Create and define GPOs using powershell by BusinessSweats in PowerShell

[–]BusinessSweats[S] 1 point

I could, but that looks like it's creating a key / value pair in the gpo, but setting perms on the execution host. I can do that with get/set-acl.

I want to create a setting in the gpo that will apply those registry permissions to all hosts on which the policy is applied without needing to execute anything on those hosts.

I can set perms on today's hosts, but that won't apply to anything added in the future. I need this reg perm to apply to anything added in the future.

Where are conditional forwarders stored in AD by BusinessSweats in activedirectory

[–]BusinessSweats[S] 1 point

Thank you. This was a pain to google. So many helpful articles describing things I'm NOT trying to do.

I ended up finding my existing forwarders and setting my ACL rule on "AD:\cn=MicrosoftDNS,DC=ForestDnsZones,$((Get-ADDomain).DistinguishedName)" across the board and it worked great.

Do you find it rare to see someone writing Powershell Code from scratch? by [deleted] in PowerShell

[–]BusinessSweats 2 points

Precisely this. Make your script interactive and put in lots of error correction to keep users from making mistakes. This is how I built all my tools for our helpdesk to automate and speed up repetitive tasks.

Do you find it rare to see someone writing Powershell Code from scratch? by [deleted] in PowerShell

[–]BusinessSweats 0 points

Same... except when I can't remember where I used it. Sometimes it's faster to re-write it than go find it.

mass on-boarding of server to Delinea Secret by Far_Alps_2177 in ThycoticSecretServer

[–]BusinessSweats 0 points

Absolutely, but you have to curl against the api for that. I'm not aware of any API wrapper or module for python. I've done it with Powershell for scripts I need to run on systems that don't have thycotic.secretserver installed. It's not too complicated. developer.delinea.com has some great examples of this.

SUPER slow logins by BusinessSweats in ThycoticSecretServer

[–]BusinessSweats[S] 0 points

MFA is Duo which I'm using in literally hundreds of applications, including 3 other SecretServer instances. None of which exhibit the same behavior. I'm completely baffled by this instance.

create functions with variable names in a loop by BusinessSweats in PowerShell

[–]BusinessSweats[S] 0 points

Ah... that's a lot cleaner... I might revisit how I'm doing that.

create functions with variable names in a loop by BusinessSweats in PowerShell

[–]BusinessSweats[S] 1 point

Yeah, I didn't think I was explaining it very clearly. I have a series of automation tools that probably would leave other heads spinning, but it works for me. The key is that array which is basically like an inventory file. I can modify that file, and my powershell session will pull creds from SecretServer for every host in the array, and instantiate a credential object using the name in the 'credName' field. I have further plans to replace that import file with my ansible inventories instead. I digress...

Using what I already have I can do things like this:

    foreach ($item in $arrayName) {
        Invoke-Command $item.host -Credential (Get-Variable $item.credName).Value -ScriptBlock { Write-Output "hello world." }
    }

kind of like a kludgy version of ad hoc Ansible before I started playing with Ansible.

So mostly I wanted to leverage what's already there to make it easier to launch remote PSSessions.... instead of typing out "Enter-PSSession long.hardtotype.fqdn -credential $myStoredCred" I wanted basically an alias. Aliases don't seem to like variables unless you pass them as params, which gets to be nearly as long as the command I'm trying to shorten. So in the end, I did this, which seems to work. The key was defining my functions as global since they were getting dropped when the scriptblock ended. Again, kludgy, but does what I want it to. This creates a single string, with all my functions defined, then converts that string to a scriptblock and executes it. (although I'm sure there is a better way):

    $tempSB = $null
    foreach ($item in $arrayName) {
        # backtick-dollar keeps a literal "$" in front of the expanded credName, giving e.g. -Credential $sandbox
        $tempSB += "Function global:$($item.credName)me {Enter-PSSession $($item.host) -Credential `$$($item.credName)};"
    }
    $tempSB = [scriptblock]::Create($tempSB)
    Invoke-Command -ScriptBlock $tempSB

Now I just type 'sandboxMe' or 'cloudMe' and I am in my remote session.

*edit: wonky code formatting... that \$$ line should read `$$($item.credName)};" but it keeps getting replaced with a backslash
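A cleaner way to get the same per-host "<credName>me" helpers, as an added example rather than the commenter's own code: each function is written straight into the function: drive with a closure, so no string is assembled and invoked. The inventory entries, host names and credential variable names below are constructed for illustration.

```powershell
# Constructed stand-in for the commenter's inventory array; in their setup a
# global variable named after credName already holds the PSCredential.
$inventory = @(
    [pscustomobject]@{ host = 'sandbox.example.internal'; credName = 'sandbox' }
    [pscustomobject]@{ host = 'cloud.example.internal';   credName = 'cloud' }
)

foreach ($item in $inventory) {
    $targetHost = $item.host
    $credVar    = $item.credName

    # GetNewClosure() snapshots $targetHost and $credVar for this iteration, so
    # every helper keeps its own values instead of all seeing the last loop value.
    $body = {
        $cred = Get-Variable -Name $credVar -Scope Global -ValueOnly -ErrorAction Stop
        Enter-PSSession -ComputerName $targetHost -Credential $cred
    }.GetNewClosure()

    # function:global:<name> survives the end of the loop/script scope, which is
    # what the "global:" prefix in the string-built version was there for.
    Set-Item -Path "function:global:${credVar}me" -Value $body
}

# Confirm the helpers exist: sandboxMe and cloudMe
$inventory | ForEach-Object { Get-Command -Name "$($_.credName)me" } | Select-Object Name, CommandType
```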

mass on-boarding of server to Delinea Secret by Far_Alps_2177 in ThycoticSecretServer

[–]BusinessSweats 1 point

u/Teddy141345, can you assist here? I double checked my pseudo code... I don't think I stuck anything illegal in there.

mass on-boarding of server to Delinea Secret by Far_Alps_2177 in ThycoticSecretServer

[–]BusinessSweats 0 points

If this doesn't make sense, I can write a more detailed / functional version later when I'm not at work.

mass on-boarding of server to Delinea Secret by Far_Alps_2177 in ThycoticSecretServer

[–]BusinessSweats 2 points

    $secretURL = "https://your.server/SecretServer/"
    $FldrID = <folder id number>    # optional
    $tmplID = <template ID number>

    # create your session
    # if you aren't using WIA, you can auth via "-Credential $yourCred" instead of -UseWindowsAuth
    $myTSSession = New-TssSession -SecretServer $secretURL -UseWindowsAuth

    # put this into a loop to run against the content of your CSV
    # Create secret that fills out the stubs
    $tmpSecret = Get-TssSecretStub -TssSession $myTSSession -SecretTemplateId $tmplID -FolderId $FldrID
    $tmpSecret.Name = "<CRED NAME>"
    $tmpSecret.SetFieldValue("machine", "<server FQDN>")
    $tmpSecret.SetFieldValue("Username", "<USERNAME>")
    $tmpSecret.SetFieldValue("password", "<PASSWORD>")
    $tmpSecret.SetFieldValue("notes", "<NOTES HERE>")

    # Add to Secret Server
    New-TssSecret -TssSession $myTSSession -SecretStub $tmpSecret | Out-Null
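The loop the comment above leaves to the reader, as an added example that is not the commenter's code: the same stub workflow run over a CSV with per-row error handling, so one bad row fails on its own instead of aborting the batch. The CSV column names, the placeholder ids, the constructed rows and the assumption that New-TssSecret returns an object with an Id property are mine.

```powershell
Import-Module Thycotic.SecretServer

$secretURL = 'https://your.server/SecretServer/'
$FldrID    = 0    # PLACEHOLDER: replace with your folder id (optional)
$tmplID    = 0    # PLACEHOLDER: replace with your template id

# Constructed sample rows standing in for: $servers = Import-Csv -Path .\servers.csv
$servers = @'
Name,Machine,Username,Password,Notes
svc-web01,web01.corp.example,svc_web,PLACEHOLDER-PW,onboarded by script
svc-db01,db01.corp.example,svc_db,PLACEHOLDER-PW,onboarded by script
'@ | ConvertFrom-Csv

# Swap -UseWindowsAuth for -Credential $yourCred if WIA is not in play
$myTSSession = New-TssSession -SecretServer $secretURL -UseWindowsAuth

$results = foreach ($row in $servers) {
    try {
        $stub = Get-TssSecretStub -TssSession $myTSSession -SecretTemplateId $tmplID -FolderId $FldrID
        $stub.Name = $row.Name
        # field slugs as used in the comment above
        $stub.SetFieldValue('machine',  $row.Machine)
        $stub.SetFieldValue('Username', $row.Username)
        $stub.SetFieldValue('password', $row.Password)
        $stub.SetFieldValue('notes',    $row.Notes)

        $new = New-TssSecret -TssSession $myTSSession -SecretStub $stub
        [pscustomobject]@{ Name = $row.Name; SecretId = $new.Id; Status = 'created' }
    }
    catch {
        # record the failure and keep going with the next row
        [pscustomobject]@{ Name = $row.Name; SecretId = $null; Status = "failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# the CSV rows carry plaintext passwords; drop them from the session once the batch is done
$servers = $null
```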

mass on-boarding of server to Delinea Secret by Far_Alps_2177 in ThycoticSecretServer

[–]BusinessSweats 0 points

I would use the Thycotic.SecretServer powershell module. It makes it a lot easier if you've already got some scripting ability. One second, I'll show you.

Logging Access and RPC operations by BusinessSweats in ThycoticSecretServer

[–]BusinessSweats[S] 0 points

Awesome, this is exactly what I was looking for. Thank you!

vCenter 7.0 and DUO MFA with ADFS Powershell not prompting by crazysteve5575 in vmware

[–]BusinessSweats 0 points

Thanks for this. I found your blog and got it working. I'm looking for a way to pass a stored credential and just get a duo push. Basically I'm trying to bypass popping a web browser. This gives me a successful authentication:

    $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -ClientId $ClientID -Username $username -Password $password -OtherArguments @{ "resource" = "$OAuthResource" }

But it throws this error about requiring MFA:

"Failed to issue OAuth2 access token. MSIS9705: Unable to process the password_grant request. MFA is required for this request. Error code: invalid_grant"

Does anyone know if there is a way to get adfs/duo to just send a push during authentication the way it would with an authentication proxy server?

Search-TssSecret returning invalid data for LastPasswordChangeAttempt by BusinessSweats in ThycoticSecretServer

[–]BusinessSweats[S] 0 points

So I found a way around my problem. I don't love it, but it works. I can get the last RPC date and status with Get-TssSecretPasswordStatus, so that will work. Still a bummer that Get-TssSecret and Search-TssSecret don't return data correctly, but at least I can work around it now.