blob: 788674cf653d2f654d81c055d96fee4422cb1f96 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
function Get-MachineAccountCreator
{
<#
.SYNOPSIS
This function leverages the ms-DS-CreatorSID property on machine accounts to return a list
of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only
populated when a machine account is created by an unprivileged user. Note that SIDs will be returned
over usernames if SID to username lookups fail through System.Security.Principal.SecurityIdentifier.
.DESCRIPTION
This function can be used to see how close a user is to a ms-DS-MachineAccountQuota before
using New-MachineAccount.
Author: Kevin Robertson (@kevin_robertson)
License: BSD 3-Clause
.PARAMETER Credential
Credentials for LDAP.
.PARAMETER DistinguishedName
Distinguished name for the computers OU.
.PARAMETER Domain
The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter
requires a DNS domain name and not a NetBIOS version.
.PARAMETER DomainController
Domain controller to target. This parameter is mandatory on a non-domain attached system.
.EXAMPLE
Get-MachineAccountCreator
.EXAMPLE
$user_account_password = ConvertTo-SecureString 'Spring2018!' -AsPlainText -Force
$user_account_creds = New-Object System.Management.Automation.PSCredential('domain\user',$user_account_password)
Get-MachineAccountCreator -Credential $user_account_creds
.LINK
https://github.com/Kevin-Robertson/Powermad
#>
[CmdletBinding()]
param
(
[parameter(Mandatory=$false)][String]$DistinguishedName,
[parameter(Mandatory=$false)][String]$Domain,
[parameter(Mandatory=$false)][String]$DomainController,
[parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
)
if(!$DomainController)
{
try
{
$DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name
}
catch
{
Write-Output "[-] domain controller not located"
throw
}
}
if(!$Domain)
{
try
{
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
}
catch
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
Write-Output "[-] $error_message"
throw
}
}
if(!$DistinguishedName)
{
$distinguished_name = "CN=Computers"
$DC_array = $Domain.Split(".")
ForEach($DC in $DC_array)
{
$distinguished_name += ",DC=$DC"
}
}
else
{
$distinguished_name = "$DistinguishedName"
}
Write-Verbose "[+] Distinguished Name=$distinguished_name"
try
{
if($Credential)
{
$directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password)
}
else
{
$directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name"
}
$machine_account_searcher = New-Object DirectoryServices.DirectorySearcher
$machine_account_searcher.SearchRoot = $directory_entry
$machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"}
$creator_object_list = @()
ForEach($account in $machine_accounts)
{
$creator_SID_object = $account.properties."ms-ds-creatorsid"
if($creator_SID_object)
{
$creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value
$creator_object = New-Object PSObject
try
{
$creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value
Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username
}
catch
{
Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID
}
Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0]
$creator_object_list += $creator_object
$creator_SID_object = $null
}
}
}
catch
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
Write-Output "[-] $error_message"
throw
}
Write-Output $creator_object_list | Sort-Object -property @{Expression = {$_.Creator}; Ascending = $false}, "Machine Account" | Format-Table -AutoSize
}
|