Skip to content

Always use computer domain to bind to RootDSE#1345

Merged
bill-long merged 6 commits into
mainfrom
bilong-rootDSE
Nov 11, 2022
Merged

Always use computer domain to bind to RootDSE#1345
bill-long merged 6 commits into
mainfrom
bilong-rootDSE

Conversation

@bill-long
Copy link
Copy Markdown
Member

@bill-long bill-long commented Nov 10, 2022

Issue:
If a user is logged in to a machine in the Exchange forest using a user account from a trusted forest, binding to LDAP://RootDSE gives us the user forest.

Fix:
Get the computer's domain and explicitly bind to that RootDSE.

@bill-long bill-long requested a review from a team as a code owner November 10, 2022 23:06
dpaulson45
dpaulson45 reviewed Nov 11, 2022
View reviewed changes
Comment thread Setup/SetupAssist/Checks/Domain/Test-ExchangeADSetupLevel.ps1
@dpaulson45
Copy link
Copy Markdown
Member

dpaulson45 commented Nov 11, 2022

Should probably do the same thing for $rootDSE = [ADSI]("GC://RootDSE") as well.

@lusassl-msft
Copy link
Copy Markdown
Contributor

lusassl-msft commented Nov 11, 2022
edited
Loading

I'm wondering if we need to adjust the Test-CVE-2021-34470.ps1 function as well.

$schemaMaster = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner

GetCurrentForest() --> Gets a Forest object for the current user context.
https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.forest.getcurrentforest?view=netframework-4.7.2#system-directoryservices-activedirectory-forest-getcurrentforest

@lusassl-msft lusassl-msft added Enhancement New feature or request Health Checker Setup Assist This item is for local server settings and environment checks that cause issues for setup Shared Function labels Nov 11, 2022
@bill-long
Copy link
Copy Markdown
Member Author

bill-long commented Nov 11, 2022

Good point. In fact, all calls to GetCurrentForest() need to be changed to GetComputerDomain().Forest.

lusassl-msft
lusassl-msft approved these changes Nov 11, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@lusassl-msft lusassl-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found no other functions that use the problematic code. Tested HealthChecker and it seems to work fine with the updated calls (as the return object should be the same). Approved and ready to merge from my point of view.

@dpaulson45 dpaulson45 self-requested a review November 11, 2022 16:23
@bill-long bill-long merged commit b6d9b1c into main Nov 11, 2022
@bill-long bill-long deleted the bilong-rootDSE branch November 11, 2022 16:27
@lusassl-msft lusassl-msft mentioned this pull request Jan 18, 2023
Closed
@dpaulson45 dpaulson45 mentioned this pull request Dec 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dpaulson45 dpaulson45 dpaulson45 approved these changes

@lusassl-msft lusassl-msft lusassl-msft approved these changes

Assignees

No one assigned

Labels

Enhancement New feature or request Health Checker Setup Assist This item is for local server settings and environment checks that cause issues for setup Shared Function

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bill-long @dpaulson45 @lusassl-msft