GenericWrite

GenericWrite consists of being able to write all properties of a user, group or other object. It's not the same as GenericAll, since with that privilege you can alter the target's password — but here you can edit the msDS-KeyCredentialLink attribute: generate a new public/private key pair, craft a KeyCredential blob containing the public key and the identifying metadata, then write this blob to the target user's msDS-KeyCredentialLink attribute. You then use the private key to request a TGT for the user via PKINIT.

ADSI Edit

Same as we did previously — open ADSI Edit and locate the target user (in this case i.wright). Right-click it, go to the Security tab and click Advanced. Add an identity; we will use Infrastructure Managers again in this case. Check the "Write all properties" box.

PowerShell

If you're using the Server Core edition, you can also use the following script.

Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl / Set-Acl

$MyAdmin = (Get-ADGroup "Infrastructure Managers").SID   # principal that receives the right
$MyUser = Get-ADUser i.wright                             # target object
$MyDistinguishedName = $MyUser.DistinguishedName
$MyDistinguishedNameAD = "AD:$MyDistinguishedName"        # path of the object on the AD: drive
$MyACL = Get-Acl $MyDistinguishedNameAD
$MyADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite" # change to the preferred ACE
$MyType = [System.Security.AccessControl.AccessControlType] "Allow"
$MyInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$MyACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $MyAdmin, $MyADRights, $MyType, $MyInheritanceType
$MyACL.AddAccessRule($MyACE)
Set-Acl -AclObject $MyACL $MyDistinguishedNameAD

# Verify: ActiveDirectoryRights is a flags enum, so -match finds GenericWrite even when it is combined with other rights
(Get-Acl "AD:$((Get-ADUser -Identity 'i.wright').DistinguishedName)").Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Where-Object { $_.ActiveDirectoryRights -match "GenericWrite" }
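The flip side of the lab setup above is spotting such ACEs when you did not create them. The following audit is an added example, not part of the original page: it walks every user object and reports principals that can write msDS-KeyCredentialLink, whether through GenericAll, GenericWrite, the ADSI Edit "Write all properties" ACE (WriteProperty with an empty ObjectType) or a WriteProperty ACE scoped to that one attribute. It assumes the ActiveDirectory module on a domain-joined host; the list of expected principals is a constructed baseline to adjust for your domain.

```powershell
# Added example (not from the original page): find who can write msDS-KeyCredentialLink on users.
Import-Module ActiveDirectory

# Resolve the attribute's schemaIDGUID from the schema rather than hardcoding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=msDS-KeyCredentialLink)" -Properties schemaIDGUID
$keyCredGuid = [guid]$attr.schemaIDGUID

# Constructed baseline of principals expected to hold broad write rights on user objects
$expectedPrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators', 'BUILTIN\Account Operators')
$expectedGroupPattern = '\\(Domain Admins|Enterprise Admins)$'

$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$findings = foreach ($user in Get-ADUser -Filter *) {
    $acl = Get-Acl -Path "AD:$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($expectedPrincipals -contains $principal -or $principal -match $expectedGroupPattern) { continue }

        # GenericAll and GenericWrite both include the WriteProperty bit, so one bit test covers all three cases
        $canWriteProperties = (($ace.ActiveDirectoryRights -band $writeProperty) -eq $writeProperty)
        # Empty ObjectType means "all properties"; otherwise the ACE must name msDS-KeyCredentialLink itself
        $coversKeyCred = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $keyCredGuid)

        if ($canWriteProperties -and $coversKeyCred) {
            [pscustomobject]@{
                User      = $user.SamAccountName
                Principal = $principal
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object User, Principal | Format-Table -AutoSize
```

Run against the lab domain, the Infrastructure Managers ACE on i.wright appears in the output; inherited hits usually point at an OU- or domain-level ACE worth reviewing rather than at the user object itself.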

Same reminder as before

Written by ruycr4ft
