public IResult Collect(SearchString searchstring)
{
NestedGMSearchString searchString = (NestedGMSearchString)searchstring;
_logger.Debug($"Collecting Nested Group Membership for {searchString.SAMAccountName}");
List <string> groupList = new List <string>();
Dictionary <string, string> groupMap = new Dictionary <string, string>();
string nameFilter = $"(sAMAccountName={searchString.SAMAccountName})";
var ldapSearchString = new LDAPSearchString {
DN = Searcher.LdapInfo.RootDN, Filter = nameFilter, Scope = SearchScope.Subtree
};
var resultEntry = Searcher.GetResultEntry(ldapSearchString);
if (resultEntry == null)
{
return(null);
}
using (var userEntry = (Searcher.GetDirectoryEntry(resultEntry.DistinguishedName)))
{
//https://www.morgantechspace.com/2015/08/active-directory-tokengroups-vs-memberof.html
//Use RefreshCach to get the constructed attribute tokenGroups.
userEntry.RefreshCache(new string[] { "tokenGroups" });
foreach (byte[] sid in userEntry.Properties["tokenGroups"])
{
string groupSID = new SecurityIdentifier(sid, 0).ToString();
string groupName = Helper.SIDNameSID(groupSID);
groupList.Add(groupName);
groupMap.Add(groupSID, groupName);
}
}
//Somehow these groups are missing
groupMap.Add("S-1-5-11", @"NT AUTHORITY\Authenticated Users");
groupMap.Add("S-1-5-15", @"NT AUTHORITY\This Organization");
UserSIDNameDictionary.Add(searchString.SAMAccountName.ToUpper(), groupMap);
return(new ListResult {
Title = searchString.Title, Result = groupList
});
}
public static AuthorizationRuleCollection GetAuthorizationRules(string targetDn, out string ownerSID)
{
logger.Debug($"Getting Authorization Rules for {targetDn}");
try
{
using (var aclEntry = Searcher.GetDirectoryEntry(targetDn))
{
ActiveDirectorySecurity sec = aclEntry.ObjectSecurity;
ownerSID = sec.GetOwner(typeof(SecurityIdentifier)).ToString();
AuthorizationRuleCollection rules = sec.GetAccessRules(true, true, typeof(SecurityIdentifier));
return(rules);
}
}
catch
{
logger.Error($"Cannot get authorization data on {targetDn}");
ownerSID = null;
return(null);
}
}
//1. Iterate each OU/Domain/Site: "gplink" & "gpoptions"
//2. Find GPOs that are linked to each OU/Domain/Site
//3. Iterate each GPO to find out if they have WMI filters: "gPCWQLFilter"
//4. Find the WMI policy and check if the policy is filtered out: "msWMI-Parm2"
public IResult Collect(SearchString searchstring)
{
AppliedGPOSearchString searchString = (AppliedGPOSearchString)searchstring;
var ouList = CollectMyOUs(searchString.SAMAccountName);
if (ouList == null)
{
return(null);
}
AppliedGPOs = new Dictionary <string, Dictionary <string, string> >();
Regex gpoRx = new Regex(@"=(\{.+?\}),", RegexOptions.Compiled);
Regex gpoptionRx = new Regex(@";(\d)", RegexOptions.Compiled);
foreach (string ouDN in ouList)
{
bool isBlocking = false;
bool isEnforced = false;
bool isDenied = false;
var linkedGPOs = new Dictionary <string, string>();
using (var ouEntry = Searcher.GetDirectoryEntry(ouDN))
{
//Linked GPOs & Enforcement
if (ouEntry.Properties.Contains("gplink"))
{
string[] gplinkArrary = Regex.Split(ouEntry.Properties["gplink"][0].ToString(), @"\]\[");
if (gplinkArrary == null)
{
break;
}
foreach (var gplinkString in gplinkArrary)
{
if (gplinkString.Replace(" ", "") == string.Empty)
{
continue;
}
Match matchGPO = gpoRx.Match(gplinkString);
Match matchGpoption = gpoptionRx.Match(gplinkString);
string gpoID = matchGPO.Groups[1].ToString().ToUpper();
//[LDAP://cn={E8D8C72C-3AAB-496C-90CD-C5F44F0AF10C},cn=policies,cn=system,DC=corplab,DC=local;0]
//0: Default: The GPO Link is not ignored and is not an enforced GPO.
//1: The GPO Link MUST be ignored.
//2: The GPO Link is an enforced GPO.
isEnforced = (int.Parse(matchGpoption.Groups[1].ToString()) == 2);
string gpoDn = "CN=" + gpoID + ",CN=Policies,CN=System," + Searcher.LdapInfo.RootDN;
try//in case the gpo was deleted
{
string gpoName = GPO.GroupPolicies[gpoID];
//SecurityFiltering: Check if the target GPO applied to the current user
isDenied = IsDeniedPolicy(searchString.SAMAccountName, gpoDn);
gpoName = isDenied ? (gpoName + " [X Denied]") : gpoName;
gpoName = isEnforced ? (gpoName + " [Enforced]") : gpoName;
linkedGPOs.Add(gpoID, gpoName);
}
catch { _logger.Warn($"GPO {gpoID} was probably deleted."); }
}
}
//If a OU blocks inheritance
if (ouEntry.Properties.Contains("gpOptions"))
{
//OUs that block inheritance will only ignore non-enforecd GPO
//OU Attribute: gPOptions=1 Block Inheritance
isBlocking = (int)ouEntry.Properties["gpOptions"][0] == 1;
}
}
string ou = isBlocking ? (ouDN + " [Blocking Inheritance]") : ouDN;
AppliedGPOs.Add(ou, linkedGPOs);
}
return(new DDResult {
Title = searchString.Title, Result = AppliedGPOs
});
}
