Comments (21)
If you look at the first error message in your output, it would appear as though you do not have RSAT tools installed.
It also looks like you're running this from a non-server OS, since you're also getting this error message.
Locksmith currently only supports installing RSAT AD PowerShell cmdlets via the server Install-WindowsFeature cmdlet. For Windows 10, if you wanted to install ALL RSAT features, you could use this command:
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Or if you just want the ActiveDirectory PowerShell cmdlets, this should work:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
After you've installed the appropriate PowerShell cmdlets, be sure to use the testing branch and try to run Locksmith again. Please let us know if that resolves your issue.
from locksmith.
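The two install paths in the comment above (Install-WindowsFeature on Server, Add-WindowsCapability on Windows 10) can be wrapped in one check that picks the right one for the host. This is an added example written for this thread, not Locksmith's own code; the function name Install-ADPowerShellRsat is invented here, and it assumes an elevated session (both Get-WindowsCapability -Online and Install-WindowsFeature require it).

```powershell
# Added example (not Locksmith's own code): make sure the ActiveDirectory module is present
# before any Get-AD* cmdlet runs, choosing the install method by OS SKU.
function Install-ADPowerShellRsat {
    [CmdletBinding()]
    param()

    # Nothing to do if the module is already on disk.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Write-Verbose 'ActiveDirectory module already available.'
        return $true
    }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

    if ($productType -eq 1) {
        # Client SKU (Windows 10/11): RSAT ships as a Feature on Demand, so use the
        # capability name from the thread rather than Install-WindowsFeature, which does not exist here.
        $capName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
        $cap = Get-WindowsCapability -Online -Name $capName
        if ($cap.State -ne 'Installed') {
            Write-Verbose "Installing capability $capName"
            Add-WindowsCapability -Online -Name $capName | Out-Null
        }
    }
    else {
        # Server SKU: the ServerManager module provides Install-WindowsFeature.
        Write-Verbose 'Installing RSAT-AD-PowerShell feature'
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }

    # Verify the result instead of trusting the installer's exit status.
    Import-Module ActiveDirectory -ErrorAction Stop
    return [bool](Get-Command Get-ADForest -ErrorAction SilentlyContinue)
}

# Usage: run elevated, then check the return value before calling Get-ADForest.
if (-not (Install-ADPowerShellRsat -Verbose)) {
    Write-Warning 'ActiveDirectory module still unavailable; RSAT install did not complete.'
}
```

On client SKUs the Feature on Demand payload is downloaded from Windows Update; machines that are restricted to a WSUS server may need the optional-component source policy set before Add-WindowsCapability succeeds, which is why the function checks for Get-ADForest afterwards rather than assuming the install worked.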
> I am testing it on my local system account. Am I not supposed to?
Running Locksmith as a local account will not work in a properly configured Active Directory. Part of hardening AD is removing anonymous access to the directory. In very old AD environments that needed compatibility with NT4 domains, it may work correctly with a local account, but that's certainly not an expected use case.
Instead, Locksmith should be run in the context of a standard domain user. It's only been tested on domain-joined Windows machines, but I believe it should be able to work on a standalone computer if you use the -Credential switch.
Hello @rafalfitt ! Can you provide the full command you used when generating this issue?
Hello @TrimarcJake
. "C:\Users\Administrator.xxx\Desktop\Invoke-Locksmith.ps1" -Mode 1
This error (and #10) is reported when using an RDP connection with "Restricted Admin" mode enabled.
Same.
You cannot call a method on a null-valued expression.
At ----------------\Invoke-Locksmith.ps1:363 char
+ $Issue | Add-Member -MemberType NoteProperty -Name Forest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
PowerShell 7 is a bit more verbose
Success Restart Needed Exit Code Feature Result
True No NoChangeNeeded {}
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
InvalidOperation: ------- \Invoke-Locksmith.ps1:363
Line |
363 | $Issue | Add-Member -MemberType NoteProperty -Name Forest .
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.
@appelboom are you using Restricted admin mode also?
> Restricted admin mode
Yes, Enabled. If I set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin=1 it runs fine
This is in our next sprint!
The solution we are considering for this issue is to prompt for credentials at the beginning of the script... but that sort of ruins the point of using Restricted Admin mode. However, we'd be willing to institute this change with a very strongly worded warning + confirmation required.
Would you consider this issue resolved with this solution?
Yes, warning is OK + IMHO it is enough in such situation.
Yep, same issue. Restricted admin mode doesn't allow credentials to be passed, so those AD cmdlets fail. #16 should fix this
@0x11DFE @rafalfitt @appelboom
The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?
> @0x11DFE @rafalfitt @appelboom
> The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?
I just tried and I am having the same exact issue.
@0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the -Credential argument with domain\username as a value.
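The behaviour the maintainers describe in this thread (detect Restricted Admin mode through the DisableRestrictedAdmin value, refuse to proceed silently, and only call the AD cmdlets with an explicit -Credential after a warning and confirmation) looks roughly like the following. This is an added example written for this thread, not the code in Locksmith's testing branch; the function names Test-RestrictedAdminMode and Get-ADForestSafely are invented here, and the registry check is an assumption about machine policy: it tells you the host accepts Restricted Admin RDP logons, not that the current session was actually started with /restrictedAdmin.

```powershell
# Added example (not Locksmith's own code): detect Restricted Admin mode from the
# registry value named in this thread and fall back to explicit credentials.
function Test-RestrictedAdminMode {
    [CmdletBinding()]
    param()
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaPath -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    # Assumption: Restricted Admin is usable only when the value exists and is 0;
    # an absent value or 1 means it is off (the thread reports that 1 makes Locksmith work).
    if ($null -eq $item) { return $false }
    return ($item.DisableRestrictedAdmin -eq 0)
}

function Get-ADForestSafely {
    [CmdletBinding()]
    param(
        # Domain account as domain\username; required in a Restricted Admin session.
        [System.Management.Automation.PSCredential]$Credential,
        # Optional DC to target; useful from a standalone (non-domain-joined) host.
        [string]$Server
    )

    if (-not $Credential -and (Test-RestrictedAdminMode)) {
        # In Restricted Admin mode the logon token carries no reusable credentials, so
        # network logons to the DC fail and every Get-AD* call errors out, as seen above.
        Write-Warning 'Restricted Admin mode is enabled on this host; AD cmdlets cannot authenticate from this session.'
        Write-Warning 'Prompting for a credential puts a reusable credential back into a session that was meant to have none.'
        $answer = Read-Host 'Type YES to be prompted for domain\username credentials, anything else to abort'
        if ($answer -ne 'YES') {
            throw 'Aborted. Run again and pass -Credential (domain\username).'
        }
        $Credential = Get-Credential -Message 'Domain account for AD CS enumeration (domain\username)'
    }

    # Build the splat only from parameters we actually have, so the non-Restricted-Admin
    # path still uses the caller''s own token.
    $params = @{ ErrorAction = 'Stop' }
    if ($Credential) { $params['Credential'] = $Credential }
    if ($Server)     { $params['Server']     = $Server }

    try {
        return Get-ADForest @params
    }
    catch {
        throw "Get-ADForest failed: $($_.Exception.Message)"
    }
}

# Usage: the same pattern applies to Get-ADDomain / Get-ADObject, which the script
# calls next and which fail with null arguments once the forest lookup returns nothing.
$forest = Get-ADForestSafely
"Forest: $($forest.Name), root domain: $($forest.RootDomain)"
```

Resolving the forest up front and failing hard matters because, as the PowerShell 7 output above shows, a silent null from Get-ADForest cascades into "argument is null" errors on every later Get-ADObject and Add-Member call at line 363; one explicit failure at the first lookup is far easier to triage than that wall of output.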
@0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.
> @0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.
I am.
> @0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the -Credential argument with domain\username as a value.
I don't have any passwords on this computer.
PS C:\Users\***\Desktop> .\Invoke-Locksmith.ps1
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:75 char:22
+ $DNSRoot = [string]((Get-ADForest).RootDomain | Get-ADDomain).DNSRoot
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:76 char:35
+ $EnterpriseAdminsSID = ([string]((Get-ADForest).RootDomain | Get-ADDo ...
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
New-Object : A constructor was not found. Cannot find an appropriate constructor for type
System.Security.Principal.SecurityIdentifier.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:77 char:19
+ ... rredOwner = New-Object System.Security.Principal.SecurityIdentifier($ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:114 char:25
+ $Targets = (Get-ADForest).Name
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Install-WindowsFeature : The term 'Install-WindowsFeature' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:632 char:5
+ Install-WindowsFeature -Name RSAT-AD-PowerShell
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Install-WindowsFeature:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Gathering AD CS Objects from ...
Get-ADCSObject : Cannot bind argument to parameter 'Targets' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:646 char:44
+ $ADCSObjects = Get-ADCSObject -Targets $Targets
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-ADCSObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-ADCSObject
Set-AdditionalCAProperty : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:647 char:43
+ Set-AdditionalCAProperty -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-AdditionalCAProperty], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Set-AdditionalCAProperty
Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:648 char:51
+ $ADCSObjects += Get-CAHostObject -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject
Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:649 char:46
+ $CAHosts = Get-CAHostObject -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject
The property 'Name' cannot be found on this object. Verify that the property exists.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:650 char:33
+ $CAHosts | ForEach-Object { $SafeUsers += '|' + $_.Name }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Identifying auditing issues...
Find-AuditingIssue : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:656 char:58
+ [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-AuditingIssue], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-AuditingIssue
Identifying AD CS templates with dangerous configurations...
Find-ESC1 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:661 char:39
+ [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC1], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC1
Find-ESC2 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:662 char:39
+ [array]$ESC2 = Find-ESC2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC2], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC2
Identifying AD CS template and other objects with poor access control...
Find-ESC4 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:667 char:39
+ [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC4], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC4
Find-ESC5 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:668 char:39
+ [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC5], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC5
Find-ESC6 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:669 char:39
+ [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC6], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC6
Didn't do it
Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like Get-ADForest and certutil.exe -ping <ADCS server>.
> Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like Get-ADForest and certutil.exe -ping <ADCS server>.
I am testing it on my local system account. Am I not supposed to?