Proposed New Edge: SyncLAPSPassword #555
Context

The combination of DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set at the root of a domain renders it possible for a principal to perform a directory synchronization (DirSync), and retrieve confidential and RODC filtered attributes, such as LAPS' ms-Mcs-AdmPwd. See technical details here.

Proposed New Edge

Name: SyncLAPSPassword.
Conditions: A principal has both DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set at the root of a domain.
Linked To: All LAPS-enabled computers.

While this does not follow the current way edges for DCSync are drawn, it avoids returning a path when a principal only has one of the two privileges; however, it could lead to missing this edge when a principal can, for instance, add themselves to a group that has the second needed privilege. Despite this, I still believe this is the more desirable way to implement it.

Contributing

If this edge is wanted, and the proposed way to implement it suits you, I can contribute the required changes, but will be waiting for the green light before doing so.

Comments

Hey @simondotsh, thanks for the issue. We're going to discuss this internally and get back to you.

Hey @simondotsh, we've decided to accept this feature. Let me know if you want to contribute the code; otherwise we'll try and roll this into our 4.2 changeset and credit you with the request.

Hi @rvazarkar, I'll give it a go and report back when I have created the pull requests.

Hello @rvazarkar, see the pull requests above for the contribution of this edge.

This is a phenomenal PR. Thanks for the work. We're most likely going to accept it as is and make a few changes on our end to better fit some stuff we're doing for the 4.2 release.

All the necessary changes have been merged into the respective 4.2 branches of the project. I'll close this when we've fully merged.
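The edge condition proposed in the issue (both DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set on the domain root, linked to every LAPS-enabled computer) can be expressed as a small audit routine. The following is an added Python example, not BloodHound or SharpHound code; the ACL entries, group memberships and computer names are constructed sample data, and the two GUIDs are the schema rightsGuid values of the named extended rights. It resolves rights through transitive group membership, so a principal that holds one right directly and the other through a group is flagged; it does not model the case the issue calls out, a principal that could add itself to a group holding the missing right, which is exactly why that case is not covered by a condition-based edge.

```python
# Added example (not BloodHound/SharpHound code): evaluates the proposed
# SyncLAPSPassword condition over a constructed ACL of the domain root.
from dataclasses import dataclass

# Schema rightsGuid values of the two extended rights named in the issue.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REQUIRED = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}


@dataclass(frozen=True)
class Ace:
    """One access-allowed object ACE on the domain root (constructed shape)."""
    trustee: str      # principal or group name
    right_guid: str   # extended-right GUID, lowercase


def expand_groups(principal, member_of):
    """Transitive closure of the principal's group memberships."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def rights_at_root(aces, principal, member_of):
    """Extended rights the principal holds on the root, directly or via groups."""
    trustees = {principal} | expand_groups(principal, member_of)
    return {a.right_guid for a in aces if a.trustee in trustees}


def sync_laps_password_edges(aces, principals, member_of, laps_computers):
    """Map each principal meeting the edge condition to all LAPS-enabled computers."""
    return {
        p: sorted(laps_computers)
        for p in principals
        if REQUIRED <= rights_at_root(aces, p, member_of)
    }


# Constructed sample: domain-root ACL, group memberships and LAPS-enabled hosts.
DOMAIN_ROOT_ACL = [
    Ace("SYNC-SVC", DS_REPLICATION_GET_CHANGES),
    Ace("SYNC-SVC", DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET),
    Ace("HELPDESK", DS_REPLICATION_GET_CHANGES),  # only one of the two rights
    Ace("FILTERED-READERS", DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET),
]
MEMBER_OF = {"ALICE": ["HELPDESK", "FILTERED-READERS"], "BOB": ["HELPDESK"]}
LAPS_COMPUTERS = ["WS01", "WS02"]
PRINCIPALS = ["SYNC-SVC", "HELPDESK", "ALICE", "BOB"]

if __name__ == "__main__":
    edges = sync_laps_password_edges(DOMAIN_ROOT_ACL, PRINCIPALS, MEMBER_OF, LAPS_COMPUTERS)
    for principal, targets in edges.items():
        print(f"{principal} -SyncLAPSPassword-> {targets}")
```

On the sample data, SYNC-SVC (both rights directly) and ALICE (one right via each of two groups) get the edge; HELPDESK and BOB hold only DS-Replication-Get-Changes and do not. BOB illustrates the issue's caveat: if BOB could add himself to FILTERED-READERS, a per-privilege edge model would show that path while the combined condition does not.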