PS Scripts for authenticating to LDAP using x509 client certificate

ADSIx509

Author: Ville Koch (@vegvisir87, https://github.com/ville87)
Version: v1.2 (23/10/2024)

Warning

These scripts were made for testing purposes in an Active Directory domain.
It is not advised to use this in a production environment!

ADSI_AddUser_X509.ps1

The script ADSI_AddUser_X509.ps1 uses x509 certificate-based authentication against LDAP to create a new user, or take an existing one, and, if specified, add that user as a member of a given group.

  • The user will be enabled after creation (userAccountControl=512).
  • The user's distinguishedName will be built from the given domain name, like: CN=Username,CN=Users,DC=lab,DC=local.
  • When looking for users or groups, the Base DN is currently always the container CN=Users,DC=lab,DC=local.

The certificate based authentication and LDAP_SERVER_WHO_AM_I request were taken from:
https://raw.githubusercontent.com/leechristensen/Random/master/PowerShellScripts/Get-LdapCurrentUser.ps1

TODO:

  • Figure out how System.DirectoryServices.Protocols.SearchRequest has to be set to look in any container / subcontainers / OUs, not just CN=users...
  • Add more error handling
  • Add verbose logging possibility
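The following is an added example and not one of the ADSIx509 scripts. It shows the building blocks the scripts above rely on: a client-certificate (EXTERNAL) bind over LDAPS with System.DirectoryServices.Protocols, the LDAP_SERVER_WHO_AM_I check to confirm which identity the DC actually mapped the certificate to, and a SearchRequest with Subtree scope, which searches OUs and child containers below the base DN rather than only CN=Users. The DC hostname, PFX path, base DN and filter are placeholder assumptions.

```powershell
# Added example (not part of ADSIx509). Assumed values: DC FQDN, PFX path, base DN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcHost   = 'dc1.lab.local'        # assumption: domain controller FQDN
$CertPath = 'C:\TEMP\client.pfx'   # assumption: PFX containing the private key
$BaseDn   = 'DC=lab,DC=local'      # domain root, so OUs below it are covered

# Load the client certificate (prompts for the PFX password if it has one)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# LDAPS on 636; the DC's server certificate is validated by default, which is
# the setting you want: it stops a rogue listener from harvesting the bind.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcHost, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::External
$null = $conn.ClientCertificates.Add($cert)
$conn.Bind()

# LDAP_SERVER_WHO_AM_I (OID 1.3.6.1.4.1.4203.1.11.3): the DC returns the
# identity the certificate was mapped to, e.g. "u:LAB\someuser". Check this
# before relying on the session; a wrong mapping is a configuration finding.
$whoReq  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
$whoResp = $conn.SendRequest($whoReq)
$boundAs = [System.Text.Encoding]::UTF8.GetString($whoResp.ResponseValue)
Write-Host "Bound as: $boundAs"

# Subtree scope walks every OU/container under $BaseDn. Filter: enabled computers
# (bit 2 of userAccountControl clear), same LDAP matching rule as in the README.
$filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $BaseDn, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('sAMAccountName', 'distinguishedName', 'operatingSystem'))
$result = $conn.SendRequest($search)

foreach ($entry in $result.Entries) {
    $os = if ($entry.Attributes['operatingSystem']) { $entry.Attributes['operatingSystem'][0] } else { '' }
    Write-Host ("{0,-20} {1,-30} {2}" -f $entry.Attributes['sAMAccountName'][0], $os, $entry.DistinguishedName)
}
$conn.Dispose()
```

SearchScope.OneLevel or SearchScope.Base can be substituted where a narrower search is wanted; the rest of the code stays the same.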

Examples

Create a new user and add it to the Domain Admins group:

.\ADSI_AddUser_X509.ps1 -CertPath "C:\TEMP\domadmin.pfx" -domain lab.local -DCIP 10.0.0.4 -CreateUser Y -samAccountName baduser1 -givenName Hans -sn Landa -AddToGroup Y -groupName "Domain Admins"

Take an existing user and add it to the Domain Admins group:

.\ADSI_AddUser_X509.ps1 -CertPath C:\TEMP\domadmin.pfx -domain lab.local -DCIP 10.0.0.4 -CreateUser N -samAccountName someuser1 -AddToGroup Y -groupName "Domain Admins"

Only create a new user:

.\ADSI_AddUser_X509.ps1 -CertPath C:\TEMP\domadmin.pfx -domain lab.local -DCIP 10.0.0.4 -CreateUser Y -samAccountName anotheruser1 -givenName Mister -sn Blonde -AddToGroup N

ADSI_ReadLDAP_X509.ps1

The script uses x509 certificate-based authentication against LDAP to read LDAP properties. Note: some properties are not returned in a human-readable format. This is still work in progress...

Examples

List properties of enabled computers in specific OU:

.\ADSI_ReadLDAP_X509.ps1 -CertPath "C:\Users\jdoe\Desktop\rplant.pfx" -domain lab.local -DCIP 10.0.0.4 -LDAPFilter "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))((ms-mcs-admpwdexpirationtime=*)))" -DistinguishedName "OU=Workstations,DC=lab,DC=local"

ADSI_GetCARootCert_X509.ps1

This script gets the LDAP property "caCertificate" from a target domain controller and exports it as an x509 certificate.

Examples

Get the Root CA certificate via LDAP and export it as a cer file:

.\ADSI_GetCARootCert_X509.ps1 -domain lab.local -dc dc1.lab.local -CertExportPath C:\users\jdoe\Desktop
