I need to create a JEA PowerShell endpoint that does one thing: copies the SID of the source input AD user to the target AD user ‘sidhistory’ attribute.
Reading the source AD user ‘sid’ or ‘objectsid’ property is fairly simple via Get-ADUser as in
Get-ADUser 'samb' -properties sid,objectsid,sidhistory
The AD user object ‘sidhistory’ attribute “is protected and cannot be written to”. For example:
Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHistory'=$strSourceSID} -Credential $TargetCred -Server $TargetDC

Set-ADUser : Access is denied
At line:1 char:13
+ Set-ADUser -Identity $TargetsAMAccountName -Add @{'SIDHis ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (xxxxxxx:ADUser) [Set-ADUser], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
It seems the only way Microsoft offers to write to the sidhistory attribute is to use the 20-year-old COM object of the SIDCloner.dll, invoking its CloneSid method as in
[System.Reflection.Assembly]::LoadFile("c:\temp\SIDCloner.dll") | Out-Null
[WinTools.SidCloner]::CloneSid($srcAcctID, $srcDomain, $srcDC, $srcCred.UserName, $srcCred.Password, $tgtAcctID, $tgtDomain, $tgtDC, $tgtCred.UserName, $tgtCred.Password)
Question 1:
Does anyone know of a way to write to the sidhistory attribute other than this!!??
Question 2:
If I’m to automate this via a JEA access point deployed on the PDC emulator of the target AD domain running under a Virtual Account (which would be a domain admin, solving the requirement of a domain admin at the target domain), and
putting aside the requirement for a domain admin at the source domain (there’s no reason to require a domain admin to read the source SID, but anyway…), how would I configure the JEA Role Capabilities file?
For example:
@{

# ID used to uniquely identify this document
GUID = 'bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe'

# Author of this document
Author = 'Sam Boutros'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Company'

# Copyright statement for this document
Copyright = '(c) 2020 Company. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'ActiveDirectory'

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
# VisibleCmdlets = 'Get-*', 'Unlock-ADAccount', 'Write-Output'

# Functions to make visible when applied to a session
# VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

# External commands (scripts and applications) to make visible when applied to a session
# VisibleExternalCommands = 'c:\Windows\System32\whoami.exe'

# Providers to make visible when applied to a session
# VisibleProviders = 'Item1', 'Item2'

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# Aliases to be defined when applied to a session
# AliasDefinitions = @{ Name = 'Alias1'; Value = 'Invoke-Alias1'}, @{ Name = 'Alias2'; Value = 'Invoke-Alias2'}

# Functions to define when applied to a session
# FunctionDefinitions = @{ Name = 'MyFunction'; ScriptBlock = { param($MyInput) $MyInput } }

# Variables to define when applied to a session
# VariableDefinitions = @{ Name = 'Variable1'; Value = { 'Dynamic' + 'InitialValue' } }, @{ Name = 'Variable2'; Value = 'StaticInitialValue' }

# Environment variables to define when applied to a session
# EnvironmentVariables = @{ Variable1 = 'Value1'; Variable2 = 'Value2' }

# Type files (.ps1xml) to load when applied to a session
# TypesToProcess = 'C:\ConfigData\MyTypes.ps1xml', 'C:\ConfigData\OtherTypes.ps1xml'

# Format files (.ps1xml) to load when applied to a session
# FormatsToProcess = 'C:\ConfigData\MyFormats.ps1xml', 'C:\ConfigData\OtherFormats.ps1xml'

# Assemblies to load when applied to a session
# AssembliesToLoad = 'System.Web', 'System.OtherAssembly, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

}
Specifically:
Can ‘AssembliesToLoad’ be used to allow loading c:\temp\SIDCloner.dll as in the code above?
How do I specify that [WinTools.SidCloner]::CloneSid is the only method that can be invoked off this COM object?
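One way to shape the role capability so that the SID copy is the only thing the connecting user can do, as an added example (not the poster's file): JEA cannot whitelist a single .NET method, but a JEA session runs in NoLanguage mode, so the caller cannot type a method call at all. Exposing one wrapper function via VisibleFunctions, with hard-coded domains and validated account names, makes that wrapper the only reachable path to CloneSid. The domain and DC names are placeholders, and the 10-argument CloneSid signature is the one shown in the post.

```powershell
# CopySidHistory.psrc (added example). Placeholder domain/DC names are assumptions;
# the DLL path and the 10-argument CloneSid call are taken from the post above.
@{
    GUID   = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with New-Guid
    Author = 'Sam Boutros'

    # Imported so the wrapper can call Get-ADUser; the cmdlet itself stays hidden
    # from the caller because it is not listed under VisibleCmdlets.
    ModulesToImport  = 'ActiveDirectory'

    # The only command the connecting user can see or run.
    VisibleFunctions = 'Copy-ADSidHistory'

    FunctionDefinitions = @{
        Name        = 'Copy-ADSidHistory'
        ScriptBlock = {
            [CmdletBinding(SupportsShouldProcess)]
            param(
                # sAMAccountName only: no domain qualifiers, paths or wildcards.
                [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')] [string]$SourceAccount,
                [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')] [string]$TargetAccount,
                # Supplied per call rather than stored on the endpoint.
                [Parameter(Mandatory)] [pscredential]$SourceCredential,
                [Parameter(Mandatory)] [pscredential]$TargetCredential
            )
            # Fixed here so a caller cannot point the clone at another domain or DC.
            $srcDomain = 'source.example.com'; $srcDC = 'dc01.source.example.com'   # placeholders
            $tgtDomain = 'target.example.com'; $tgtDC = 'dc01.target.example.com'   # placeholders

            Add-Type -Path 'C:\temp\SIDCloner.dll'   # loads the assembly from the post

            if ($PSCmdlet.ShouldProcess("$tgtDomain\$TargetAccount", "Append SID of $srcDomain\$SourceAccount to SIDHistory")) {
                [WinTools.SidCloner]::CloneSid(
                    $SourceAccount, $srcDomain, $srcDC,
                    $SourceCredential.UserName, $SourceCredential.GetNetworkCredential().Password,
                    $TargetAccount, $tgtDomain, $tgtDC,
                    $TargetCredential.UserName, $TargetCredential.GetNetworkCredential().Password)

                # Return the resulting attribute so the caller can confirm the write.
                Get-ADUser -Identity $TargetAccount -Server $tgtDC -Credential $TargetCredential -Properties SIDHistory |
                    Select-Object SamAccountName, SIDHistory
            }
        }
    }
}
```

Register it with a session configuration (.pssc) that sets RunAsVirtualAccount and a TranscriptDirectory, so every SIDHistory change made through the endpoint is transcribed along with the account that requested it.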