After I uncovered how easy it is to gain access to a password by moving machines around a domain, I began to think, “What ACLs do you need to access the password?” Using a BadBlood domain I put this question to the test.
This post is quick and dirty.
(For LAPS) Read permission is not enough. AD honors a read request for a confidential attribute value (such as ms-Mcs-AdmPwd) only when at least one of the following is true:
Caller is granted ‘Full Control’ permission
Caller is granted ‘All Extended Rights’ permission
Caller is granted ‘Control Access’ on the attribute permission (this is what LAPS PowerShell uses to grant the permission)
https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad
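As an added example (not code from the original post or from the LAPS project), the three conditions above can be checked directly against a computer object's security descriptor. The script assumes the ActiveDirectory module, a domain where the LAPS schema extension has been applied, and a placeholder computer name (WS01) that you would replace with the machine you are auditing. It resolves the schemaIDGUID of ms-Mcs-AdmPwd at run time rather than hard-coding it, then reports every Allow ACE that grants Full Control, All Extended Rights, or the control access right for that attribute. A plain ReadProperty ACE on the attribute is deliberately not matched, because it does not disclose the value.

```powershell
# Added example: list who can actually read the LAPS password on one computer object.
# Assumption: ActiveDirectory module available; LAPS schema extension installed.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param(
        # Placeholder computer name; replace with the object you want to audit.
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $computer = Get-ADComputer -Identity $ComputerName

    # Resolve the attribute's schemaIDGUID instead of hard-coding it (it is forest-specific data
    # written by the LAPS schema update, so look it up where it is defined).
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $attrObject = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attrObject) { throw 'ms-Mcs-AdmPwd not found in the schema; is LAPS installed in this forest?' }
    $admPwdGuid       = [guid]$attrObject.schemaIDGUID
    $allExtendedRight = [guid]'00000000-0000-0000-0000-000000000000'   # empty ObjectType = every extended right

    $rights     = [System.DirectoryServices.ActiveDirectoryRights]
    $genericAll = $rights::GenericAll
    $extRight   = $rights::ExtendedRight

    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # 1. Full Control: every bit of GenericAll must be present, not just some of them.
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
            # 2. All Extended Rights, or 3. Control Access scoped to ms-Mcs-AdmPwd
            # (the latter is what Set-AdmPwdReadPasswordPermission writes).
            ((($_.ActiveDirectoryRights -band $extRight) -ne 0) -and
             ($_.ObjectType -eq $allExtendedRight -or $_.ObjectType -eq $admPwdGuid))
        )
    } | ForEach-Object {
        [pscustomobject]@{
            Computer    = $computer.Name
            Trustee     = $_.IdentityReference.Value
            Reason      = if (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { 'FullControl' }
                          elseif ($_.ObjectType -eq $allExtendedRight)                  { 'AllExtendedRights' }
                          else                                                          { 'ControlAccess:ms-Mcs-AdmPwd' }
            Inherited   = $_.IsInherited
        }
    }
}

# Usage against the placeholder machine; run it over an OU with a loop if you want the whole picture.
Get-LapsPasswordReaders -ComputerName 'WS01' | Format-Table -AutoSize
```

Two caveats when reading the output: the script does not evaluate Deny ACEs or expand group membership, so a trustee that is a group means every nested member can read the password; and an ACE inherited from an OU shows up on every computer beneath it, which is exactly the case a domain like BadBlood makes hard to spot by eye. The LAPS module's own Find-AdmPwdExtendedRights cmdlet answers a similar question per OU, but this version shows which of the three conditions each trustee satisfies.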
What did I miss? Are there other ACLs that need to be added to this test?
Let me know and I’ll update my test. If LAPS is enabled in your AD environment, make sure you know who can gain administrator privileges to the computer!