Feature Request: "Are you sure, Sir?"
Opened this issue · 2 comments
So, pretty sad story here.
I wanted to add more than just 'reset password' rights to an AD account, so I just smashed 'All' in. I was going for something like:
Add-ObjectAcl -PrincipalSamAccountName rasta -TargetSamAccountName user -Rights All
But I somehow managed to miss out the TargetSamAccountName and ended up running:
Add-ObjectAcl -PrincipalSamAccountName rasta -Rights All
This proceeded to give the rasta account full control over every AD object that it could, which was a lot...
I'm not usually one for handholding; but perhaps it would be safe to put a check in place so that the user gets just a small nudge if they haven't specified a target, especially when applying full control?
It's a very valid point/request. Any function that modifies something, instead of just querying for information, should support a -Force flag like this example in Invoke-Shellcode - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1#L32-L34 . That's on me for overlooking what should have been implemented as standard behavior.
I'll start looking into adding this same behavior into various PowerView functions.
Cheers Will