1 files changed, 142 insertions, 0 deletions

diff --git a/Get-MachineAccountCreator.ps1 b/Get-MachineAccountCreator.ps1
new file mode 100644
index 0000000..99f0480
--- /dev/null
+++ b/Get-MachineAccountCreator.ps1
@@ -0,0 +1,142 @@
+function Get-MachineAccountCreator
+{
+    <#
+    .SYNOPSIS
+    This function leverages the ms-DS-CreatorSID property on machine accounts to return a list
+    of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only
+    populated when a machine account is created by an unprivileged user. 
+
+    .DESCRIPTION
+    This function can be used to see how close a user is to a ms-DS-MachineAccountQuota before
+    using New-MachineAccount.
+    
+    Author: Kevin Robertson (@kevin_robertson)  
+    License: BSD 3-Clause 
+
+    .PARAMETER Credential
+    Credentials for LDAP.
+
+    .PARAMETER DistinguishedName
+    Distinguished name for the computers OU.
+
+    .PARAMETER Domain
+    The targeted domain. This parameter is mandatory on a non-domain system.
+
+    .PARAMETER DomainController
+    Domain controller to target.
+
+    .EXAMPLE
+    Get-MachineAccountCreator
+
+    .EXAMPLE
+    $user_account_password = ConvertTo-SecureString 'Winter2018!' -AsPlainText -Force
+    $user_account_creds = New-Object System.Management.Automation.PSCredential('domain\user',$user_account_password)
+    Get-MachineAccountCreator -Credential $user_account_creds
+
+    .LINK
+    https://github.com/Kevin-Robertson/Powermad
+    #>
+
+    [CmdletBinding()]
+    param
+    (
+        [parameter(Mandatory=$false)][String]$DistinguishedName,
+        [parameter(Mandatory=$false)][String]$Domain,
+        [parameter(Mandatory=$false)][String]$DomainController,
+        [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+    )
+
+    if(!$DomainController)
+    {
+
+        try
+        {
+            $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
+            $DomainController = $current_domain.DomainControllers[0].Name
+            $domain = $current_domain.Name
+        }
+        catch
+        {
+            Write-Output "[-] domain controller not located"
+            throw
+        }
+
+    }
+
+    if(!$Domain)
+    {
+
+        try
+        {
+            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
+        }
+        catch
+        {
+            $error_message = $_.Exception.Message
+            $error_message = $error_message -replace "`n",""
+            Write-Output "[-] $error_message"
+            throw
+        }
+
+    }
+
+    if(!$DistinguishedName)
+    {
+
+        $distinguished_name = "CN=Computers"
+
+        $DC_array = $Domain.Split(".")
+
+        ForEach($DC in $DC_array)
+        {
+            $distinguished_name += ",DC=$DC"
+        }
+
+    }
+    else 
+    {
+        $distinguished_name = "$DistinguishedName"
+    }
+
+    if($Credential)
+    {
+        $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password)
+    }
+    else
+    {
+        $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name"
+    }
+    
+    $machine_account_searcher = New-Object DirectoryServices.DirectorySearcher 
+    $machine_account_searcher.SearchRoot = $directory_entry  
+    $machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"}  
+    $creator_object_list = @()
+                                                
+    ForEach($account in $machine_accounts)
+    {
+        $creator_SID_object = $account.properties."ms-ds-creatorsid"
+
+        if($creator_SID_object)
+        {
+            $creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value
+            $creator_object = New-Object PSObject
+
+            try
+            {
+                $creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value
+                Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username
+            }
+            catch
+            {
+                Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID
+            }
+            
+            Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0]
+            $creator_object_list += $creator_object
+            $creator_SID_object = $null
+        }
+
+    }
+
+    Write-Output $creator_object_list | Sort-Object -property @{Expression = {$_.Creator}; Ascending = $false}, "Machine Account" | Format-Table -AutoSize
+}
\ No newline at end of file