diff options
Diffstat (limited to 'Get-MachineAccountCreator.ps1')
| -rw-r--r-- | Get-MachineAccountCreator.ps1 | 92 |
1 files changed, 52 insertions, 40 deletions
diff --git a/Get-MachineAccountCreator.ps1 b/Get-MachineAccountCreator.ps1 index 99f0480..788674c 100644 --- a/Get-MachineAccountCreator.ps1 +++ b/Get-MachineAccountCreator.ps1 @@ -4,7 +4,8 @@ function Get-MachineAccountCreator .SYNOPSIS This function leverages the ms-DS-CreatorSID property on machine accounts to return a list of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only - populated when a machine account is created by an unprivileged user. + populated when a machine account is created by an unprivileged user. Note that SIDs will be returned + over usernames if SID to username lookups fail through System.Security.Principal.SecurityIdentifier. .DESCRIPTION This function can be used to see how close a user is to a ms-DS-MachineAccountQuota before @@ -20,16 +21,17 @@ function Get-MachineAccountCreator Distinguished name for the computers OU. .PARAMETER Domain - The targeted domain. This parameter is mandatory on a non-domain system. + The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter + requires a DNS domain name and not a NetBIOS version. .PARAMETER DomainController - Domain controller to target. + Domain controller to target. This parameter is mandatory on a non-domain attached system. .EXAMPLE Get-MachineAccountCreator .EXAMPLE - $user_account_password = ConvertTo-SecureString 'Winter2018!' -AsPlainText -Force + $user_account_password = ConvertTo-SecureString 'Spring2018!' -AsPlainText -Force $user_account_creds = New-Object System.Management.Automation.PSCredential('domain\user',$user_account_password) Get-MachineAccountCreator -Credential $user_account_creds @@ -51,9 +53,7 @@ function Get-MachineAccountCreator try { - $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - $DomainController = $current_domain.DomainControllers[0].Name - $domain = $current_domain.Name + $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name } catch { @@ -68,7 +68,7 @@ function Get-MachineAccountCreator try { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name } catch { @@ -82,9 +82,7 @@ function Get-MachineAccountCreator if(!$DistinguishedName) { - $distinguished_name = "CN=Computers" - $DC_array = $Domain.Split(".") ForEach($DC in $DC_array) @@ -98,45 +96,59 @@ function Get-MachineAccountCreator $distinguished_name = "$DistinguishedName" } - if($Credential) - { - $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) - } - else - { - $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" - } - - $machine_account_searcher = New-Object DirectoryServices.DirectorySearcher - $machine_account_searcher.SearchRoot = $directory_entry - $machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"} - $creator_object_list = @() - - ForEach($account in $machine_accounts) + Write-Verbose "[+] Distinguished Name=$distinguished_name" + + try { - $creator_SID_object = $account.properties."ms-ds-creatorsid" - if($creator_SID_object) + if($Credential) { - $creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value - $creator_object = New-Object PSObject + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) + } + else + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } + + $machine_account_searcher = New-Object DirectoryServices.DirectorySearcher + $machine_account_searcher.SearchRoot = $directory_entry + $machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"} + $creator_object_list = @() + + ForEach($account in $machine_accounts) + { + $creator_SID_object = $account.properties."ms-ds-creatorsid" - try - { - $creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username - } - catch + if($creator_SID_object) { - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID + $creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value + $creator_object = New-Object PSObject + + try + { + $creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username + } + catch + { + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID + } + + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0] + $creator_object_list += $creator_object + $creator_SID_object = $null } - - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0] - $creator_object_list += $creator_object - $creator_SID_object = $null + } } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } Write-Output $creator_object_list | Sort-Object -property @{Expression = {$_.Creator}; Ascending = $false}, "Machine Account" | Format-Table -AutoSize }
\ No newline at end of file |