lithnet/ad-password-protection

Test-IsADUserPasswordCompromised : Access is denied

anon474 opened this issue · 6 comments

Running PowerShell as admin while logged in as a domain admin on a Server 2012 R2 domain controller, I get the following error.

Test-IsADUserPasswordCompromised : Access is denied
At line:1 char:1
+ Test-IsADUserPasswordCompromised -Upn XXXXX@XXXX.com
    + CategoryInfo          : NotSpecified: (:) [Test-IsADUserPasswordCompromised], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Lithnet.ActiveDirectory.PasswordProtection.PowerShell

Running the TestIsADUserPasswordCompromised.ps1 script, I receive the following error as well.
PS C:\password-protection> .\TestIsADUserPasswordCompromised.ps1
WARNING: User Guest has a null UPN
WARNING: User Administrator has a null UPN
WARNING: User krbtgt has a null UPN
WARNING: User IUSR_W2K8AB1 has a null UPN
Test-IsADUserPasswordCompromised : CRC check failed.
At C:\password-protection\TestIsADUserPasswordCompromised.ps1:31 char:15
+ ... $result = Test-IsADUserPasswordCompromised -UPN $user -server local ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Test-IsADUserPasswordCompromised], FormatException
    + FullyQualifiedErrorId : System.FormatException,Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised

Tested removing the domain admin from the Protected Users group, rebooted the DC, and verified that .NET Framework 4.6, PowerShell 5, and Microsoft Visual C++ Runtime 14 (2017) or newer are installed.

Can you type the following after the first error you showed

$error[0].Exception.ToString()

and paste the results here.

Check to see that you have "Replicate directory changes all" permission on the top level domain object in AD users and computers. Admins have this by default, but it may have been changed.
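To make that check repeatable rather than clicking through the Security tab, the following script (an added example written for this thread, not code from the ad-password-protection project) reads the ACL of the domain root and reports every ACE that grants or denies one of the three replication control-access rights, then says whether the token of the user running it holds "Replicate directory changes all" directly or through group membership. It assumes the RSAT ActiveDirectory module is installed on the DC (it ships with the DC role) and that it is run in an elevated PowerShell session as the account that will run Test-IsADUserPasswordCompromised. The three GUIDs are the well-known schema identifiers of the replication extended rights.

```powershell
# Added diagnostic, not part of lithnet/ad-password-protection.
# Lists replication-right ACEs on the domain root and checks whether the
# current user (directly or via any group in its token) is allowed
# DS-Replication-Get-Changes-All, the right the cmdlet needs to bind to DRS.
Import-Module ActiveDirectory

# Well-known GUIDs of the replication control-access rights in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain
# The AD: drive is provided by the ActiveDirectory module; Get-Acl understands its paths.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

# Keep only ExtendedRight ACEs whose ObjectType is one of the replication rights.
$replAces = $acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $ReplRights.ContainsKey($_.ObjectType.ToString())
}

"Replication-right ACEs on $($domain.DistinguishedName):"
$replAces | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Right    = $ReplRights[$_.ObjectType.ToString()]
        Type     = $_.AccessControlType
    }
} | Format-Table -AutoSize

# SIDs present in the current token: the user plus every (nested) group.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Translate each ACE's trustee to a SID; unresolvable (orphaned) trustees are skipped.
function Get-AceSid($ace) {
    try {
        $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

$relevant = $replAces | Where-Object {
    $ReplRights[$_.ObjectType.ToString()] -eq 'DS-Replication-Get-Changes-All' -and
    $mySids -contains (Get-AceSid $_)
}
$allowed = @($relevant | Where-Object { $_.AccessControlType -eq 'Allow' })
$denied  = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })

if ($denied.Count -gt 0) {
    # An explicit Deny wins over Allow and would surface as "Access is denied".
    Write-Warning ("Deny ACE for DS-Replication-Get-Changes-All applies to this token via: " +
        (($denied | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
}
if ($allowed.Count -gt 0) {
    "OK: $($identity.Name) is allowed DS-Replication-Get-Changes-All via: " +
        (($allowed | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
} else {
    "MISSING: no Allow ACE for DS-Replication-Get-Changes-All on the domain root matches $($identity.Name)."
}
```

The script only inspects the ACL; it does not prove the DRS RPC endpoint is reachable, so an "OK" result together with a persistent access-denied error points at something between the client and the endpoint (a Deny ACE it would have warned about, or interference outside the directory itself) rather than at a missing grant. Run it from a fresh logon after any group change, because the token is evaluated as captured at logon.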

PS C:\password-protection> $error[0].Exception.ToString()
System.UnauthorizedAccessException: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied
   --- End of inner exception stack trace ---
   at DSInternals.Common.Validator.AssertSuccess(Win32ErrorCode code)
   at DSInternals.Replication.Interop.DrsConnection.Bind(IntPtr rpcHandle)
   at DSInternals.Replication.Interop.DrsConnection..ctor(IntPtr rpcHandle, Guid clientDsa)
   at DSInternals.Replication.DirectoryReplicationClient..ctor(String server, RpcProtocol protocol, NetworkCredential credential)
   at Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised.BeginProcessing() in D:\dev\git\lithnet\ad-password-protection\src\PasswordProtectionPS\TestIsADUserPasswordCompromised.cs:line 40
   at System.Management.Automation.Cmdlet.DoBeginProcessing()
   at System.Management.Automation.CommandProcessorBase.DoBegin()

I double-checked that the "Replicate directory changes all" permission is set to Allow for Domain Admins.

This is a strange one. Your account is being denied permission to connect to the replication service via RPC. Are you using any RPC blockers/firewalls? There has to be something non-standard in play if you are running this as a DA, on a DC, and have the replicate directory changes all right.

There are no RPC blockers/firewalls that I can find. The Windows firewall is not even enabled on the DC. I ran the RPC test script here https://devblogs.microsoft.com/scripting/testing-rpc-ports-with-powershell-and-yes-its-as-much-fun-as-it-sounds/ and the ports it tests show as reachable.

Hi @anon474

I'm not really sure what could be blocking your access here. There is definitely something interfering and denying the connection to the replication endpoint. The code is getting an 'access denied' error when trying to bind to the RPC endpoint. Possibly anti-malware software interfering?

The only things technically needed for this to work are DA rights (or replicate directory changes all), and running on a DC. Something else unique to your environment is in play, but unfortunately, I can't guess as to what it is.

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.