Question about JEA Role Capabilities file configuration

    • #209292
      Participant

      I need to create a JEA PowerShell endpoint that does one thing: copies the SID of the source input AD user to the target AD user's ‘sidhistory’ attribute.

      Reading the source AD user ‘sid’ or ‘objectsid’ property is fairly simple via Get-ADUser as in

      Get-ADUser 'samb' -properties sid,objectsid,sidhistory 
      

      The AD user object ‘sidhistory’ attribute “is protected and cannot be written to”. For example:

      Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHistory'=$strSourceSID} -Credential $TargetCred -Server $TargetDC
      
      Set-ADUser : Access is denied
      At line:1 char:13
      +             Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHis ...
      +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : PermissionDenied: (xxxxxxx:ADUser) [Set-ADUser], UnauthorizedAccessException
      + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
      

      It seems the only way Microsoft offers to write to the sidhistory attribute is to use the 20 year old COM object of the SIDCloner.dll, invoking its CloneSid method as in

      [System.Reflection.Assembly]::LoadFile("c:\temp\SIDCloner.dll") | Out-Null
      [WinTools.SidCloner]::CloneSid($srcAcctID, $srcDomain, $srcDC, $srcCred.UserName, $srcCred.Password, $tgtAcctID, $tgtDomain, $tgtDC, $tgtCred.UserName, $tgtCred.Password)
      

      Question 1:

        Does anyone know of a way to write to the sidhistory attribute other than this!!??

      Question 2:
      If I’m to automate this via a JEA access point deployed on the PDC emulator of the target AD domain running under a Virtual Account (which would be a domain admin – solving the requirement of a domain admin at the target domain), and putting aside the requirement for a domain admin at the source domain (there’s no reason to require a domain admin to read the source SID, but anyway..), how would I configure the JEA Role Capabilities file?
      For example:

      @{
      
      # ID used to uniquely identify this document
      GUID = 'bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe'
      
      # Author of this document
      Author = 'Sam Boutros'
      
      # Description of the functionality provided by these settings
      # Description = ''
      
      # Company associated with this document
      CompanyName = 'Company'
      
      # Copyright statement for this document
      Copyright = '(c) 2020 Company. All rights reserved.'
      
      # Modules to import when applied to a session
      # ModulesToImport = 'ActiveDirectory'
      
      # Aliases to make visible when applied to a session
      # VisibleAliases = 'Item1', 'Item2'
      
      # Cmdlets to make visible when applied to a session
      # VisibleCmdlets = 'Get-*', 'Unlock-ADAccount', 'Write-Output'
      
      # Functions to make visible when applied to a session
      # VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }
      
      # External commands (scripts and applications) to make visible when applied to a session
      # VisibleExternalCommands = 'c:\Windows\System32\whoami.exe'
      
      # Providers to make visible when applied to a session
      # VisibleProviders = 'Item1', 'Item2'
      
      # Scripts to run when applied to a session
      # ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
      
      # Aliases to be defined when applied to a session
      # AliasDefinitions = @{ Name = 'Alias1'; Value = 'Invoke-Alias1'}, @{ Name = 'Alias2'; Value = 'Invoke-Alias2'}
      
      # Functions to define when applied to a session
      # FunctionDefinitions = @{ Name = 'MyFunction'; ScriptBlock = { param($MyInput) $MyInput } }
      
      # Variables to define when applied to a session
      # VariableDefinitions = @{ Name = 'Variable1'; Value = { 'Dynamic' + 'InitialValue' } }, @{ Name = 'Variable2'; Value = 'StaticInitialValue' }
      
      # Environment variables to define when applied to a session
      # EnvironmentVariables = @{ Variable1 = 'Value1'; Variable2 = 'Value2' }
      
      # Type files (.ps1xml) to load when applied to a session
      # TypesToProcess = 'C:\ConfigData\MyTypes.ps1xml', 'C:\ConfigData\OtherTypes.ps1xml'
      
      # Format files (.ps1xml) to load when applied to a session
      # FormatsToProcess = 'C:\ConfigData\MyFormats.ps1xml', 'C:\ConfigData\OtherFormats.ps1xml'
      
      # Assemblies to load when applied to a session
      # AssembliesToLoad = 'System.Web', 'System.OtherAssembly, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
      
      }
      

      Specifically:

        Can ‘AssembliesToLoad’ be used to allow loading c:\temp\SIDCloner.dll as in the code above?
        How do I specify that [WinTools.SidCloner]::CloneSid is the only method that can be invoked off this COM object?

      • This topic was modified 2 months, 2 weeks ago by Sam Boutros.
    • #209490
      Participant

      Regarding how to configure the Role Capabilities file, could you create a script to load the assembly and invoke the CloneSid method that way? In that case you could use the configurations under line 37. Just another perspective I thought I would share for you to consider.
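The approach in the reply, worked through as an added example (this is not code from either post): instead of exposing SIDCloner.dll through AssembliesToLoad, the role capability file defines a single wrapper function that loads the DLL from a fixed path and calls CloneSid, and only that function is visible to the connecting user. The function name Copy-AdSidHistory, the DLL path, the domain and DC names, the role group and the GUID are placeholders; everything else follows the question's own CloneSid call.

```powershell
# --- SidHistory.psrc (save under <ModuleFolder>\RoleCapabilities) ---
@{
    GUID   = '00000000-0000-0000-0000-000000000000'   # placeholder, generate with New-Guid
    Author = 'Sam Boutros'
    ModulesToImport = 'ActiveDirectory'
    # Explicit allow-list: the caller gets this one function and nothing else.
    VisibleFunctions = 'Copy-AdSidHistory'
    FunctionDefinitions = @{
        Name = 'Copy-AdSidHistory'
        ScriptBlock = {
            param(
                # Tight pattern so only a plain sAMAccountName can be passed in.
                [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$SourceSamAccountName,
                [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$TargetSamAccountName,
                [Parameter(Mandatory)][pscredential]$SourceCredential,
                [Parameter(Mandatory)][pscredential]$TargetCredential
            )
            # Fixed, admin-controlled values (placeholders): the connecting user never supplies
            # the assembly path or the DC it talks to.
            $dll       = 'C:\Program Files\JEA\SIDCloner.dll'
            $srcDomain = 'source.example';  $srcDC = 'dc1.source.example'
            $tgtDomain = 'target.example';  $tgtDC = 'dc1.target.example'
            [System.Reflection.Assembly]::LoadFile($dll) | Out-Null
            # Same CloneSid signature as in the question; the virtual account runs this body.
            [WinTools.SidCloner]::CloneSid(
                $SourceSamAccountName, $srcDomain, $srcDC,
                $SourceCredential.UserName, $SourceCredential.GetNetworkCredential().Password,
                $TargetSamAccountName, $tgtDomain, $tgtDC,
                $TargetCredential.UserName, $TargetCredential.GetNetworkCredential().Password)
            # Return the result so the session transcript records what was written.
            Get-ADUser -Identity $TargetSamAccountName -Server $tgtDC -Properties SIDHistory |
                Select-Object SamAccountName, SIDHistory
        }
    }
}

# --- SidHistory.pssc (register with Register-PSSessionConfiguration -Path .\SidHistory.pssc) ---
@{
    SchemaVersion       = '2.0.0.0'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, allow-listed commands only
    RunAsVirtualAccount = $true                      # on a DC the virtual account is a domain admin
    TranscriptDirectory = 'C:\ProgramData\JEA\Transcripts'
    RoleDefinitions     = @{ 'TARGET\SidHistory-Operators' = @{ RoleCapabilities = 'SidHistory' } }
}
```

Because the session is RestrictedRemoteServer, a connecting user cannot call LoadFile or reach the WinTools.SidCloner type directly; the only way to invoke CloneSid is through the validated wrapper, and every call is transcribed.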
