Friday, August 11, 2017

Create AD groups programmatically via DirectoryServices without domain admin rights using OU control delegation

In .NET, code that needs to work with AD will in most cases use the System.DirectoryServices assembly. To perform actions against AD, the code must run under a user account that has the necessary permissions. Another option is security binding: the DirectoryEntry constructor that receives a username and password as parameters. In this case the specified user must also have the necessary permissions. The question is which exact permissions are needed, e.g. for creating AD groups. Of course a domain admin account will be enough, since members of that group can perform almost any action in their AD. But it also widens the exposure: the application could harm the whole AD if malicious users compromise it.

Microsoft AD has another feature called control delegation (Delegate Control), which lets you work with AD without domain admin rights. The idea is that you delegate control over a specific AD object (e.g. an Organizational Unit, OU) to a user or group, and this user or group can then make changes only within that AD object. Let's look at the following test example.

1. First, for clarity, we create a new AD account that is not a member of any AD group except the built-in Domain Users group:

2. After that, create a Test OU in AD, where we will create the AD groups:

3. Now let's try to run the following code, which uses DirectoryEntry with security binding under the created account to create a new AD group. The current timestamp is used in the group name:

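    using System;
    using System.DirectoryServices;

    // Bind to the domain with explicit credentials of the low-privileged test account.
    DirectoryEntry dom = new DirectoryEntry("LDAP://SP.DEV",
        "sp\\testuser1", "...", AuthenticationTypes.Secure);

    // Locate the Test OU directly under the domain root.
    DirectoryEntry ou = dom.Children.Find("OU=Test");

    // Build a unique group name from the current timestamp.
    string name = "test_" + DateTime.Now.ToString("yyyyMMddHHmmss");
    DirectoryEntry group = ou.Children.Add("CN=" + name, "group");

    group.Properties["samAccountName"].Value = name;

    // Nothing is written to AD until CommitChanges() is called.
    group.CommitChanges();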

The result will be System.UnauthorizedAccessException:

Unhandled Exception: System.UnauthorizedAccessException: Access is denied.

   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   …

4. Now let's return to AD, right-click the OU and select the Delegate Control menu item. In the wizard that opens, we choose our account and the "Create, delete and manage groups" task:

5. After that, if we run our code again, it successfully creates a new AD group:

As you can see, using control delegation we were able to create AD groups without domain admin rights. Here is the list of all actions for which you can delegate control in AD:

  • Create, delete and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Create, delete and manage groups
  • Modify the membership of a group
  • Manage group policy links
  • Generate resultant set of policy (planning)
  • Generate resultant set of policy (logging)
  • Create, delete and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson information

This is quite a powerful feature which you may use to make your code more secure.
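
To confirm what the delegation in step 4 actually granted, the OU's ACL can be read back with the same assembly. This is an added example, not code from the original post: the LDAP path (including the DC=SP,DC=DEV suffix) and the default trustee are assumptions based on the post's test domain, and the program only reads the ACL under the identity it is run as.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

class OuDelegationAudit
{
    // schemaIDGUID of the "group" object class in the AD schema.
    static readonly Guid GroupClass = new Guid("bf967a9c-0de6-11d0-a285-00aa003049e2");

    // Describes how far an allow ACE on the OU reaches.
    static string Scope(ActiveDirectoryAccessRule ace)
    {
        bool childOps = (ace.ActiveDirectoryRights &
            (ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild)) != 0;
        if (ace.InheritedObjectType == GroupClass) return "applies to group objects under the OU";
        if (childOps && ace.ObjectType == GroupClass) return "create/delete limited to group objects";
        if (childOps && ace.ObjectType == Guid.Empty) return "REVIEW: create/delete any object class";
        return "other right on the OU";
    }

    static void Main(string[] args)
    {
        // Assumed defaults: the post's SP.DEV domain, Test OU and test account.
        string path = args.Length > 0 ? args[0] : "LDAP://SP.DEV/OU=Test,DC=SP,DC=DEV";
        string trustee = args.Length > 1 ? args[1] : @"SP\testuser1";

        using (var ou = new DirectoryEntry(path))
        {
            // Explicit ACEs only: delegation set on this OU, not rights inherited from above.
            var rules = ou.ObjectSecurity.GetAccessRules(true, false, typeof(NTAccount));
            foreach (ActiveDirectoryAccessRule ace in rules)
            {
                if (ace.AccessControlType != AccessControlType.Allow) continue;
                if (!string.Equals(ace.IdentityReference.Value, trustee,
                        StringComparison.OrdinalIgnoreCase)) continue;

                Console.WriteLine("{0}: {1} [{2}] -> {3}", ace.IdentityReference.Value,
                    ace.ActiveDirectoryRights, ace.InheritanceType, Scope(ace));
            }
        }
    }
}
```

An entry marked REVIEW means the account can create or delete objects of classes other than groups in the OU, which is wider than the task delegated in step 4.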
