Or - “How to Create
a Fat Kerberos Token of 82496 bytes!”
For testing purposes I wanted to create a user with an oversize
Kerberos token. The following script does just that: it creates a user called
FATTOKEN, in the OU FATTOKEN, in 1000 Domain Local FATTOKENG groups, and sets “trusted
for delegation”. Running the script with the -TidyUp flag removes everything it created.
Using the Get-TokenSizeReport.ps1 from here
against FATTOKEN shows:
Image:
Get-TokenSizeReport shows FATTOKEN has token size 82496
Image:
Get-TokenSizeReport warning of token size > 48000 bytes
The Script
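<#
.SYNOPSIS
    Creates (or, with -TidyUp, removes) a lab user whose Kerberos token is deliberately oversized.
.DESCRIPTION
    Without -TidyUp: creates OU FATTOKEN under $OUPATH, a user FATTOKEN inside it, marks the
    account trusted for delegation, creates $GroupCount Domain Local groups named
    FATTOKENG0001.. in the same OU and adds the user to every one of them.
    With -TidyUp: removes the user, the groups and finally the OU.
.PARAMETER TidyUp
    Remove everything the script created instead of creating it.
.PARAMETER GroupCount
    Number of groups to create / remove. Defaults to 1000, matching the original script.
    Capped at 9999 because group names are padded to four digits.
.NOTES
    Requires the ActiveDirectory module and rights to create and delete objects under $OUPATH.
    Run the -TidyUp branch once testing is done; the account is trusted for unconstrained
    delegation and a member of every group, so it should not be left behind.
#>
Param(
    [Switch]$TidyUp,
    [ValidateRange(1, 9999)][Int]$GroupCount = 1000
)

Import-Module -Name ActiveDirectory

[String]$FATTOKEN  = "FATTOKEN"
[String]$FATTOKENG = "FATTOKENG"
[String]$OUPATH    = "DC=lab,DC=priv"
# Distinguished name of the OU everything lives in; built once so every branch uses the same value.
[String]$OUDN      = "OU=$FATTOKEN,$OUPATH"

# Group names are zero-padded to four digits (FATTOKENG0001, ...). The create and remove
# branches both go through this function so the naming cannot drift apart between them.
function Get-FatGroupName {
    Param([String]$Prefix, [Int]$Index)
    return $Prefix + ([String]$Index).PadLeft(4, "0")
}

#######################
## FAT TOKEN CREATOR ##
#######################
IF (!$TidyUp) {
    # Each step depends on the previous one (the OU must exist before objects are created in
    # it, the user before it can be added to groups), so stop at the first failure instead of
    # running on and leaving a half-built set of objects.
    $ErrorActionPreference = 'Stop'

    ## 1) Create FATTOKEN OU and user ##
    $Password = Read-Host "Password for $FATTOKEN" -AsSecureString
    # -Path is given explicitly so the OU is created where $OUDN expects it.
    New-ADOrganizationalUnit -Name "$FATTOKEN" -Path $OUPATH
    New-ADUser -Name "$FATTOKEN" -AccountPassword $Password -Path $OUDN
    # TrustedForDelegation is the "trust this user for delegation to any service" (unconstrained
    # delegation) setting; it is part of the oversize-token setup and is removed together with
    # the account by the -TidyUp branch.
    Set-ADAccountControl -TrustedForDelegation:$TRUE -Identity $FATTOKEN
    Enable-ADAccount -Identity "$FATTOKEN"

    ## 2) Create groups ##
    for ($i = 1; $i -le $GroupCount; $i++) {
        $GroupName = Get-FatGroupName -Prefix $FATTOKENG -Index $i
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -Path $OUDN
        Write-Host "Creating $GroupName"
    }

    ## 3) Add FATTOKEN to the groups ##
    for ($i = 1; $i -le $GroupCount; $i++) {
        $GroupName = Get-FatGroupName -Prefix $FATTOKENG -Index $i
        Add-ADGroupMember -Members "$FATTOKEN" -Identity $GroupName
        Write-Host "$FATTOKEN being added to $GroupName"
    }
}
ELSE {
    ## 4) Tidy Up ##
    # Best effort: the default ErrorActionPreference is kept here so that a user or group
    # that is already gone does not stop the remaining objects from being removed.
    Remove-ADUser -Identity $FATTOKEN -Confirm:$FALSE
    for ($i = 1; $i -le $GroupCount; $i++) {
        $GroupName = Get-FatGroupName -Prefix $FATTOKENG -Index $i
        Remove-ADGroup -Identity $GroupName -Confirm:$FALSE
        Write-Host "Removed $GroupName"
    }
    # New OUs are protected from accidental deletion; the flag has to be cleared before removal.
    Set-ADObject -Identity $OUDN -ProtectedFromAccidentalDeletion:$FALSE
    Remove-ADOrganizationalUnit -Identity $OUDN -Confirm:$FALSE
}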