Enumerate following for the us.techcorp.local domain:
- ACL for the Domain Admins group
- All modify rights/permissions for the studentuserx
Use PowerView:
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local" -ResolveGUIDs -Verbose
There are 2 things to check:
- ACL for studentuserx
- ACL for the group of studentuserx
ACL for studentuserx:
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentuser64"}
To get the group of studentuserx:
Get-DomainGroup -UserName studentuser64 | select cn
- MaintenanceUsers
- StudentUsers
- Domain Users
- Managers
Take StudentUsers as an example. Enumerate the interesting ACLs:
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}