tbiro.com

SHEdit


SHEdit is an offline editor for the sIDHistory Active Directory attribute. It writes the attribute straight into the NTDS.DIT database, bypassing the restrictions built into the DsAddSidHistory API, and so lets an administrator of any domain in a forest act in any other domain of that forest as any user of that domain. This works because SID history is honored between domains of the same forest: SID filtering is not applied to intra-forest trusts (see the note below).

How to use:
- Get the SID of a user in the target domain. This is the value that will be written into sIDHistory.
- Reboot a domain controller into Directory Services Restore Mode.
- Back up NTDS.DIT (optional but strongly recommended; see the limitations below).
- Run SHEdit.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. If you used %SYSTEMROOT%\NTDS as the tool's temporary folder, the tool has already removed these files for you.
- If you have more than one domain controller, perform an authoritative restore of the AD database so that the change is replicated to the other controllers rather than overwritten by them.
- Reboot the server normally. You should now have the desired access to the target domain.
- When you are done, use the ClearSIDHistory.vbs script to delete the sIDHistory attribute again.
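
The first and last steps of the procedure, plus the check a practitioner wants afterwards, as an added PowerShell example. This is not part of SHEdit and not the ClearSIDHistory.vbs script from the page; it uses the ActiveDirectory module and assumes the domain name `child.corp.example` and the account `Administrator` as placeholders. It resolves the SID that SHEdit takes as input, then audits every domain of the forest for accounts whose sIDHistory holds a privileged SID from another domain of the same forest (exactly what this tool produces, and what SID filtering does not block inside a forest), and finally removes such values over LDAP, which is permitted even though adding them is not.

```powershell
# Added example (not SHEdit's own code). Requires the ActiveDirectory module
# and rights to read/modify the objects involved. Names marked as assumptions
# are placeholders, not values from the page.
Import-Module ActiveDirectory

# Step 1 of the procedure: the SID SHEdit will write into sIDHistory.
$targetDomain = 'child.corp.example'   # assumption
$targetUser   = 'Administrator'        # assumption
$sidToInject  = (Get-ADUser -Identity $targetUser -Server $targetDomain).SID.Value
Write-Host "SID to feed to SHEdit: $sidToInject"

# sIDHistory may surface as SecurityIdentifier objects or raw byte arrays
# depending on the cmdlet; normalize to the S-1-5-21-... string form.
function ConvertTo-SidString($v) {
    if ($v -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($v, 0)).Value
    }
    return $v.ToString()
}

# Audit: privileged RIDs that turn a sIDHistory value into domain-wide rights.
# 500 Administrator, 512 Domain Admins, 516 Domain Controllers,
# 518 Schema Admins, 519 Enterprise Admins.
$privilegedRids = 500, 512, 516, 518, 519
$forest     = Get-ADForest
$domainSids = @{}
foreach ($d in $forest.Domains) {
    $domainSids[(Get-ADDomain -Identity $d).DomainSID.Value] = $d
}

$findings = foreach ($d in $forest.Domains) {
    Get-ADObject -Server $d -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($h in $obj.sIDHistory) {
                $s       = ConvertTo-SidString $h
                $idx     = $s.LastIndexOf('-')
                $domPart = $s.Substring(0, $idx)
                $rid     = [int]$s.Substring($idx + 1)
                # Flag only values that (a) belong to a domain of this forest,
                # where SID filtering does not apply, and (b) carry a privileged RID.
                if ($domainSids.ContainsKey($domPart) -and ($privilegedRids -contains $rid)) {
                    [pscustomobject]@{
                        Domain         = $d
                        Object         = $obj.DistinguishedName
                        HistorySid     = $s
                        GrantsRightsIn = $domainSids[$domPart]
                    }
                }
            }
        }
}
$findings | Format-Table -AutoSize

# Cleanup (what the ClearSIDHistory.vbs step does): delete the flagged values.
# Deleting sIDHistory values over LDAP is allowed; adding them is not, which is
# why SHEdit has to edit the database offline. Drop -WhatIf to actually remove.
foreach ($f in $findings) {
    Set-ADObject -Server $f.Domain -Identity $f.Object -Remove @{ sIDHistory = $f.HistorySid } -WhatIf
}
```

The audit part doubles as a detection check for defenders: legitimate migrations with ADMT can leave intra-forest SIDs in sIDHistory, but a value with RID 500, 512 or 519 pointing at another domain of the forest is almost never legitimate and is the signature this tool leaves behind.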

Limitations:
- Only one sIDHistory value is written. If you run the tool several times, only the value from the last run remains; earlier values are replaced, not appended.
- In certain rare cases the ntds.dit file ends up corrupted and the tool can no longer open it. Restore from your backup and try again; the second attempt may succeed.

A note related to Windows 2000 SP4 and Windows 2003:
- SID history filtering is enabled by default for external trusts.
- SID history filtering is NOT enabled by default for trusts between domains in the same forest. This is the gap the tool relies on.

Related links:
Microsoft Security Bulletin MS02-001
Protecting Active Directory from Domain Trust Vulnerability
Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks
Design Considerations for Delegation of Administration in Active Directory

Download SHEdit for Windows 2000.
Download SHEdit for Windows 2003.

Support forum here.