OH MY GOSH, NM... I had a bug in the LOOP!!! WELL, I'll leave this here for nerd reading. The flaw was in my ItemExtract(
It was using ItemExtract(1... a constant
and should have been ItemExtract(J... a loop variable.
Aaron
I am getting incorrect information from a script I wrote while working with AD.
This particular script reads a property on a group Managed Service Account; however, I suppose the flaw could surface anywhere the property value is a "DiscretionaryAcl". I am having issues when the "DiscretionaryAcl" contains 2 or more "Trustee"s that are different: the WinBatch code is returning all Trustees as the same object, while all other code shows them as the two different ones I set.
Here is the scenario (can be reproduced in a lab, and does not require the gMSA account to actually function, just read its configuration back in WinBatch after creation):
1) I have a Windows 2012R2 Domain Controller, and using PowerShell on the DC:
2) I have created a gMSA (group Managed Service Account)
   a. If not already done, you must ONCE per FOREST configure/enable the Microsoft Key Distribution Service (https://technet.microsoft.com/en-us/library/jj128430.aspx)
      i. If ONLY one or 2 HIGHLY connected DCs (like a lab)
         1. Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
      ii. else
         1. Add-KdsRootKey -EffectiveImmediately   # wait 10 hours
   b. New-ADServiceAccount -Name SrvAcc1 -DNSHostName SvrAcc1.fqdnofthisdomain.loc
3) Authorize multiple AD entities to be able to read the Service Account password (normally these are computer objects, but if the ONLY computer in your lab is a single DC, then it could be a user also)
   a. $Principals = @()   # create a blank array
   b. $Principals += Get-ADComputer computer1
   c. $Principals += Get-ADComputer computer2
      Or += Get-ADUser user1, or $Principals = Get-ADComputer -Filter {something that would produce 2 computers}
   d. Set-ADServiceAccount -Identity SrvAcc1 -PrincipalsAllowedToRetrieveManagedPassword $Principals
4) The result of this is an object in AD that is not a "user", but is an ObjectClass of 'msDS-GroupManagedServiceAccount', that has an attribute called msDS-GroupMSAMembership which contains a DACL.
5) In WinBatch version 2016A, WWADS64I version 44020, Windows 7 64-bit, ADSI client (DSClient) version 5.0.00.0:
ADSIPath = dsFindPath("LDAP://dc.fqdn.loc", "(sAMAccountName=svracc1$)") ; yes, the sAMAccountName has a $ at the end... schema reason for that, but... some other day
secSD = dsGetProperty(ADSIPath, "msDS-GroupMSAMembership")
; Get Security Descriptor properties.
secACL = dsGetSecProp(secSD, "DiscretionaryAcl")
sAceList = dsAclGetAces(secACL, 3) ; get TAB-delimited list of ACEs
ACEList = ""
For J = 1 To ItemCount(sAceList, @TAB)
   ; NOTE: this is the bug described at the top of the post: the index is the constant 1,
   ; so every pass of the loop extracts the first ACE instead of ACE number J.
   secACE = ItemExtract(1, sAceList, @TAB) ; get this ACE
   ; Get ACE properties
   ACE1 = dsGetSecProp(secACE, "Trustee") ; who
   ACE2 = dsGetSecProp(secACE, "AceType") ; 0 = access allowed, 5 = access allowed object
   If ACE2 == 0 || ACE2 == 5
      ACEList = ItemInsert(ACE1, -1, ACEList, ";") ; append trustee to the result list
   EndIf
Next
So what I expect to see is
ACEList == "NETBIOSDOMAIN\COMPUTER1$;NETBIOSDOMAIN\COMPUTER2$"
and what I see instead (over multiple tests) is
ACEList == "NETBIOSDOMAIN\COMPUTER1$;NETBIOSDOMAIN\COMPUTER1$"
In other places (like PowerShell or ADSIEdit.msc) I see Computer1 and Computer2... I am only seeing this in WinBatch.
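The following is an added PowerShell example, not code from the original post: it decodes the same msDS-GroupMSAMembership DACL the WinBatch loop walks (keeping the post's AceType 0/5 filter) for every gMSA in the domain, and cross-checks the trustee list against the cmdlet's own PrincipalsAllowedToRetrieveManagedPassword view, which is the reference the poster compared against. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name is ours.

```powershell
# Added example (not from the original post): audit who can retrieve each gMSA's managed password
# by decoding msDS-GroupMSAMembership directly, then compare with the cmdlet's decoded view.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    $gmsas = Get-ADServiceAccount -Filter "objectClass -eq 'msDS-GroupManagedServiceAccount'" `
        -Properties 'msDS-GroupMSAMembership', 'PrincipalsAllowedToRetrieveManagedPassword'

    foreach ($acct in $gmsas) {
        $raw = $acct.'msDS-GroupMSAMembership'      # byte[] security descriptor, or $null if nobody is authorized
        $fromDacl = @()
        if ($raw) {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
            foreach ($ace in $sd.DiscretionaryAcl) {
                # Same filter as the post: AceType 0 (AccessAllowed) or 5 (AccessAllowedObject).
                if ($ace.AceType -ne 'AccessAllowed' -and $ace.AceType -ne 'AccessAllowedObject') { continue }
                $name = $ace.SecurityIdentifier.Value     # fall back to the raw SID if it cannot be resolved
                try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
                $fromDacl += $name
            }
        }
        # The cmdlet view holds DNs; resolve each to DOMAIN\name for a like-for-like comparison.
        $fromCmdlet = @(foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
            (Get-ADObject $dn -Properties objectSid).objectSid.Translate([System.Security.Principal.NTAccount]).Value
        })
        $daclText   = @($fromDacl   | Sort-Object -Unique) -join ';'
        $cmdletText = @($fromCmdlet | Sort-Object -Unique) -join ';'
        [pscustomobject]@{
            Account      = $acct.Name
            DaclTrustees = $daclText      # expected e.g. NETBIOSDOMAIN\COMPUTER1$;NETBIOSDOMAIN\COMPUTER2$
            CmdletView   = $cmdletText
            Match        = ($daclText -eq $cmdletText)   # $false flags a decoding bug or unexpected ACE
        }
    }
}

Get-GmsaPasswordReaders | Format-Table -AutoSize
```

Any row with Match = $false means the raw DACL and the cmdlet disagree about who can pull the password, which is exactly the symptom the post describes and is worth investigating on the account in question.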