_ _____ _______ _ _ _______ _______ _____ _______ _ _
| | | | |____/ |______ | | | | | |_____|
|_____ |_____| |_____ | \_ ______| | | | __|__ | | |
.--. .--. .--.
/.-. '----------. /.-. '----------. /.-. '----------.
\'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-'
'--' '--' '--'
A tiny small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Locksmith (both script and module versions) must be run on a domain joined system.
- Locksmith (module version only) needs the ActiveDirectory and ServerManager PowerShell modules installed.
- Open a PowerShell prompt and run
Install-Module -Name Locksmith -Scope CurrentUser
- Download the latest module version: https://github.com/TrimarcJake/Locksmith/releases/latest/download/Locksmith.zip
- Extract the downloaded zip file
- Open a PowerShell prompt to the location of the extracted file and run
Import-Module .\Locksmith.psd1
- Download the latest script version: https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip
- Open a PowerShell prompt to the location of the downloaded file and run
.\Invoke-Locksmith.ps1
Running Invoke-Locksmith.ps1
with no parameters or with -Mode 0
will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.
# Module Syntax
Invoke-Locksmith
# Script Syntax
.\Invoke-Locksmith.ps1
Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode0.md
This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.
# Module Syntax
Invoke-Locksmith -Mode 1
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1
Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode1.md
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 2
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2
Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode2.md
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 3
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3
Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode3.md
Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
# Module Syntax
Invoke-Locksmith -Mode 4
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4
Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md
Use the -Scans
parameter to choose which vulnerabilities to scan for. Acceptable values include All
, Auditing
, ESC1
, ESC2
, ESC3
, ESC4
, ESC5
, ESC6
, ESC8
, or PromptMe
. The PromptMe
option presents an interactive list allowing you to select scans.
# Run all scans
Invoke-Locksmith -Scan All
# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe
# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1
# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8