[HELP] AdminSDHolder Protected Groups (AdminCount=1) for JIT role access? Write Members ACL permission being reset.
Closed this issue · 4 comments
AdminSDHolder Protected Groups (AdminCount=1) for JIT role access? Write Members ACL permission being reset.
When using the sample script that was provided to assist in setting the correct WriteProperty attribute in AD to allow the group managed service account that AMS runs under to add/remove users as part of JIT access, I noticed that its problematic when protected groups are being targeted for role authorization rules.
One use case is to use role JIT access for the Domain Admin group, this group has AdminCount=1 and any ACL changes on the group will be reset back to match AdminSDHolder ACLs.
My thinking here is to add the ACL on the AdminSDHolder container object type, but I don't have the option to set "Write Members" ACL, only "Write all properties" and my thinking here is this might be too permissive to apply across all AdminCount=1 objects.
Any thoughts on how to approach?
AdminSDHolder, Protected Groups and SDPROP
Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call "protected" groups). Every hour, a background process runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the size or the binary string is different, the security descriptor on the object is overwritten by the security descriptor from the AdminSDHolder object..
@c3rberus Yes you are correct. You'll need to modify the ACL template on the adminsdholder object to include the write member permission.
You may need to resort to PowerShell to specifically set that one property write permission. It doesn't look like you can do this in the UI.
Do you know if it's possible to do via PowerShell? I tried using below code to set WritePropery on AdminSDHolder, but it does not seem to work.
Import-Module ActiveDirectory
$gMSA = Get-ADServiceAccount gMSA-LithnetAMS
$ACL = get-acl -Path "AD:\CN=AdminSDHolder,CN=System,DC=xxxx,DC=xxxx,DC=com"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$gMSA.SID,
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
[System.Security.AccessControl.AccessControlType]::Allow,
"bf9679c0-0de6-11d0-a285-00aa003049e2",
[DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ACL.AddAccessRule($ACE)
$ACL | Select -ExpandProperty Access | Select IdentityReference,ActiveDirectoryRights
I believe you need to call Set-Acl after modifying the $ACL object to write the changes back to the directory.
I tried this and it did not work, what I ended up doing is giving Write all properties to the AdminSDHolder container for my privileged users.