Thursday, 19 September 2013

Hacking Active Directory

So here's the deal. I've been given the task of automating the creation of objects in Active Directory from outside the domain.

Being someone with a programming background I thought perhaps PowerShell was the way to go. As it turns out, the ActiveDirectory PowerShell module is installed when you make a Windows 2008 server into a domain controller by adding the 'Active Directory Domain Services' role.

Ok, so that's fine if you are running a script on the domain controller itself, but it doesn't solve the problem of running from another machine.

Further research turned up Active Directory Web Services (ADWS), which exposes that PowerShell functionality over the network. These web services, whilst adhering to normal web service standards, are not meant to be consumed by a web application via their WSDLs but by the ActiveDirectory PowerShell module.

This web service is installed by default in the same way the PowerShell module is, and it listens on TCP port 9389. This gave me a nice simple test to see whether it was running on a given domain controller.

A simple command you can run with the PowerShell cmdlets is:

PS > Get-ADOrganizationalUnit -filter 'name -like "*"'

If you do not specify anything else, it will try to communicate with the ADWS on a domain controller in the same domain as the machine that is executing PowerShell. For a lot of use cases this is what you want and is quite the expected behaviour.

For me, I wanted to run this from a more distant machine. You can specify which domain controller to query using the -Server parameter. At this point you will also have to supply credentials for the target domain using the -Credential parameter.

A guide to creating credentials for non-interactive scripts can be found here.

PS > Get-ADOrganizationalUnit -filter 'name -like "*"' -Credential $mycreds -server <servername>

Using this simple set of tools I can now manipulate Active Directory from outside the domain (given suitable credentials) and automate regular tasks like adding or deleting users or OUs.
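Putting the pieces above together, here is an added example script (not code from the original post) that checks whether ADWS is listening on port 9389, loads a stored credential for non-interactive use, and then queries and creates objects on a remote domain controller. The server name, domain DN, OU name, account name and credential file path are all assumed placeholders; replace them for your own environment.

```powershell
# Added example, not from the original post. All names below are placeholders.
Import-Module ActiveDirectory

$Dc       = 'dc01.example.local'            # assumed domain controller name
$DomainDn = 'DC=example,DC=local'           # assumed domain distinguished name
$OuName   = 'Automation'                    # assumed OU to create
$CredFile = "$env:USERPROFILE\adws-cred.xml" # assumed location of the stored credential

# ADWS listens on TCP 9389. A plain TCP connect with a timeout works on
# older hosts where Test-NetConnection is not available.
function Test-AdwsPort {
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Non-interactive credential handling: Export-Clixml protects the password
# with DPAPI, so the file is only readable by the same user on the same machine.
# Run once interactively:  Get-Credential | Export-Clixml $CredFile
function Get-StoredCredential {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        throw "Credential file '$Path' not found. Create it with: Get-Credential | Export-Clixml '$Path'"
    }
    return Import-Clixml -Path $Path
}

# Create the OU only if it does not already exist, so the script is safe to re-run.
function Ensure-AdOu {
    param([string]$Name, [string]$ParentDn, [string]$Server, [pscredential]$Credential)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn `
        -SearchScope OneLevel -Server $Server -Credential $Credential
    if ($existing) { return $existing }
    return New-ADOrganizationalUnit -Name $Name -Path $ParentDn -Server $Server `
        -Credential $Credential -PassThru
}

# Create a user in the OU; created disabled so it can be reviewed before use.
function Ensure-AdUser {
    param([string]$SamAccountName, [string]$OuDn, [string]$Server, [pscredential]$Credential)
    $existing = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $Server `
        -Credential $Credential
    if ($existing) { return $existing }
    return New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $OuDn `
        -Enabled $false -Server $Server -Credential $Credential -PassThru
}

if (-not (Test-AdwsPort -ComputerName $Dc)) {
    throw "ADWS is not reachable on ${Dc}:9389 - check that the service is running and the port is open."
}

$cred = Get-StoredCredential -Path $CredFile

# The same query as in the post, pointed at the remote domain controller.
Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Server $Dc -Credential $cred |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize

$ou   = Ensure-AdOu   -Name $OuName -ParentDn $DomainDn -Server $Dc -Credential $cred
$user = Ensure-AdUser -SamAccountName 'svc-example' -OuDn $ou.DistinguishedName -Server $Dc -Credential $cred
Write-Output "OU: $($ou.DistinguishedName)"
Write-Output "User: $($user.DistinguishedName) (enabled: $($user.Enabled))"
```

The credential file is tied to the user account and machine that created it, so the scheduled task or service running the script must be the same account that ran the one-off `Export-Clixml`. The port check also serves as a quick way to tell a firewall or stopped-service problem apart from a permissions problem when a cmdlet fails.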

Hopefully this has been helpful to some.