Conversation


@Bails309 Bails309 commented Nov 7, 2025

* Force true anonymous bind: set AuthType=Anonymous and Credential=[NetworkCredential]::new($null,$null)
* Use LdapDirectoryIdentifier($Server, $Port) instead of "$Server:$Port" string to avoid parsing quirks
* Disable referral chasing to prevent OperationsError from referral handling (ReferralChasing=None)
* Replace paged control with SizeLimit=1 and TimeLimit for a minimal, predictable read
* Perform a real directory read under defaultNamingContext (not just RootDSE) to confirm effective anonymous access
* Add precise result handling: Success vs InvalidCredentials (49) vs StrongerAuthRequired (8) vs OperationsError (1)
* Coerce DC HostName to string using -ExpandProperty to fix ADPropertyValueCollection output
* Minor robustness: ProtocolVersion=3, short timeouts, and safe Join-Path for output file
* Fixed LDAPS certificate detection logic:
  - Corrected EKU filtering to properly check for OID 1.3.6.1.5.5.7.3.1 (Server Authentication).
  - Added validation for certificate expiry (NotAfter > current date).
  - Added check to ensure certificate has a private key.
* Added explicit success message for DSRM on DCs:
  Prints "[+] Windows LAPS DSRM configuration on Domain Controllers looks OK..."
  when DFL ≥ 2016 and all DCs have a DSRM secret backed up AND none are expired.
* Introduced separate DC DSRM reports:
  - winlaps_dcs_missing-dsrm.txt
  - winlaps_dcs_expired-dsrm.txt
  DC entries are also included in aggregate Windows LAPS files where appropriate.
* DSRM checks gated by DFL ≥ 2016 per Microsoft guidance.
* Fixed Windows LAPS rights export:
  - Now binds -Identity explicitly for Find-LapsADExtendedRights.
  - Prevents "Cannot bind argument to parameter 'Identity' ... empty array" errors.
* Implemented DC-aware logic:
  - Legacy LAPS checks (missing/expired) skip domain controllers (legacy LAPS doesn't apply to DCs).
  - Windows LAPS distinguishes DC DSRM backups (msLAPS-EncryptedDSRMPassword) from non-DC backups
    (msLAPS-Password / msLAPS-EncryptedPassword). Uses msLAPS-PasswordExpirationTime for expiry.
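One way to implement the anonymous-bind probe the first six bullets describe, written as an added example (not the PR's or the project's own code) in PowerShell against System.DirectoryServices.Protocols; the function name and the DC hostname are placeholders:

```powershell
# Added example, not the PR's own code: probes one DC for effective anonymous LDAP read
# access the way the change list above describes. Function and parameter names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AnonymousLdapRead {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389, [int]$TimeoutSeconds = 5)
    # Identifier object instead of a "host:port" string; NetworkCredential(null,null) forces a true anonymous bind
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $cred = [System.Net.NetworkCredential]::new($null, $null)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Anonymous)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    try {
        $conn.Bind()
        # RootDSE is readable by everyone, so it proves nothing; use it only to find defaultNamingContext
        $root = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('defaultNamingContext'))
        $rootResp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($root)
        $baseDn = [string]$rootResp.Entries[0].Attributes['defaultNamingContext'][0]
        # The real test: a minimal one-level read under the domain NC (SizeLimit=1, explicit TimeLimit)
        $probe = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel, [string[]]@('distinguishedName'))
        $probe.SizeLimit = 1
        $probe.TimeLimit = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($probe)
        if ($resp.Entries.Count -gt 0) { return 'AnonymousReadAllowed' }   # finding worth hardening
        return 'AnonymousReadEmpty'
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $code = [int]$_.Exception.Response.ResultCode
        # SizeLimit=1 on a populated NC legitimately returns 4 (sizeLimitExceeded): the read worked
        if ($code -eq 4) { return 'AnonymousReadAllowed' }
        switch ($code) {
            49      { return 'InvalidCredentials(49)' }
            8       { return 'StrongerAuthRequired(8)' }
            1       { return 'OperationsError(1): anonymous read denied (AD default)' }
            default { return "LdapResult($code)" }
        }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Bind-level failure; ErrorCode carries the LDAP result code (e.g. 49) or 81 for server down
        return "LdapException($($_.Exception.ErrorCode)): $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

Test-AnonymousLdapRead -Server 'dc01.example.local'   # hostname is a placeholder
```

On a default-configured DC the expected result is OperationsError(1); reads beyond RootDSE only succeed when the forest's dsHeuristics seventh character has been set to 2 and ANONYMOUS LOGON has been granted read access, which is the configuration this check is meant to surface.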
