问题描述
更新:因此,我更改了脚本中的某些信息,并且以域管理员身份运行脚本时它可以按预期工作。但如果可以避免的话,我宁愿不给予服务帐户“域管理员(DA)权限”。我只是不理解为什么服务帐户没有使用我在组策略中授予的权限来取得所有权,我还需要做其他事情吗?
这是更新的代码:
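# Target owner for every in-scope object: the gMSA that runs this job.
$NewOwner = (Get-ADServiceAccount SVC._DA001).samAccountName
$Domains = (Get-ADForest).Domains

# Load once, up front; the Get-AD* calls below depend on it (module
# auto-loading usually hides a late import, but an explicit one is clearer).
Import-Module ActiveDirectory

#######################################
# Reset the security descriptor of one AD object: make $Owner the owner,
# re-enable inheritance and drop every explicit (non-inherited) ACE so that
# only inherited permissions remain. Every removed ACE is echoed so the run
# leaves a trail of what was stripped.
# Arguments: $DN    - distinguishedName of the object (reached via the ADDOM: drive)
#            $Owner - samAccountName of the new owner
# Outputs:   progress and removed ACEs via Write-Host
# Returns:   nothing; Get-Acl/Set-Acl errors propagate to the caller.
# Dry run:   Set-Acl honours $WhatIfPreference, so setting it to $true in the
#            session reports the writes without performing them.
#######################################
function Reset-ADObjectSecurity {
    param(
        [Parameter(Mandatory)][string]$DN,
        [Parameter(Mandatory)][string]$Owner
    )
    Write-Host $DN
    # First set the owner. Read the object's OWN descriptor: reading another
    # container's ACL (e.g. CN=Users) and writing it back to $DN would copy
    # that container's DACL onto the object as well.
    $acl = Get-Acl -Path "ADDOM:$DN"
    $acl.SetOwner([Security.Principal.NTAccount]($Owner))
    Set-Acl -Path "ADDOM:$DN" -AclObject $acl
    Start-Sleep -Seconds 2
    # Re-read, switch inheritance on (isProtected = $false) and strip explicit ACEs.
    $acl = Get-Acl -Path "ADDOM:$DN"
    $acl.SetAccessRuleProtection($false, $false)
    $explicitAces = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicitAces) {
        Write-Host ("  removing explicit ACE: {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.ActiveDirectoryRights)
        # RemoveAccessRule returns a bool; discard it so it does not leak into the pipeline.
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path "ADDOM:$DN" -AclObject $acl
}

# adminCount drives the "not protected by AdminSDHolder" filter and memberOf
# drives the exemption check. Both must be requested explicitly for every
# object type; when they are left out they come back $null and the checks
# silently pass every object.
$props = 'samAccountName', 'memberOf', 'adminCount'
# The exemption is a wildcard match on any group DN in memberOf, so any group
# whose name contains this text exempts its members -- review who can create
# such groups before relying on it.
$exemptPattern = "*Permissions Auditor Exemption*"

ForEach ($Domain in $Domains) {
    # objectClass is populated on every AD object, so this set is probably
    # always empty; kept as in the original -- TODO confirm what it should catch.
    $Identities1 = Get-ADObject -Filter * -Server $Domain -Properties objectClass,memberOf | Where-Object { $_.objectClass -eq $null }
    $Identities2 = Get-ADComputer -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities3 = Get-ADGroup -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities4 = Get-ADServiceAccount -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities5 = Get-ADUser -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }

    New-PSDrive -Name ADDOM -PSProvider ActiveDirectory -Server $Domain -Scope Global -Root "//ROOTDSE/" | Out-Null
    try {
        # Same order as before: generic objects, computers, groups, gMSAs, users.
        foreach ($obj in @($Identities1) + @($Identities2) + @($Identities3) + @($Identities4) + @($Identities5)) {
            if ($null -eq $obj) { continue }
            if ($obj.memberOf -like $exemptPattern) { continue }
            # Note: a 2 s pause per object; a forest-wide run is slow by design.
            Reset-ADObjectSecurity -DN $obj.distinguishedName -Owner $NewOwner
        }
    }
    finally {
        # Always drop the drive, otherwise the next domain's New-PSDrive fails
        # on the name clash after any error above.
        Remove-PSDrive ADDOM
    }
}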
此PS脚本有问题。我试图用它来查找所有活动目录对象并获得它们的所有权,以及重置已添加到对象的所有自定义权限。
这样做的原因是为了防止较低级别的管理员为不应对此对象拥有权限的个人/组添加任何后门权限。
我还将用于此过程的服务帐户也添加到了“获取文件和其他对象的所有权”组策略权限中,因此应该没有问题。
# Original (pre-update) version of the script, kept for reference. Intent:
# take ownership of every non-protected AD object in the forest and strip
# explicit ACEs so that only inherited permissions remain.
$NewOwner = (Get-ADServiceAccount SVC._DA001).samAccountName
$Domains = (Get-ADForest).Domains
ForEach($Domain in $Domains){
# objectClass is populated on every AD object, so this set is most likely empty -- TODO confirm.
$Identities1 = Get-Adobject -Filter * -Server $Domain -Properties objectClass | Where {$_.objectClass -eq $null}
# memberOf is not requested here, so the exemption check below cannot see group membership.
$Identities2 = Get-ADComputer -Filter * -Properties samAccountName,adminCount -Server $Domain | Where {$_.adminCount -lt 1}
$basedn = (Get-ADDomain $Domain).distinguishedname
if ($Identities1){
# $Identities3, $Identities4 and $Identities5 are never assigned in this listing; they add $null here.
$Identities = $Identities1 + $Identities2 + $Identities3 + $Identities4 + $Identities5
}
Else{
$Identities = $Identities2 + $Identities3 + $Identities4 + $Identities5
}
# $Server is assigned but not used below.
$Server = (Get-ADDomainController -Server $Domain).name
Import-Module ActiveDirectory
New-PSDrive -Name ADDOM -PSProvider ActiveDirectory -Server $Domain -Scope Global -Root "//ROOTDSE/" | Out-Null
foreach ($obj in $Identities) {
$DN = $obj.distinguishedname
if (!($obj.memberOf -like "*Permissions Auditor Exemption*"))
{
Write-Host $DN
#First Set the Owner to the SVC Account.
# NOTE(review): this line is truncated in the paste (unbalanced quote); the owner
# assignment, Set-Acl, re-read and SetAccessRuleProtection steps of the later
# versions are missing between here and the $acl.Access pipeline.
$acl = get-acl -Path "ADDOM:CN=Users,$false)
$acl.Access |
# ...find all not inherited permissions.
Where-Object { $_.isInherited -eq $false } |
# ...and remove them
ForEach-Object { $acl.RemoveAccessRule($_) }
# set new permissions
$acl | Set-Acl -Path ADDOM:$DN
}
}
Remove-PSDrive ADDOM
}
解决方法
这是代码的v001,到目前为止,我还没有遇到任何问题。我很可能会重新访问此代码,并通过ImportExcel模块添加报告,但现在...
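# Compile the P/Invoke helper once per session; the Try probes for the type
# so re-running the script in the same session does not call Add-Type twice.
Try {
[void][TokenAdjuster]
} Catch {
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

/// <summary>
/// Enables or disables a named privilege in the current process token.
/// </summary>
public class TokenAdjuster
{
    [DllImport("advapi32.dll",ExactSpelling = true,SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok,bool disall,ref TokPriv1Luid newst,int len,IntPtr prev,IntPtr relen);
    [DllImport("kernel32.dll",ExactSpelling = true)]
    internal static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll",SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h,int acc,ref IntPtr phtok);
    [DllImport("advapi32.dll",SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host,string name,ref long pluid);
    [DllImport("kernel32.dll",SetLastError = true)]
    internal static extern bool CloseHandle(IntPtr h);

    [StructLayout(LayoutKind.Sequential,Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege; that outcome is reported only through GetLastError.
    internal const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Shared body for Add/Remove: open the token, look up the LUID, apply
    // the requested attribute, and always close the token handle.
    // Returns false if any Win32 call fails or the privilege was not assigned.
    private static bool SetPrivilege(string privilege, int attr)
    {
        IntPtr htok = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
                return false;
            TokPriv1Luid tp;
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = attr;
            if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
                return false;
            // No previous-state buffer is requested, so the buffer length is 0.
            if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                return false;
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally
        {
            if (htok != IntPtr.Zero) CloseHandle(htok);
        }
    }

    /// <summary>Enables <paramref name="privilege"/> in the current process token.</summary>
    public static bool AddPrivilege(string privilege)
    {
        return SetPrivilege(privilege, SE_PRIVILEGE_ENABLED);
    }

    /// <summary>Disables <paramref name="privilege"/> in the current process token.</summary>
    public static bool RemovePrivilege(string privilege)
    {
        return SetPrivilege(privilege, SE_PRIVILEGE_DISABLED);
    }
}
"@
Add-Type $AdjustTokenPrivileges
}

# Enable the privileges in this process's token and report the ones that could
# not be enabled; discarding the result with [void] would hide an account that
# simply does not hold the right.
#   SeRestorePrivilege       - set owner
#   SeBackupPrivilege        - bypass traverse checking
#   SeTakeOwnershipPrivilege - take ownership
# NOTE(review): these are local process-token privileges. Whether they affect
# LDAP writes evaluated on the domain controller (as opposed to NTFS operations
# on this host) is not established by this script -- confirm on the target DCs.
foreach ($priv in 'SeRestorePrivilege', 'SeBackupPrivilege', 'SeTakeOwnershipPrivilege') {
    if (-not [TokenAdjuster]::AddPrivilege($priv)) {
        Write-Warning "Could not enable $priv for the current process token"
    }
}

# Target owner for every in-scope object: the gMSA that runs this job.
$NewOwner = (Get-ADServiceAccount SVC._DA001).samAccountName
$Domains = (Get-ADForest).Domains

# Load once, up front; the Get-AD* calls below depend on it.
Import-Module ActiveDirectory

#######################################
# Reset the security descriptor of one AD object: make $Owner the owner,
# re-enable inheritance and drop every explicit (non-inherited) ACE so that
# only inherited permissions remain. Every removed ACE is echoed so the run
# leaves a trail of what was stripped.
# Arguments: $DN    - distinguishedName of the object (reached via the ADDOM: drive)
#            $Owner - samAccountName of the new owner
# Outputs:   progress and removed ACEs via Write-Host
# Returns:   nothing; Get-Acl/Set-Acl errors propagate to the caller.
# Dry run:   Set-Acl honours $WhatIfPreference, so setting it to $true in the
#            session reports the writes without performing them.
#######################################
function Reset-ADObjectSecurity {
    param(
        [Parameter(Mandatory)][string]$DN,
        [Parameter(Mandatory)][string]$Owner
    )
    Write-Host $DN
    # First set the owner. Read the object's OWN descriptor: reading another
    # container's ACL (e.g. CN=Users) and writing it back to $DN would copy
    # that container's DACL onto the object as well.
    $acl = Get-Acl -Path "ADDOM:$DN"
    $acl.SetOwner([Security.Principal.NTAccount]($Owner))
    Set-Acl -Path "ADDOM:$DN" -AclObject $acl
    Start-Sleep -Seconds 2
    # Re-read, switch inheritance on (isProtected = $false) and strip explicit ACEs.
    $acl = Get-Acl -Path "ADDOM:$DN"
    $acl.SetAccessRuleProtection($false, $false)
    $explicitAces = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicitAces) {
        Write-Host ("  removing explicit ACE: {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.ActiveDirectoryRights)
        # RemoveAccessRule returns a bool; discard it so it does not leak into the pipeline.
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path "ADDOM:$DN" -AclObject $acl
}

# adminCount drives the "not protected by AdminSDHolder" filter and memberOf
# drives the exemption check. Both must be requested explicitly for every
# object type; the previous version left them out for groups, gMSAs and users,
# so $_.adminCount was always $null, `$null -lt 1` was always true, and
# protected objects were processed while the exemption never matched.
$props = 'samAccountName', 'memberOf', 'adminCount'
# The exemption is a wildcard match on any group DN in memberOf, so any group
# whose name contains this text exempts its members -- review who can create
# such groups before relying on it.
$exemptPattern = "*Permissions Auditor Exemption*"

ForEach ($Domain in $Domains) {
    # objectClass is populated on every AD object, so this set is probably
    # always empty; kept as in the original -- TODO confirm what it should catch.
    $Identities1 = Get-ADObject -Filter * -Server $Domain -Properties objectClass,memberOf | Where-Object { $_.objectClass -eq $null }
    $Identities2 = Get-ADComputer -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities3 = Get-ADGroup -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities4 = Get-ADServiceAccount -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }
    $Identities5 = Get-ADUser -Filter * -Properties $props -Server $Domain | Where-Object { $_.adminCount -lt 1 }

    New-PSDrive -Name ADDOM -PSProvider ActiveDirectory -Server $Domain -Scope Global -Root "//ROOTDSE/" | Out-Null
    try {
        # Same order as before: generic objects, computers, groups, gMSAs, users.
        foreach ($obj in @($Identities1) + @($Identities2) + @($Identities3) + @($Identities4) + @($Identities5)) {
            if ($null -eq $obj) { continue }
            if ($obj.memberOf -like $exemptPattern) { continue }
            # Note: a 2 s pause per object; a forest-wide run is slow by design.
            Reset-ADObjectSecurity -DN $obj.distinguishedName -Owner $NewOwner
        }
    }
    finally {
        # Always drop the drive, otherwise the next domain's New-PSDrive fails
        # on the name clash after any error above.
        Remove-PSDrive ADDOM
    }
}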