
Comments (21)

techspence avatar techspence commented on May 29, 2024 1

If you look at the first error message in your output, it would appear as though you do not have RSAT tools installed.

It also looks like you're running this from a non-server os since you're also getting this error message

Locksmith currently only supports installing the RSAT AD PowerShell cmdlets via the server-only Install-WindowsFeature cmdlet. For Windows 10, if you wanted to install ALL RSAT features, you could use this command:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

Or if you just want the ActiveDirectory PowerShell cmdlets, this should work:

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

After you've installed the appropriate PowerShell cmdlets, be sure to use the testing branch and try to run Locksmith again. Please let us know if that resolves your issue.

from locksmith.
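The two install paths above (Install-WindowsFeature on Windows Server, Add-WindowsCapability on Windows 10/11) can be folded into one helper that picks the right one for the host and then verifies the module actually landed. This is an added example and not Locksmith's own code; the capability name is the one quoted in the comment above, and the function name Install-ADPowerShellModule is made up for the example.

```powershell
function Install-ADPowerShellModule {
    <#
      Installs the ActiveDirectory PowerShell module (part of RSAT) using the
      mechanism that exists on this host, then re-checks that the module is
      importable. Returns $true on success. Example helper, not part of Locksmith.
    #>
    [CmdletBinding()]
    param(
        # Feature-on-Demand name for the AD DS/LDS tools on Windows 10/11
        [string]$ClientCapability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    )

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Write-Verbose 'ActiveDirectory module already present.'
        return $true
    }

    # Both install paths need an elevated session; fail early with a clear message
    # instead of a CommandNotFound or access-denied error halfway through.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Installing RSAT requires an elevated (Run as administrator) session.'
        return $false
    }

    # Win32_OperatingSystem.ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

    if ($productType -eq 1) {
        # Client OS: RSAT is a Feature on Demand. Install-WindowsFeature does not exist here,
        # which is exactly the "not recognized" error seen later in this thread.
        $cap = Get-WindowsCapability -Online -Name $ClientCapability
        if ($cap.State -ne 'Installed') {
            # Needs Windows Update reachability or a configured FoD source (WSUS / policy).
            $cap | Add-WindowsCapability -Online | Out-Null
        }
    }
    else {
        # Server OS: the AD module ships as the RSAT-AD-PowerShell feature.
        Import-Module ServerManager -ErrorAction Stop
        $result = Install-WindowsFeature -Name RSAT-AD-PowerShell
        if (-not $result.Success) {
            Write-Warning "Install-WindowsFeature failed with exit code $($result.ExitCode)."
            return $false
        }
    }

    # Re-check instead of trusting the installer's return value.
    return [bool](Get-Module -ListAvailable -Name ActiveDirectory)
}

# Usage:
# if (Install-ADPowerShellModule -Verbose) { Import-Module ActiveDirectory }
```

The final Get-Module check matters more than the installer's status: on a client OS Add-WindowsCapability can succeed on a stale FoD source and still leave you without the module, and that is the state that produces the cascade of null-argument errors later in this thread.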

TrimarcJake avatar TrimarcJake commented on May 29, 2024 1

I am testing it on my local system account. Am I not supposed to?

Running Locksmith as a local account will not work in a properly configured Active Directory. Part of hardening AD is removing anonymous access to the directory. In very old AD environments that needed compatibility with NT4 domains, it may work correctly with a local account, but that's certainly not an expected use case.

Instead, Locksmith should be run in the context of a standard domain user. It's only been tested on domain-joined Windows machines, but I believe it should be able to work on a standalone computer if you use the -Credential switch.


TrimarcJake avatar TrimarcJake commented on May 29, 2024

Hello @rafalfitt ! Can you provide the full command you used when generating this issue?


rafalfitt avatar rafalfitt commented on May 29, 2024

Hello @TrimarcJake

. "C:\Users\Administrator.xxx\Desktop\Invoke-Locksmith.ps1" -Mode 1

This error (and #10) is reported when using an RDP connection with "Restricted Admin" mode enabled.


appelboom avatar appelboom commented on May 29, 2024

Same.

You cannot call a method on a null-valued expression.
At ----------------\Invoke-Locksmith.ps1:363 char
+         $Issue | Add-Member -MemberType NoteProperty -Name Forest
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

PowerShell 7 is a bit more verbose

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             NoChangeNeeded {}
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
InvalidOperation: ------- \Invoke-Locksmith.ps1:363
Line |
 363 |         $Issue | Add-Member -MemberType NoteProperty -Name Forest .
     |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.


TrimarcJake avatar TrimarcJake commented on May 29, 2024

@appelboom are you using Restricted admin mode also?


appelboom avatar appelboom commented on May 29, 2024

Restricted admin mode

Yes, Enabled. If I set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin=1 it runs fine


TrimarcJake avatar TrimarcJake commented on May 29, 2024

This is in our next sprint!


TrimarcJake avatar TrimarcJake commented on May 29, 2024

@appelboom @rafalfitt

The solution we are considering for this issue is to prompt for credentials at the beginning of the script... but that sort of ruins the point of using Restricted Admin mode. However, we'd be willing to institute this change with a very strongly worded warning + confirmation required.

Would you consider this issue resolved with this solution?



rafalfitt avatar rafalfitt commented on May 29, 2024

Yes, a warning is OK + IMHO it is enough in such a situation.


0x11DFE avatar 0x11DFE commented on May 29, 2024

Is this the same issue?


techspence avatar techspence commented on May 29, 2024

Is this the same issue?

Yep, same issue. Restricted admin mode doesn't allow credentials to be passed, so those AD cmdlets fail. #16 should fix this


TrimarcJake avatar TrimarcJake commented on May 29, 2024

@0x11DFE @rafalfitt @appelboom

The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?


0x11DFE avatar 0x11DFE commented on May 29, 2024

@0x11DFE @rafalfitt @appelboom

The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?


I just tried and I am having the same exact issue.


techspence avatar techspence commented on May 29, 2024

@0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the -Credential argument with domain\username as a value.

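The behaviour discussed in the last few comments (AD cmdlets failing under Restricted Admin RDP unless a credential is passed, and the trade-off of prompting for one) can be made explicit in a small pre-check. In a Restricted Admin session the logon token on the RDP target carries no reusable network credential, so implicit Kerberos/NTLM authentication to the domain fails; supplying a credential fixes the lookups but puts the very secret the mode was protecting back onto that host. The code below is an added example, not Locksmith's implementation: the function name Get-LocksmithCredentialContext and its -Force switch are invented for the example, and the DisableRestrictedAdmin registry value is the one appelboom quoted above.

```powershell
function Get-LocksmithCredentialContext {
    <#
      Works out how AD cmdlets should authenticate in this session and forces a
      conscious decision before a credential is typed into a Restricted Admin host.
      Example code, not part of Locksmith.
    #>
    [CmdletBinding()]
    param(
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$Force   # skip the YES confirmation (for scripted runs that accept the risk)
    )

    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module is not installed; install RSAT first.'
    }

    # If implicit authentication works, nothing else is needed.
    try {
        $null = Get-ADForest -ErrorAction Stop
        return [pscustomobject]@{ Mode = 'Implicit'; Credential = $null }
    }
    catch {
        $reason = $_.Exception.Message
    }

    if ($Credential) {
        return [pscustomobject]@{ Mode = 'Explicit'; Credential = $Credential }
    }

    # DisableRestrictedAdmin: 0 = this host accepts Restricted Admin RDP logons,
    # 1 or missing = disabled. It is a host-level switch, so it only tells us that
    # the current session *may* be a Restricted Admin session; the failed
    # Get-ADForest above is the actual symptom.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $restrictedAdminAllowed = ($null -ne $lsa.DisableRestrictedAdmin) -and ($lsa.DisableRestrictedAdmin -eq 0)

    if ($restrictedAdminAllowed) {
        Write-Warning 'Implicit AD authentication failed and this host allows Restricted Admin RDP.'
        Write-Warning 'Entering a domain credential here places that secret on this host and defeats Restricted Admin mode.'
        Write-Warning 'Preferred: re-run with -Credential DOMAIN\user from a host you trust with that credential.'
        if (-not $Force) {
            $answer = Read-Host 'Type YES to enter a domain credential on this host anyway'
            if ($answer -ne 'YES') { throw 'Aborted: no credential supplied.' }
        }
        $cred = Get-Credential -Message 'Domain account for AD CS enumeration'
        return [pscustomobject]@{ Mode = 'Explicit'; Credential = $cred }
    }

    throw "AD lookup failed and Restricted Admin is not enabled on this host: $reason"
}

# Usage: splat the chosen credential into every AD cmdlet call so none falls back
# to the (credential-less) session token.
# $ctx = Get-LocksmithCredentialContext
# $adParams = @{}
# if ($ctx.Credential) { $adParams['Credential'] = $ctx.Credential }
# $forest = Get-ADForest @adParams
```

The splatting pattern at the end is the part that actually matters for a tool like this: one Get-ADObject call that forgets @adParams will still run under the session token and fail with the same null-argument errors, which is why the earlier comment says the fix has to be applied to "those AD cmdlets" collectively rather than to the first call only.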

TrimarcJake avatar TrimarcJake commented on May 29, 2024

@0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.


0x11DFE avatar 0x11DFE commented on May 29, 2024

@0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.

I am.

@0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the -Credential argument with domain\username as a value.

I don't have any passwords on this computer.

PS C:\Users\***\Desktop> .\Invoke-Locksmith.ps1
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:75 char:22
+ $DNSRoot = [string]((Get-ADForest).RootDomain | Get-ADDomain).DNSRoot
+                      ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:76 char:35
+ $EnterpriseAdminsSID = ([string]((Get-ADForest).RootDomain | Get-ADDo ...
+                                   ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

New-Object : A constructor was not found. Cannot find an appropriate constructor for type
System.Security.Principal.SecurityIdentifier.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:77 char:19
+ ... rredOwner = New-Object System.Security.Principal.SecurityIdentifier($ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand


Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:114 char:25
+             $Targets = (Get-ADForest).Name
+                         ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Install-WindowsFeature : The term 'Install-WindowsFeature' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:632 char:5
+     Install-WindowsFeature -Name RSAT-AD-PowerShell
+     ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Install-WindowsFeature:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException


Gathering AD CS Objects from ...
Get-ADCSObject : Cannot bind argument to parameter 'Targets' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:646 char:44
+     $ADCSObjects = Get-ADCSObject -Targets $Targets
+                                            ~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADCSObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-ADCSObject

Set-AdditionalCAProperty : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:647 char:43
+     Set-AdditionalCAProperty -ADCSObjects $ADCSObjects
+                                           ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-AdditionalCAProperty], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Set-AdditionalCAProperty

Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:648 char:51
+     $ADCSObjects += Get-CAHostObject -ADCSObjects $ADCSObjects
+                                                   ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject

Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:649 char:46
+     $CAHosts = Get-CAHostObject -ADCSObjects $ADCSObjects
+                                              ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject

The property 'Name' cannot be found on this object. Verify that the property exists.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:650 char:33
+     $CAHosts | ForEach-Object { $SafeUsers += '|' + $_.Name }
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict


Identifying auditing issues...
Find-AuditingIssue : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:656 char:58
+ [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
+                                                          ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-AuditingIssue], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-AuditingIssue


Identifying AD CS templates with dangerous configurations...
Find-ESC1 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:661 char:39
+ [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+                                       ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-ESC1], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC1

Find-ESC2 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:662 char:39
+ [array]$ESC2 = Find-ESC2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+                                       ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-ESC2], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC2


Identifying AD CS template and other objects with poor access control...
Find-ESC4 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:667 char:39
+ [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+                                       ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-ESC4], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC4

Find-ESC5 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:668 char:39
+ [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+                                       ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-ESC5], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC5

Find-ESC6 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:669 char:39
+ [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
+                                       ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Find-ESC6], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC6


0x11DFE avatar 0x11DFE commented on May 29, 2024


Didn't do it.


techspence avatar techspence commented on May 29, 2024

Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like: Get-ADForest and certutil.exe -ping <ADCS server>.

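The troubleshooting order suggested in the comment above (domain account first, then Get-ADForest, then certutil -ping against the CA) can be run as one preflight that reports each result separately, which is more useful than the wall of null-parameter errors in the long output earlier. This is an added example and not part of Locksmith; the function name Test-LocksmithPreflight is invented, and when no -CAConfig is given it discovers enterprise CAs from the Enrollment Services container in the configuration partition.

```powershell
function Test-LocksmithPreflight {
    <#
      Checks, in order, the things a failing run usually comes down to:
      1. running as a domain account (a local account has no identity in AD),
      2. the ActiveDirectory module is importable,
      3. Get-ADForest answers (LDAP reachability and usable credentials),
      4. each enterprise CA answers certutil -ping (the ICertRequest RPC interface).
      Added example, not Locksmith's code. Assumes certutil.exe is on PATH.
    #>
    [CmdletBinding()]
    param(
        # CA config strings in 'host\CA name' form, e.g. 'ca01.corp.example\corp-CA01-CA'.
        # Discovered from AD when omitted.
        [string[]]$CAConfig
    )
    $results = [ordered]@{}

    # For a local account USERDOMAIN equals COMPUTERNAME and USERDNSDOMAIN is unset.
    $results['DomainAccount'] = ($env:USERDOMAIN -ne $env:COMPUTERNAME) -and [bool]$env:USERDNSDOMAIN

    $results['ADModule'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    if (-not $results['ADModule']) { return [pscustomobject]$results }

    try {
        $forest = Get-ADForest -ErrorAction Stop
        $results['ADForest'] = $forest.Name
    }
    catch {
        # Typical causes: local account, Restricted Admin session without -Credential, no DC reachable.
        $results['ADForest'] = "FAILED: $($_.Exception.Message)"
        return [pscustomobject]$results
    }

    if (-not $CAConfig) {
        # Every enterprise CA registers a pKIEnrollmentService object here; its
        # dNSHostName and CN together form the config string certutil expects.
        $cfgNC = (Get-ADRootDSE).configurationNamingContext
        $base  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
        $CAConfig = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
            ForEach-Object { "$($_.dNSHostName)\$($_.Name)" }
    }

    foreach ($config in $CAConfig) {
        # certutil -ping talks to the CA over DCOM/RPC, not LDAP, so it can fail
        # (firewall, CA service stopped) even when the AD lookups above succeed.
        $out = & certutil.exe -ping $config 2>&1
        $results["CA:$config"] = if ($LASTEXITCODE -eq 0) { 'OK' } else { [string]($out | Select-Object -Last 1) }
    }
    [pscustomobject]$results
}

# Usage:
# Test-LocksmithPreflight | Format-List
```

A false DomainAccount with a failed ADForest is the situation described in the two comments that follow: the lookups are not broken, they are simply being made by an identity the directory does not know.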

0x11DFE avatar 0x11DFE commented on May 29, 2024

Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like: Get-ADForest and certutil.exe -ping <ADCS server>.

I am testing it on my local system account. Am I not supposed to?

