Question about JEA Role Capabilities file configuration

I need to create a JEA PowerShell endpoint that does one thing: copies the sid of the source input AD user to the target AD user ‘sidhistory’ attribute.

Reading the source AD user ‘sid’ or ‘objectsid’ property is fairly simple via Get-ADUser as in

Get-ADUser 'samb' -properties sid,objectsid,sidhistory 

The AD user object ‘sidhistory’ attribute “is protected and cannot be written to”. For example:

Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHistory'=$strSourceSID} -Credential $TargetCred -Server $TargetDC

Set-ADUser : Access is denied
At line:1 char:13
+             Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHis ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : PermissionDenied: (xxxxxxx:ADUser) [Set-ADUser], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADUser

It seems the only way Microsoft offers to write to the sidhistory attribute is to use the 20-year-old COM object of the SIDCloner.dll, invoking its CloneSid method as in

[System.Reflection.Assembly]::LoadFile("c:\temp\SIDCloner.dll") | Out-Null
[WinTools.SidCloner]::CloneSid($srcAcctID, $srcDomain, $srcDC, $srcCred.UserName, $srcCred.Password, $tgtAcctID, $tgtDomain, $tgtDC, $tgtCred.UserName, $tgtCred.Password)

Question 1:

Does anyone know of a way to write to the sidhistory attribute other than this!!??

Question 2:

If I’m to automate this via a JEA access point deployed on the PDC emulator of the target AD domain, running under a Virtual Account (which would be a domain admin, solving the requirement of a domain admin at the target domain), and putting aside the requirement for a domain admin at the source domain (there’s no reason to require a domain admin to read the source sid, but anyway…), how would I configure the JEA Role capabilities file? For example:

@{

# ID used to uniquely identify this document
GUID = 'bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe'

# Author of this document
Author = 'Sam Boutros'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Company'

# Copyright statement for this document
Copyright = '(c) 2020 Company. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'ActiveDirectory'

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
# VisibleCmdlets = 'Get-*', 'Unlock-ADAccount', 'Write-Output'

# Functions to make visible when applied to a session
# VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

# External commands (scripts and applications) to make visible when applied to a session
# VisibleExternalCommands = 'c:\Windows\System32\whoami.exe'

# Providers to make visible when applied to a session
# VisibleProviders = 'Item1', 'Item2'

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# Aliases to be defined when applied to a session
# AliasDefinitions = @{ Name = 'Alias1'; Value = 'Invoke-Alias1'}, @{ Name = 'Alias2'; Value = 'Invoke-Alias2'}

# Functions to define when applied to a session
# FunctionDefinitions = @{ Name = 'MyFunction'; ScriptBlock = { param($MyInput) $MyInput } }

# Variables to define when applied to a session
# VariableDefinitions = @{ Name = 'Variable1'; Value = { 'Dynamic' + 'InitialValue' } }, @{ Name = 'Variable2'; Value = 'StaticInitialValue' }

# Environment variables to define when applied to a session
# EnvironmentVariables = @{ Variable1 = 'Value1'; Variable2 = 'Value2' }

# Type files (.ps1xml) to load when applied to a session
# TypesToProcess = 'C:\ConfigData\MyTypes.ps1xml', 'C:\ConfigData\OtherTypes.ps1xml'

# Format files (.ps1xml) to load when applied to a session
# FormatsToProcess = 'C:\ConfigData\MyFormats.ps1xml', 'C:\ConfigData\OtherFormats.ps1xml'

# Assemblies to load when applied to a session
# AssembliesToLoad = 'System.Web', 'System.OtherAssembly, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

}

Specifically:

1. Can ‘AssembliesToLoad’ be used to allow loading c:\temp\SIDCloner.dll as in the code above?
2. How do I specify that [WinTools.SidCloner]::CloneSid is the only method that can be invoked off this COM object?

Regarding how to configure the Role Capabilities file, could you create a script to load the assembly and invoke the CloneSid method that way? In that case you could use the configurations under line 37. Just another perspective I thought I would share for you to consider.
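As an added example (not code from the question or the reply above), here is one way to follow the reply's suggestion and answer the "only CloneSid" part of question 2: a role capabilities file that defines a single wrapper function and makes only that function visible. A JEA endpoint whose session configuration uses SessionType = 'RestrictedRemoteServer' runs in NoLanguage mode, so a connecting user cannot call [WinTools.SidCloner]::CloneSid or any other .NET member directly even when the assembly is loaded; the wrapper is the only thing they can invoke. Everything named here is hypothetical: the function name Copy-SidToHistory, the DLL path, the pinned hash placeholder, and the domain and DC names. The 10-argument CloneSid call is the form shown in the question, so the wrapper takes both credentials as parameters.

```powershell
# CopySidHistory.psrc (added example, hypothetical names; not the question's own file)
@{
    GUID        = '00000000-0000-0000-0000-000000000000'   # placeholder; generate with [guid]::NewGuid()
    Author      = 'example'
    Description = 'Copies the SID of a source-domain user into the SIDHistory attribute of a target-domain user.'

    # The wrapper needs Get-ADUser, but the connecting user still cannot run it:
    # it is not listed in VisibleCmdlets. Only Copy-SidToHistory is callable.
    ModulesToImport  = 'ActiveDirectory'
    VisibleFunctions = 'Copy-SidToHistory'

    FunctionDefinitions = @{
        Name        = 'Copy-SidToHistory'
        ScriptBlock = {
            [CmdletBinding()]
            param(
                [Parameter(Mandatory)]
                [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]   # sAMAccountName only: no DNs, SIDs, wildcards or LDAP syntax
                [string]$SourceSamAccountName,

                [Parameter(Mandatory)]
                [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
                [string]$TargetSamAccountName,

                # The 10-argument CloneSid form from the question takes explicit credentials for both sides.
                [Parameter(Mandatory)] [pscredential]$SourceCredential,
                [Parameter(Mandatory)] [pscredential]$TargetCredential
            )

            # Fixed by the endpoint author, never by the caller: the session cannot be
            # pointed at another forest or DC by passing different arguments.
            $srcDomain = 'source.example'        # assumption
            $srcDC     = 'dc1.source.example'    # assumption
            $tgtDomain = 'target.example'        # assumption
            $tgtDC     = $env:COMPUTERNAME       # the endpoint runs on the target PDC emulator

            # Load the DLL from an admin-only directory and pin its hash, so replacing the
            # file (as anyone could under C:\Temp) cannot turn the endpoint into a loader
            # for arbitrary code running as the virtual account.
            $dllPath      = 'C:\Program Files\SidCloner\SIDCloner.dll'   # assumption
            $expectedHash = 'REPLACE_WITH_SHA256_OF_YOUR_COPY'          # placeholder
            $actualHash   = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
            if ($actualHash -ne $expectedHash) {
                throw "SIDCloner.dll hash mismatch ($actualHash); refusing to load it."
            }
            if (-not ('WinTools.SidCloner' -as [type])) {
                Add-Type -LiteralPath $dllPath
            }

            # Resolve both accounts before writing anything, so a typo fails early.
            $src = Get-ADUser -Identity $SourceSamAccountName -Server $srcDC -Credential $SourceCredential
            $tgt = Get-ADUser -Identity $TargetSamAccountName -Server $tgtDC -Properties SIDHistory

            [WinTools.SidCloner]::CloneSid(
                $src.SamAccountName, $srcDomain, $srcDC,
                $SourceCredential.UserName, $SourceCredential.GetNetworkCredential().Password,
                $tgt.SamAccountName, $tgtDomain, $tgtDC,
                $TargetCredential.UserName, $TargetCredential.GetNetworkCredential().Password)

            # Return an audit record. $PSSenderInfo identifies the connecting user, and the
            # session configuration's TranscriptDirectory keeps the full transcript of the call.
            [pscustomobject]@{
                RequestedBy = $PSSenderInfo.ConnectedUser
                SourceSid   = $src.SID.Value
                Target      = $tgt.DistinguishedName
                SIDHistory  = (Get-ADUser -Identity $tgt -Server $tgtDC -Properties SIDHistory).SIDHistory
            }
        }
    }
}
```

Register the file under a RoleCapabilities folder of a module on the PDC emulator and map it to the allowed group in the session configuration's RoleDefinitions. Because the wrapper, not the caller, decides which DLL is loaded and which domains and DCs are touched, the exposed surface is exactly one operation on validated account names. If the DLL also offers a CloneSid form that uses the caller's own security context (the question does not say), the TargetCredential parameter can be dropped, since the virtual account on a domain controller already runs as a domain admin, which is the point the question makes about the target side.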