
Audit rules with -AttributeGUID overwrite each other

Open Alef-Burzmali opened this issue 1 year ago • 0 comments

Hello,

Thanks for your script, which saved me from having to delve too deep into SDDL :)

When using the script to set audit rules for "Read Property" on two specific attributes of an AD object with the -AttributeGUID parameter, the script overwrites the first one with the second one instead of adding both.

Using $Acl.AddAuditRule($AuditRuleObject) instead of $Acl.SetAuditRule($AuditRuleObject) on line 272 correctly adds two rules, but I don't know the impact on other use cases.

Example: I want to add an audit rule on the attributes member and memberOf of AdminSDHolder (which is not possible via the GUI because AdminSDHolder is of type container and this type does not have these attributes). These rules will be propagated by SDProp to e.g. Domain Admins (group) or Administrator (user).

> $AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf967991-0de6-11d0-a285-00aa003049e2  # memberOf
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf9679c0-0de6-11d0-a285-00aa003049e2  # member

# At this stage, I would expect to have a rule for bf967991-0de6-11d0-a285-00aa003049e2 and one for bf9679c0-0de6-11d0-a285-00aa003049e2
# but only the rule for bf9679c0-0de6-11d0-a285-00aa003049e2 exists

> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

Instead, when adding the rules with $Acl.AddAuditRule($AuditRuleObject) :

$AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
# -Audit is required so that the SACL (audit rules) is read along with the DACL
$Acl = Get-Acl "ad:\$AdminSDHolder" -Audit

$IdentityReference = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]"NetworkSid", $null)
$Rights = "ReadProperty"
$AuditFlags = "Success","Failure"
# This value is passed as the ActiveDirectorySecurityInheritance argument below
$InheritanceFlags = "None"

# Constructor arguments: identity, rights, audit flags, objectType (the attribute's schemaIDGUID),
# inheritance type, inheritedObjectType (empty GUID = not restricted to a child object class)
$AttributeGUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)   # append; does not touch the existing NETWORK rule

$AttributeGUID = "bf967991-0de6-11d0-a285-00aa003049e2"  # memberOf
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)

# Write the modified SACL back in a single operation
Set-Acl "ad:\$AdminSDHolder" $Acl

# Now both rules exist:

> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

Alef-Burzmali, Aug 28 '23 17:08
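The following is an added example, not code from the Set-AuditRule script or from the issue author. It wraps the AddAuditRule approach shown in the issue into a helper that adds one object-specific audit ACE per attribute GUID, skips any that are already present, commits the SACL once, and returns the explicit audit rules for that identity so the caller can verify that every requested GUID landed. It assumes the ActiveDirectory module's AD: drive, the DC=EXAMPLE path used in the issue, and that the caller holds the privilege needed to read and write SACLs; the function name Add-AttributeAuditRule and its parameters are this example's own, and the two attribute GUIDs are the ones quoted in the issue.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the Set-AuditRule script's own code). Assumes the AD: PSDrive from the
# ActiveDirectory module and a caller allowed to read and write SACLs (SeSecurityPrivilege).

function Add-AttributeAuditRule {
    <#
    .SYNOPSIS
    Adds one object-specific audit ACE per attribute GUID using AddAuditRule, so that
    rules for the same identity accumulate instead of replacing each other (SetAuditRule
    removes the identity's earlier audit ACEs before adding the new one).
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $AdObjectPath,   # e.g. "ad:\CN=AdminSDHolder,CN=System,DC=EXAMPLE"
        [Parameter(Mandatory)] [System.Security.Principal.IdentityReference] $Identity,
        [Parameter(Mandatory)] [guid[]] $AttributeGuid,  # schemaIDGUIDs of the attributes to audit
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'ReadProperty',
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None'
    )

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $sid      = $Identity.Translate($sidType)
    $acl      = Get-Acl -Path $AdObjectPath -Audit              # -Audit pulls the SACL
    $existing = $acl.GetAuditRules($true, $false, $sidType)     # explicit (non-inherited) ACEs only
    $added    = 0

    foreach ($guid in $AttributeGuid) {
        # Guard against re-running: skip an ACE that already matches on identity,
        # attribute GUID, rights, audit flags and inheritance type.
        $dup = $existing | Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $guid -and
            $_.ActiveDirectoryRights -eq $Rights -and
            $_.AuditFlags -eq $AuditFlags -and
            $_.InheritanceType -eq $Inheritance
        }
        if ($dup) { Write-Verbose "Audit rule for $guid already present; skipping"; continue }

        # inheritedObjectType = [guid]::Empty: the ACE is not restricted to a child object class
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
            $sid, $Rights, $AuditFlags, $guid, $Inheritance, [guid]::Empty)
        $acl.AddAuditRule($rule)   # append; SetAuditRule here would drop the previous attribute's ACE
        $added++
    }

    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($AdObjectPath, "Add $added audit rule(s)")) {
        Set-Acl -Path $AdObjectPath -AclObject $acl            # one write for all new ACEs
    }

    # Re-read and return the explicit audit ACEs for this identity so the caller can verify them.
    (Get-Acl -Path $AdObjectPath -Audit).GetAuditRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# Usage: audit reads of member and memberOf on AdminSDHolder by NT AUTHORITY\NETWORK.
# The path and GUIDs are the ones from the issue above.
$adminSdHolder = "ad:\CN=AdminSDHolder,CN=System,DC=EXAMPLE"
$network = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
$attrs = @{
    member   = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
    memberOf = 'bf967991-0de6-11d0-a285-00aa003049e2'
}

$result  = Add-AttributeAuditRule -AdObjectPath $adminSdHolder -Identity $network `
                                  -AttributeGuid ([guid[]]$attrs.Values) -Verbose
$missing = $attrs.GetEnumerator() | Where-Object { [guid]$_.Value -notin $result.ObjectType }
if ($missing) {
    Write-Warning "Audit rule(s) not applied: $($missing.Key -join ', ')"
} else {
    "All $($attrs.Count) attribute audit rules are present on $adminSdHolder"
}
```

The duplicate check is a plain equality on identity, attribute GUID, rights, audit flags and inheritance type; it does not try to merge overlapping access masks, so an ACE with a different mask for the same attribute is added alongside rather than folded in. Running the function with -WhatIf shows what would be written without touching the SACL. As the issue notes, ACEs placed on AdminSDHolder only reach protected principals such as Domain Admins once SDProp next stamps them, so verification against the group or user objects themselves has to wait for that run.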