SharpHoundCommon
Add AddAllowedToAct logic based on User Account Restrictions property set
This property set contains the msDS-AllowedToActOnBehalfOfOtherIdentity
property so if you have write privs on this set you can configure RBCD.
Will add a link to a blog soon with more context.
Blog with context: https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
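An audit-side illustration of the point made in the description above, added here and not part of this pull request or of SharpHoundCommon's code: it parses the SDDL DACL of a computer object and reports allow ACEs that permit writing msDS-AllowedToActOnBehalfOfOtherIdentity, whether directly, through the User Account Restrictions property set, or through write access on all properties. The function names, the `EXPECTED` trustee list and the sample DACL are assumptions made for the example; the two GUIDs are the schema GUIDs of the property set and the attribute.

```python
import re

# Schema GUIDs: the property set named in this pull request and the attribute it contains.
USER_ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"
ALLOWED_TO_ACT = "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"  # msDS-AllowedToActOnBehalfOfOtherIdentity
WRITE_CODES = {"WP", "GW", "GA"}             # SDDL rights that include write-property
WRITE_MASK = 0x20 | 0x40000000 | 0x10000000  # the same rights as a hex access mask
EXPECTED = {"DA", "EA", "SY", "BA"}          # assumption: trustees this audit does not report

def grants_write(rights):
    """True if an SDDL rights field (two-letter codes or hex mask) includes write-property."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(WRITE_CODES & set(re.findall("..", rights)))

def rbcd_writers(sddl, expected=EXPECTED):
    """Return (trustee, reason) for allow ACEs that let a trustee write the RBCD attribute."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or "IO" in re.findall("..", flags):
            continue  # deny ACEs are not evaluated; inherit-only ACEs do not apply here
        if trustee in expected or not grants_write(rights):
            continue
        obj = obj.lower()
        if ace_type == "A" or obj == "":
            findings.append((trustee, "write on all properties"))
        elif obj == USER_ACCOUNT_RESTRICTIONS:
            findings.append((trustee, "write on User Account Restrictions property set"))
        elif obj == ALLOWED_TO_ACT:
            findings.append((trustee, "write on msDS-AllowedToActOnBehalfOfOtherIdentity"))
    return findings

# Constructed DACL of a computer object; the S-1-5-21-... SIDs are made up.
SAMPLE = ("O:DAG:DAD:AI"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
          "(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1104)"
          "(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;AU)"
          "(OA;CIIO;WP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-21-1111-2222-3333-1105)"
          "(A;;0x20;;;S-1-5-21-1111-2222-3333-1106)")

if __name__ == "__main__":
    for trustee, reason in rbcd_writers(SAMPLE):
        print(trustee, "->", reason)
```
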
So after discussing this internally, this is some really cool stuff, but we'd like to extract this into a new edge. This is mainly because it's hard to remediate without additional details that are related to what's actually happening on the backend. Feel free to propose a new edge name, but we love the work.
Microsoft docs being wrong again is always fun
Thanks!
recheck
CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment in the same format as below.
I have read the CLA Document and I hereby sign the CLA
You can retrigger this bot by commenting recheck in this Pull Request
@dirkjanm In an attempt to accept contributions the "right" way and be the best stewards we can be to the FOSS community we have recently published a Contributor License Agreement. Would you please consider reading and signing the CLA linked in the comment above? Thank you!