_ _____ _______ _ _ _______ _______ _____ _______ _ _
| | | | |____/ |______ | | | | | |_____|
|_____ |_____| |_____ | \_ ______| | | | __|__ | | |
.--. .--. .--.
/.-. '----------. /.-. '----------. /.-. '----------.
\'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-'
'--' '--' '--'
A tiny small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Locksmith (both script and module versions) must be run on a domain joined system.
- Locksmith (module version only) needs the ActiveDirectory and ServerManager PowerShell modules installed.
- Open a PowerShell prompt and run
Install-Module -Name Locksmith -Scope CurrentUser
- Download the latest module version ( Locksmith-v<YEAR>.<MONTH>.zip )
- Extract the downloaded zip file
- Open a PowerShell prompt to the location of the extracted file and run
Import-Module .\Locksmith.psd1
- Download the latest script version: https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip
- Open a PowerShell prompt to the location of the downloaded file and run
.\Invoke-Locksmith.ps1
Running Invoke-Locksmith.ps1 with no parameters or with -Mode 0 will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.
# Module Syntax
Invoke-Locksmith# Script Syntax
.\Invoke-Locksmith.ps1Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode0.md
This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.
# Module Syntax
Invoke-Locksmith -Mode 1# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode1.md
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 2# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode2.md
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 3# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode3.md
Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
# Module Syntax
Invoke-Locksmith -Mode 4# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md
Use the -Scans parameter to choose which vulnerabilities to scan for. Acceptable values include All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8, or PromptMe. The PromptMe option presents an interactive list allowing you to select scans.
# Run all scans
Invoke-Locksmith -Scan All# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8
