GenericAll
GenericAll is the easiest ACE to set, but it's also the most dangerous one. If you gain access as an account that has GenericAll over another, it means that other account is also compromised. I won't mention how to abuse it here since there are tons of articles that show how to do that, but very few that show how to configure it.
Our idea is that Infrastructure Managers should have GenericAll over several accounts, since this group is a trusted one and is meant to perform domain operations without being an admin. For the sake of demonstration, I'll only apply this ACE over one user, but this task can be repeated several times over any account you want.
ADSI Edit
First of all, we must open ADSI Edit. Once in it, we go to "Action" and click "Connect to". Leave it as it is and hit OK. Once connected, browse to your target user (mine will be e.smith). Right click it, and go to "Security > Advanced".

Once there, click on "Add" and search for your principal (in this case, Infrastructure Managers).

Tick "Full control" and apply. This writes the wanted ACE (GenericAll for the chosen principal) onto the user object.
PowerShell
If you're using the Server Core edition, you can also use the following script (it needs the ActiveDirectory module, which provides the AD: drive used by Get-ACL and Set-ACL).
# Principal that will receive the ACE (a SID is a valid IdentityReference for the rule constructor)
$MyAdmin = (Get-ADGroup "Infrastructure Managers").SID
# Target user object and its distinguished name
$MyUser = Get-ADUser e.smith
$MyDistinguishedName = $MyUser.DistinguishedName
# Path of the object on the AD: PSDrive, e.g. AD:CN=e.smith,OU=...,DC=...
$MyDistinguishedNameAD = "AD:$MyDistinguishedName"
$MyACL = Get-ACL $MyDistinguishedNameAD
$MyADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll" # change to the preferred ACE
$MyType = [System.Security.AccessControl.AccessControlType] "Allow"
$MyInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$MyACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $MyAdmin, $MyADRights, $MyType, $MyInheritanceType
$MyACL.AddAccessRule($MyACE)
# Write the modified DACL back to the object
Set-ACL -AclObject $MyACL $MyDistinguishedNameAD
# Verify: list every ACE on e.smith that carries GenericAll
(Get-ACL "AD:$((Get-ADUser -Identity 'e.smith').DistinguishedName)").Access | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights | Where-Object { $_.ActiveDirectoryRights -eq "GenericAll" }
However, from past experience, this method is not as reliable as using ADSI Edit.
I highly recommend using ADSI Edit instead of PowerShell.
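Whichever way you set the ACE, it's worth auditing who actually holds GenericAll over your accounts afterwards, because a grant to the wrong principal is exactly the "one account compromised, another one too" situation described at the top. The following audit function is an added example, not part of the original post; it walks every user under a search base, reads the DACL through the same AD: drive the script above uses, and flags GenericAll grants to principals outside an expected list. The OU path and the expected-principal names are assumptions for the lab; replace them with your own.

```powershell
# Added example (not the original post's code): audit GenericAll ACEs on user objects.
# Assumes the ActiveDirectory module is loaded and that the caller can read the DACLs.
function Get-GenericAllGrants {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # Assumed list of principals that are allowed to hold GenericAll in this lab
        [string[]]$ExpectedPrincipals = @('Infrastructure Managers', 'Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
    )
    $GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $user = $_
        $acl  = Get-Acl -Path "AD:$($user.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # HasFlag matches GenericAll whether it is set alone or combined with other rights
            if ($ace.AccessControlType -eq 'Allow' -and $ace.ActiveDirectoryRights.HasFlag($GenericAll)) {
                # Strip the DOMAIN\ prefix so the name can be compared with the expected list
                $name = ($ace.IdentityReference.Value -split '\\')[-1]
                [pscustomobject]@{
                    User      = $user.SamAccountName
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                    Expected  = ($ExpectedPrincipals -contains $name)
                }
            }
        }
    }
}

# Usage: report only the grants that are not on the expected list (OU path is a placeholder)
Get-GenericAllGrants -SearchBase 'OU=Users,DC=example,DC=local' |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```

Inherited entries for the built-in admin groups are normal and come from the domain or OU defaults; the rows to look at are the non-inherited ones for principals you did not put on the list, which is how a stray GenericAll from a mistaken ADSI Edit session or an old test script shows up.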
Written by ruycr4ft