IISResetMe revised this gist
Aug 3, 2021 . 1 changed file with 1 addition and 0 deletions.
@@ -7,6 +7,7 @@ if(-not $Force){ Write-Warning "DO NOT run this if you have an active Exchange organization in the current forest" Write-Warning "Instead, apply the latest Exchange Server CU from Microsoft" Write-Warning "If you've already removed all Exchange Server installations from the forest, go ahead and run this script with '-Force'" return } # Discover schema NC
IISResetMe revised this gist
Aug 3, 2021 . 1 changed file with 12 additions and 1 deletion.
@@ -1,3 +1,14 @@ param( [switch]$Force ) if(-not $Force){ Write-Warning "This will cripple Exchange-related schema entries" Write-Warning "DO NOT run this if you have an active Exchange organization in the current forest" Write-Warning "Instead, apply the latest Exchange Server CU from Microsoft" Write-Warning "If you've already removed all Exchange Server installations from the forest, go ahead and run this script with '-Force'" } # Discover schema NC $rootDSE = Get-ADRootDSE $schemaNC = $rootDSE.schemaNamingContext @@ -15,7 +26,7 @@ $schemaRefresh = { } # Fetch msExchStorageGroup schema object $schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))' -SearchBase $schemaNC # Update schema object Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMaster
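Review bot: The `if(-not $Force)` guard in this revision only prints warnings and then falls through to `Set-ADObject`, so a run without `-Force` still modifies the schema. The later revision shown on this page adds `return` inside the block, and anyone pinning this revision should carry that line. Separately, a forest-wide schema write would be easier to rehearse if the `param()` block carried `[CmdletBinding(SupportsShouldProcess)]`, so that `-WhatIf` reaches `Set-ADObject`. The ADSI `schemaUpdateNow` call in `$schemaRefresh` would presumably need its own `$PSCmdlet.ShouldProcess(...)` check, since it does not go through a cmdlet.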
IISResetMe revised this gist
Jul 30, 2021 . 1 changed file with 24 additions and 0 deletions.
@@ -0,0 +1,24 @@ # Discover schema NC $rootDSE = Get-ADRootDSE $schemaNC = $rootDSE.schemaNamingContext # Discover schema master $schemaMaster = Get-ADObject $schemaNC -Properties fSMORoleOwner | Get-ADDomainController -Identity { $_.fSMORoleOwner } # Re-bind against RootDSE on schema master $rootDSE = [ADSI]::new("LDAP://$($schemaMaster.HostName)/RootDSE") # Prepare to refresh the schema!!! $schemaRefresh = { $rootDSE.Put("schemaUpdateNow", 1) $rootDSE.SetInfo() } # Fetch msExchStorageGroup schema object $schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))' # Update schema object Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMaster # Refresh schema & $schemaRefresh
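Review bot: `Set-ADObject` is called with `$schemaObject.distinguishedName` without checking that the lookup returned anything, and `& $schemaRefresh` runs whether or not the update succeeded. In a forest whose schema has no msExchStorageGroup class, or when the caller lacks schema write rights, the script would report an error and still set `schemaUpdateNow` on the schema master. A guard such as `if(-not $schemaObject){ Write-Warning 'msExchStorageGroup not found in schema'; return }` plus `-ErrorAction Stop` on `Set-ADObject` would stop before the refresh. Re-reading `possSuperiors` from `$schemaMaster` afterwards would confirm that the mitigation actually took effect.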
IISResetMe renamed this gist
Jul 30, 2021 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
IISResetMe created this gist
Jul 30, 2021 .
@@ -0,0 +1,34 @@ # Dictionary to hold superclass names $superClass = @{} # List to hold class names that inherit from container and are allowed to live under computer object $vulnerableSchemas = [System.Collections.Generic.List[string]]::new() # Resolve schema naming context $schemaNC = (Get-ADRootDSE).schemaNamingContext # Enumerate all class schemas $classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors # Enumerate all class schemas that computer is allowed to contain $computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer' # Populate superclass table $classSchemas |ForEach-Object { $superClass[$_.lDAPDisplayName] = $_.subClassOf } # Resolve class inheritance for computer inferiors $computerInferiors |ForEach-Object { $class = $cursor = $_.lDAPDisplayName while($superClass[$cursor] -notin 'top'){ if($superClass[$cursor] -eq 'container'){ $vulnerableSchemas.Add($class) break } $cursor = $superClass[$cursor] } } # Outpupt list of vulnerable class schemas $vulnerableSchemas
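Review bot: The audit only matches classes whose own `possSuperiors` lists `computer`, so it can under-report. Active Directory also honours `systemPossSuperiors`, and both attributes are inherited from superclasses. Adding `systemPossSuperiors` to `-Properties` and filtering with `Where-Object { $_.possSuperiors -contains 'computer' -or $_.systemPossSuperiors -contains 'computer' }` would close the first gap. Covering inherited superiors would mean checking each ancestor's two attributes while walking `$superClass`. A header comment stating that the output is a list of candidate classes to review, not proof of exposure, would also help readers who run it as a compliance check.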