dsAclGetAces / dsGetSecProp "Trustee" returning incorrect information

Started by galaara98, April 14, 2016, 02:35:51 PM



OH MY GOSH, NM.. I had a bug in the LOOP!!! WELL, I'll leave this here for nerd reading.. the flaw was in my ItemExtract(

It was using ItemExtract(1... a constant

and should have been ItemExtract(J.... a loop variable


I am getting incorrect information from a script I wrote while working with AD.

This particular script reads a property on a group Managed Service Account; however, I suppose the flaw could surface anywhere the property value is a "DiscretionaryAcl". I am having issues when the "DiscretionaryAcl" contains 2 or more "Trustee"s that are different: the WinBatch code is returning all Trustees as the same object, while all other code shows them as the two different ones I set.

Here is the scenario (can be reproduced in a lab, and does not require the gMSA account to actually function, just read its configuration back in WinBatch after creation):
1) I have a Windows 2012R2 Domain Controller, and using PowerShell on the DC:
2) I have created a gMSA (group Managed Service Account)
   a. If not already done, you must ONCE per FOREST configure/enable the Microsoft Key Distribution Center (https://technet.microsoft.com/en-us/library/jj128430.aspx)
      i. If ONLY one or 2 highly connected DCs (like a lab)
         1. Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
      ii. else
         1. Add-KdsRootKey -EffectiveImmediately   # wait 10 hours
   b. New-ADServiceAccount -Name SrvAcc1 -DNSHostName SvrAcc1.fqdnofthisdomain.loc
3) Authorize multiple AD entities to be able to read the Service Account Password (normally these are computer objects, but if the ONLY computer in your lab is a single DC, then it could be a user also)
   a. $Principals = @()   # create a blank array
   b. $Principals += Get-ADComputer computer1
   c. $Principals += Get-ADComputer computer2
      Or += Get-ADUser user1, or $Principals = Get-ADComputer -Filter {something that would produce 2 computers}
   d. Set-ADServiceAccount -Identity SrvAcc1 -PrincipalsAllowedToRetrieveManagedPassword $Principals
4) The result of this is an object in AD that is not a "user", but is an ObjectClass of 'msDS-GroupManagedServiceAccount', that has an attribute called msDS-GroupMSAMembership which contains a DACL

5) In WinBatch Version: 2016A, WWADS64I version: 44020, Windows 7 64bit, ADSI client (DSClient) version:
ADSIPATH = dsFindPath("LDAP://dc.fqdn.loc", "(sAMAccountName=svracc1$)") ; yes, the sAMAccountName has a $ at the end.. schema reason for that, but... some other day

SecSD = dsgetproperty(ADSIPath,"msDS-GroupMSAMembership")
; Get Security Descriptor properties.
secACL = dsGetSecProp( secSD, "DiscretionaryAcl")
sAceList = dsAclGetAces(secAcl, 3) ; get list of ACEs
ACEList = ""
For J = 1 to ItemCount(sAceList,@TAB)
   secACE = ItemExtract(1, sAceList, @TAB) ; get this ACE
   ; Get ACE Properties
   ACE1 = dsGetSecProp( secAce, "Trustee") ; Who
   ACE2 = dsGetSecProp( secAce, "AceType")
   if ACE2 == 0 || ACE2 == 5 then
      ACEList = ItemInsert(Ace1,-1,AceList,";")
   end if
Next J

So what I expect to see is
and what I see instead (over multiple tests) is

In other places (like PowerShell or ADSIEdit.msc) I see Computer1 and Computer2... I am only seeing this in WinBatch.
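As an added example (not code from the original post, and not the WinBatch ADSI extender), here is the same read-back done the way TD suggests below, in PowerShell with the ActiveDirectory module: it pulls msDS-GroupMSAMembership from the gMSA created in the steps above, walks every ACE of its DACL one per loop iteration (the fixed index was the whole bug in the WinBatch loop), and lists the trustees of the Allow ACEs; AceType 0 and 5 from the WinBatch code both surface as AccessControlType Allow in .NET. The gMSA name SrvAcc1 comes from the thread; the function name Get-GmsaPasswordReaders is my own.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory module
# (RSAT / AD DS tools) and read access to the gMSA object.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    # Lists every principal granted access in the DACL stored in msDS-GroupMSAMembership,
    # i.e. who is allowed to retrieve the gMSA's managed password.
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity    # sAMAccountName, DN, GUID or SID of the gMSA
    )

    $gmsa  = Get-ADServiceAccount -Identity $Identity -Properties 'msDS-GroupMSAMembership'
    $value = $gmsa.'msDS-GroupMSAMembership'

    # The AD module normally hands this attribute back already decoded as an
    # ActiveDirectorySecurity object; if it arrives as raw bytes, decode it ourselves.
    if ($value -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($value)
    } else {
        $sd = $value
    }

    # GetAccessRules returns one rule per ACE; iterate the collection rather than
    # re-reading a fixed index (the ItemExtract(1, ...) mistake in the WinBatch loop).
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        # AceType 0 (ACCESS_ALLOWED) and 5 (ACCESS_ALLOWED_OBJECT) both appear as Allow here
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $sid = $rule.IdentityReference
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid.Value   # unresolvable SID (deleted or foreign principal): keep it visible
        }

        [pscustomobject]@{
            Trustee   = $name
            Sid       = $sid.Value
            Rights    = $rule.ActiveDirectoryRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: list the DACL trustees, then compare with the cmdlet's own summary property.
Get-GmsaPasswordReaders -Identity 'SrvAcc1' | Format-Table -AutoSize
(Get-ADServiceAccount -Identity 'SrvAcc1' -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

The last line is the check worth keeping around: PrincipalsAllowedToRetrieveManagedPassword is the cmdlet's summary of the same DACL, so the two views should name the same computers (Computer1 and Computer2 in the scenario above). Any extra trustee in the DACL listing that is not in the summary, or an unresolvable SID, is something to look into, because every Allow ACE there is an account that can fetch the service account's password.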


Thanks for the information. We will look into it when time permits. In the interim you may wish to consider using a PowerShell script with WinBatch CLR hosting in your script. Not sure if you can obtain that information using ADSI COM Automation objects, but it might be another possible solution if you can.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade


Also, the ADSI extender doesn't perform any ordering or filtering of returned ACEs, and it is possible to have more than one ACE with the same trustee in a list. Are you sure that the ACE for the second computer isn't just farther down the list? Or is it just a case of two ACEs on the list with one of them being a duplicate instead of a second trustee?


TD, it was a bug in my logic.. The extender is fine... I edited the original post with my flaw.... I decided to leave the whole thing because it is a good example of the ADSI extender doing cool things with native ACLs on objects.

And in new code I do prefer the CLR objects.. But I first began this app like 5 years ago and, to be frank, I was scared to get into WinBatch-to-.NET stuff until about a year ago.. now I love it.
