@05t3
Last active January 5, 2022 09:59
Dear Sir, would you mind helping troubleshoot what might be going wrong when I set up the AD environment? I am currently setting up a lab for your course Movement, pivoting & persistence on Udemy.


PS C:\Users\Administrator\Desktop\ADGenerator-main> dir


    Directory: C:\Users\Administrator\Desktop\ADGenerator-main


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/5/2022  12:17 AM                images
-a----         1/5/2022  12:17 AM          18405 ADGenerator.ps1
-a----         1/5/2022  12:17 AM           2034 coursewordlist
-a----         1/5/2022  12:17 AM           1912 Invoke-ForestDeploy.ps1
-a----         1/5/2022  12:17 AM            951 nameGen.ps1
-a----         1/5/2022  12:17 AM           1902 README.md


PS C:\Users\Administrator\Desktop\ADGenerator-main> Set-ExecutionPolicy Unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
PS C:\Users\Administrator\Desktop\ADGenerator-main> . .\ADGenerator.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
PS C:\Users\Administrator\Desktop\ADGenerator-main> Invoke-ADGenerator -DomainName theoffice.local

            ___    ____     ______                           __
           /   |  / __ \   / ____/__  ____  ___  _________ _/ /_____  _____
          / /| | / / / /  / / __/ _ \/ __ \/ _ \/ ___/ __ `/ __/ __ \/ ___/
         / ___ |/ /_/ /  / /_/ /  __/ / / /  __/ /  / /_/ / /_/ /_/ / /
        /_/  |_/_____/   \____/\___/_/ /_/\___/_/   \__,_/\__/\____/_/

        Vulnerable Active Directory Domain Generator by The Mayor

        [*] Promoting Administrator to appropriate Domain Administrative roles required for the course. [*]
        [+] Promoting Administrator to Enterprise Administrator.
User Administrator is already a member of group Enterprise Admins.

More help is available by typing NET HELPMSG 3754.

        [+] Promoting Administrator to Domain Administrator.
User Administrator is already a member of group Domain Admins.

More help is available by typing NET HELPMSG 3754.

        [+] Promoting Administrator to Group Policy Creator Owners.
User Administrator is already a member of group Group Policy Creator Owners.

More help is available by typing NET HELPMSG 3754.

        [+] Promoting Administrator to Local Administrator (error output may occur - this is expected).
System error 1378 has occurred.

The specified account name is already a member of the group.

        [*] Administrative privilege delegation completed. [*]
        [*] Renaming the domain controller to DC01 [*]
WARNING: The changes will take effect after you restart the computer WIN-SOKFK09IVBB.


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/5/2022   1:34 AM                Shared

AvailabilityType      : NonClustered
CachingMode           : Manual
CATimeout             : 0
ConcurrentUserLimit   : 0
ContinuouslyAvailable : False
CurrentUsers          : 0
Description           :
EncryptData           : False
FolderEnumerationMode : Unrestricted
IdentityRemoting      : False
Infrastructure        : False
LeasingMode           : Full
Name                  : Shared
Path                  : C:\Shared
Scoped                : False
ScopeName             : *
SecurityDescriptor    : O:SYG:SYD:(A;;0x1200a9;;;BU)
ShadowCopy            : False
ShareState            : Online
ShareType             : FileSystemDirectory
SmbInstance           : Default
Special               : False
Temporary             : False
Volume                : \\?\Volume{8bba7c49-0000-0000-0000-602200000000}\
PSComputerName        :
PresetPathAcl         : System.Security.AccessControl.DirectorySecurity
PresetPathAcl         : System.Security.AccessControl.DirectorySecurity

        [*] Domain controller renamed. [*]
        [*] Creating Domain Groups [*]
        [+] Adding Senior Management to theoffice.local
        [+] Adding IT Admins to theoffice.local
        [+] Adding Engineering to theoffice.local
        [+] Adding Sales to theoffice.local
        [*] Generating Organizational Units for the theoffice.local. [*]
        [+] Organizational Units added.
        [*] Group creation completed. [*]
        [*] Creating Domain Users [*]
New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:86 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Aaron Adams,...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] a.adams added
        [+] Adding a.adams to Senior Management Group
Add-ADGroupMember : Cannot find an object with identity: 'a.adams' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:89 char:1
+ Add-ADGroupMember -Identity $Global:Senior -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (a.adams:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

        [+] Adding a.adams to Domain Administrators Group
Add-ADGroupMember : Cannot find an object with identity: 'a.adams' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:91 char:1
+ Add-ADGroupMember -Identity "Domain Admins" -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (a.adams:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:98 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Jonathon Tay...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] j.taylor added
        [+] Adding j.taylor to IT Admins Group
Add-ADGroupMember : Cannot find an object with identity: 'j.taylor' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:101 char:1
+ Add-ADGroupMember -Identity $Global:ITAdmins -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (j.taylor:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

Add-ADGroupMember : Cannot find an object with identity: 'j.taylor' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:102 char:1
+ Add-ADGroupMember -Identity "Administrators" -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (j.taylor:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:109 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Jillian Anth...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] j.anthony added
        [+] Adding j.anthony to Engineering Group
Add-ADGroupMember : Cannot find an object with identity: 'j.anthony' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:112 char:1
+ Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (j.anthony:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:119 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Tabitha Cart...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] t.carter added
        [+] Adding t.carter to Engineering Group
Add-ADGroupMember : Cannot find an object with identity: 't.carter' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:122 char:1
+ Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (t.carter:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:129 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Megan Philli...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] m.phillips added
        [+] Adding m.phillips to Engineering Group
Add-ADGroupMember : Cannot find an object with identity: 'm.phillips' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:132 char:1
+ Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (m.phillips:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

Add-ADGroupMember : Cannot find an object with identity: 'm.phillips' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:133 char:1
+ Add-ADGroupMember -Identity "Group Policy Creator Owners" -Members $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (m.phillips:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:140 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Richard Smit...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] r.smith added
        [+] Adding r.smith to Engineering Group
Add-ADGroupMember : Cannot find an object with identity: 'r.smith' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:143 char:1
+ Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (r.smith:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:150 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Samantha Chi...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] s.chisholm added
        [+] Adding s.chisholm to Sales
Add-ADGroupMember : Cannot find an object with identity: 's.chisholm' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:153 char:1
+ Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (s.chisholm:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:160 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Margaret Sei...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] m.seitz added
        [+] Adding m.seitz to Engineering Group
Add-ADGroupMember : Cannot find an object with identity: 'm.seitz' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:163 char:1
+ Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (m.seitz:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:170 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Aaron Taroll...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] a.tarolli added
        [+] Adding a.tarolli to Sales
Add-ADGroupMember : Cannot find an object with identity: 'a.tarolli' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:173 char:1
+ Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (a.tarolli:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

New-ADUser : The server is unwilling to process the request
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:180 char:1
+ New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Zane Dickens...yorsec,DC=local:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

        [+] z.dickens added
        [+] Adding z.dickens to Sales
Add-ADGroupMember : Cannot find an object with identity: 'z.dickens' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:183 char:1
+ Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (z.dickens:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

        [*] User creation completed [*]
        [*] Modifying pre-authentication privileges [*]
Set-ADAccountControl : Cannot find an object with identity: 'a.tarolli' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:197 char:1
+ Set-ADAccountControl -Identity $asrepUser -DoesNotRequirePreAuth 1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (a.tarolli:ADAccount) [Set-ADAccountControl], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADAccountControl

        [+] ASREP privileges granted to a.tarolli
        [*] ASREP settings update completed. [*]
        [*] Adding Kerberoastable service account to domain [*]
The command completed successfully.

Checking domain DC=theoffice,DC=local

Registering ServicePrincipalNames for CN=mssql_svc,CN=Users,DC=theoffice,DC=local
        DC01/mssql_svc.
Updated object
        [+] mssql_svc service account added
        [*] Kerberoastable service creation completed. [*]
        [*] Granting IT Admins GenericAll rights on Domain Admins. [*]
        [+] IT Admins group granted GenericAll permissions for the Domain Admins group.
        [*] Adding misconfigured ACL rule for the Engineering group. [*]
        [+] Whoops! GenericAll rights granted to Engineering.
        [*] Adding misconfigured ACL rule for Margaret Seitz. [*]
Get-ADUser : Cannot find an object with identity: 'm.seitz' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:252 char:16
+ $vulnAclUser = Get-ADUser -Identity "m.seitz"
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (m.seitz:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Get-ADUser : Cannot find an object with identity: 'j.taylor' under: 'DC=theoffice,DC=local'.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:253 char:15
+ $SourceUser = Get-ADUser -Identity "j.taylor"
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (j.taylor:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

AD-AddACL : Cannot validate argument on parameter 'Source'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Users\Administrator\Desktop\ADGenerator-main\ADGenerator.ps1:254 char:19
+ AD-AddACL -Source $vulnAclUser.sid -Destination $SourceUser.Distingui ...
+                   ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [AD-AddACL], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,AD-AddACL

        [+] Whoops! GenericAll rights granted to m.seitz.
        [*] Adding misconfigured ACL rule for the Sales group. [*]
        [+] Whoops! GenericAll rights granted to Sales.
        [*] ACL misconfigurations completed. [*]
        [*] Configuring some GPO policies required for the domain. [*]

DisplayName   : WinRM Firewall TCP 5985
GpoId         : ca0efb64-db92-4af8-980d-e7e6f0a9e4ff
Enabled       : True
Enforced      : False
Order         : 2
Target        : DC=theoffice,DC=local
GpoDomainName : theoffice.local
Caption                 :
Description             :
ElementName             : Allow WinRM TCP 5985 To Domain Joined Systems
InstanceID              : {f7c2bd77-0bf4-4030-8850-156751597343}
CommonName              :
PolicyKeywords          :
Enabled                 : True
PolicyDecisionStrategy  : 2
PolicyRoles             :
ConditionListType       : 3
CreationClassName       : MSFT|FW|FirewallRule|{f7c2bd77-0bf4-4030-8850-156751597343}
ExecutionStrategy       : 2
Mandatory               :
PolicyRuleName          :
Priority                :
RuleUsage               :
SequencedActions        : 3
SystemCreationClassName :
SystemName              :
Action                  : Allow
Direction               : Inbound
DisplayGroup            :
DisplayName             : Allow WinRM TCP 5985 To Domain Joined Systems
EdgeTraversalPolicy     : Block
EnforcementStatus       : NotApplicable
LocalOnlyMapping        : False
LooseSourceMapping      : False
Owner                   :
Platforms               : {}
PolicyStoreSource       :
PolicyStoreSourceType   : GroupPolicy
PrimaryStatus           : OK
Profiles                : 0
RuleGroup               :
Status                  : The rule was parsed successfully from the store. (65536)
StatusCode              : 65536
PSComputerName          :
Name                    : {f7c2bd77-0bf4-4030-8850-156751597343}
ID                      : {f7c2bd77-0bf4-4030-8850-156751597343}
Group                   :
Profile                 : Any
Platform                : {}
LSM                     : False

        [+] A GPO for PowerShell Remoting was created for authenticated users on the domain.
        [*] GPO configurations completed. [*]
        [*] Configuring GPO policies to enable PowerShell remoting on hosts. [*]

DisplayName   : Enable PSRemoting Desktops
GpoId         : 4f4b07c7-29e3-497a-a3a5-77e27af09781
Enabled       : True
Enforced      : False
Order         : 3
Target        : DC=theoffice,DC=local
GpoDomainName : theoffice.local


Id               : 4f4b07c7-29e3-497a-a3a5-77e27af09781
DisplayName      : Enable PSRemoting Desktops
Path             : cn={4F4B07C7-29E3-497A-A3A5-77E27AF09781},cn=policies,cn=system,DC=theoffice,DC=local
Owner            : theoffice\Domain Admins
DomainName       : theoffice.local
CreationTime     : 1/5/2022 1:36:27 AM
ModificationTime : 1/5/2022 1:36:28 AM
User             : Microsoft.GroupPolicy.UserConfiguration
Computer         : Microsoft.GroupPolicy.ComputerConfiguration
GpoStatus        : AllSettingsEnabled
WmiFilter        :
Description      :


Id               : 4f4b07c7-29e3-497a-a3a5-77e27af09781
DisplayName      : Enable PSRemoting Desktops
Path             : cn={4F4B07C7-29E3-497A-A3A5-77E27AF09781},cn=policies,cn=system,DC=theoffice,DC=local
Owner            : theoffice\Domain Admins
DomainName       : theoffice.local
CreationTime     : 1/5/2022 1:36:27 AM
ModificationTime : 1/5/2022 1:36:28 AM
User             : Microsoft.GroupPolicy.UserConfiguration
Computer         : Microsoft.GroupPolicy.ComputerConfiguration
GpoStatus        : AllSettingsEnabled
WmiFilter        :
Description      :


Id               : 4f4b07c7-29e3-497a-a3a5-77e27af09781
DisplayName      : Enable PSRemoting Desktops
Path             : cn={4F4B07C7-29E3-497A-A3A5-77E27AF09781},cn=policies,cn=system,DC=theoffice,DC=local
Owner            : theoffice\Domain Admins
DomainName       : theoffice.local
CreationTime     : 1/5/2022 1:36:27 AM
ModificationTime : 1/5/2022 1:36:28 AM
User             : Microsoft.GroupPolicy.UserConfiguration
Computer         : Microsoft.GroupPolicy.ComputerConfiguration
GpoStatus        : AllSettingsEnabled
WmiFilter        :
Description      :

        [+] Registry setting for Powershell Remoting OK!

Id               : 4f4b07c7-29e3-497a-a3a5-77e27af09781
DisplayName      : Enable PSRemoting Desktops
Path             : cn={4F4B07C7-29E3-497A-A3A5-77E27AF09781},cn=policies,cn=system,DC=theoffice,DC=local
Owner            : theoffice\Domain Admins
DomainName       : theoffice.local
CreationTime     : 1/5/2022 1:36:27 AM
ModificationTime : 1/5/2022 1:36:28 AM
User             : Microsoft.GroupPolicy.UserConfiguration
Computer         : Microsoft.GroupPolicy.ComputerConfiguration
GpoStatus        : AllSettingsEnabled
WmiFilter        :
Description      :


Id               : 4f4b07c7-29e3-497a-a3a5-77e27af09781
DisplayName      : Enable PSRemoting Desktops
Path             : cn={4F4B07C7-29E3-497A-A3A5-77E27AF09781},cn=policies,cn=system,DC=theoffice,DC=local
Owner            : theoffice\Domain Admins
DomainName       : theoffice.local
CreationTime     : 1/5/2022 1:36:27 AM
ModificationTime : 1/5/2022 1:36:30 AM
User             : Microsoft.GroupPolicy.UserConfiguration
Computer         : Microsoft.GroupPolicy.ComputerConfiguration
GpoStatus        : AllSettingsEnabled
WmiFilter        :
Description      :

        [+] Service setting for Powershell Remoting OK!
        [*] Domain-wide PowerShell Remoting GPO configuration completed. [*]
        [*] Some changes require a restart to take effect. Restarting your domain controller in 30 seconds. [*]

I don't seem to find the various users added.

DomainName of choice used is theoffice.local


I have attached the PowerShell output when I run both scripts. I specifically seem to be having a problem with ADGenerator.ps1.

Your feedback will be highly appreciated.


PS C:\Users\Administrator\Desktop\ADGenerator-main> dir


    Directory: C:\Users\Administrator\Desktop\ADGenerator-main


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/5/2022  12:17 AM                images
-a----         1/5/2022  12:17 AM          18405 ADGenerator.ps1
-a----         1/5/2022  12:17 AM           2034 coursewordlist
-a----         1/5/2022  12:17 AM           1912 Invoke-ForestDeploy.ps1
-a----         1/5/2022  12:17 AM            951 nameGen.ps1
-a----         1/5/2022  12:17 AM           1902 README.md


PS C:\Users\Administrator\Desktop\ADGenerator-main> Set-ExecutionPolicy Unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
PS C:\Users\Administrator\Desktop\ADGenerator-main> . .\Invoke-ForestDeploy.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\Administrator\Desktop\ADGenerator-main\Invoke-ForestDeploy.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
PS C:\Users\Administrator\Desktop\ADGenerator-main> Invoke-ForestDeploy -DomainName theoffice.local

             ______                     __        ____             __
            / ____/___  ________  _____/ /_      / __ \___  ____  / /___  __  __
           / /_  / __ \/ ___/ _ \/ ___/ __/_____/ / / / _ \/ __ \/ / __ \/ / / /
          / __/ / /_/ / /  /  __(__  ) /_/_____/ /_/ /  __/ /_/ / / /_/ / /_/ /
         /_/    \____/_/   \___/____/\__/     /_____/\___/ .___/_/\____/\__, /
                                                        /_/            /____/
        Domain Deployment Script by TheMayor

        [*] Installing Windows AD Domain Services Toolset. [*]

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Group P...


Toolset installed.


        [*] Generating the domain. Make note of the domain name for the ADGenerator Script to be ran after the controller is built. [*]
SafeModeAdministratorPassword: ************
Confirm SafeModeAdministratorPassword: ************

The target server will be configured as a domain controller and restarted when this operation is complete.
Do you want to continue with this operation?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
WARNING: Windows Server 2019 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel
 sessions.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "theoffice.local". Otherwise, no action is required.

WARNING: Windows Server 2019 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel
 sessions.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "theoffice.local". Otherwise, no action is required.


Message        : Operation completed successfully
Context        : DCPromo.General.3
RebootRequired : False
Status         : Success



Restart the controller if not instructed.

05t3 commented Jan 5, 2022

Dear Sir, would you mind helping troubleshoot what might be going wrong when I set up the AD environment? I am currently setting up a lab for your course Movement, pivoting & persistence on Udemy.

I have attached the PowerShell output when I run both scripts. I specifically seem to be having a problem with ADGenerator.ps1.

Your feedback will be highly appreciated.
