Manage Active Directory objects with ADSI


Back in the days, when I was still a Windows & AD Admin. I decided to make a document on using the ADSI accelerator to manage objects in Active Directory. There is a funny story behind it, because it was never been my intention to dive deep into this topic, but something triggered me to learn more about it.

I’ve saw during my sysadmins years a lot of AD Admins with (unnecessary) Domain Admin privileges. The majority of them only had DA, so they could access a Domain Controller and open the Active Directory Users & Computers GUI to perform their day-to-day tasks.

Yes, you might be shocked, right now. However, I can guarantee that this is still one of the reasons today, why companies are having unnecessary Domain Admins. I also can confirm that there are ”seasoned” admins who weren’t aware that you can install the RSAT toolkit locally on your machine as well.

Since I fully understood the security risks behind having too much DA’s. I wanted to come up with an approach for myself on how I could still do my work, which was managing AD. While not necessary having Domain Admin, because to be fair. I didn’t even needed it, and I was just following the procedure on how it has been taught me. Which was using the GUI, etc. I would lie, when I say that I don’t use it anymore, but it’s now command-line first for me. I’m also not doing much related to AD anymore, so that’s a plus for me.

After googling around. I’ve learned more about the ADSI accelerator, and I felt in love with it. Because the accelerator is available on every domain-joined machine, which means that I could manage AD on every domain computer without installing additional tools, like the Remote Server Administration Tools for example.

What is ADSI?

Active Directory Service Interface (ADSI) is a utility that allows IT Admins manage and view objects and attributes in Active Directory. It enables Admins to perform day-to-day tasks, such as adding new users, creating new groups, changing LDAP attributes on objects, and so on.

There is a GUI version of it that is part of the RSAT toolkit, which is not available on every domain-joined machine. Because you have install the toolkit to get it. However, the accelerator is accessible for every authenticated user, but it can only be managed from the command-line.

Here is an example of running a LDAP query to obtain all the servers that are configured for Unconstrained Delegation, while excluding DC’s.

What will you learn in this PDF?

This PDF covers the basic steps from creating a LDAP query to enumerate information in AD to obtain subnets, DNS records, LAPS password, etc. Besides of that, you will also learn how to perform common administration tasks, such as creating a new user, resetting passwords, adding user to a new group, taking ownership on an AD object, adding a new ACE to an object, and more. Everything done from the command-line!

Every example is very straight forwarded and it goes into the details. That’s been said. I would say that this PDF is targeted for not just IT pro’s, but also security professionals.

Red Teamers who have been doing engagements for a while, can tell from their own experience, that they likely will encounter AD most of the time. Understanding how to use the capabilities of ADSI to perform enumeration on a target can be useful. I’ve added a section, where I cover different examples on enumeration.

The PDF can be download here:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: