search

GenericAll

hashtag
Summary

FSProtect ACL Alias

GenericAll

AD Alias

Full Control

Affected Object Types

All Objects

Exploitation Certainty

Certain

AD Right

GenericAll

AD Permission Guid

00000000-0000-0000-0000-000000000000

hashtag
Description

The GenericAll permission in Active Directory grants an account complete control over a specified directory object. With this permission, an account can perform any action ranging from reading and modifying all attributes to managing security settings and delegating permissions. This level of authority is sometimes necessary in administrative scenarios that require full management rights over an object, such as transferring ownership, performing extensive configuration changes, or executing high-level system maintenance tasks.

However, if misconfigured or assigned to unauthorized users, the GenericAll permission introduces substantial security vulnerabilities. An attacker who gains this permission can manipulate critical directory objects by altering security configurations, modifying object attributes, or even deleting objects outright. Such exploitation can lead to unauthorized access, complete privilege escalation, and persistent control over essential network resources. In extreme cases, the attacker may leverage GenericAll to subvert the intended security architecture of the Active Directory environment, resulting in a widespread compromise of system integrity and trust.

hashtag
Identification

hashtag
PowerShell

Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate GenericAll entries.

1. Find-GenericAll function

function Find-GenericAll {
    [CmdletBinding()]
    param ([string]$Target = $null,[string]$SearchBase = $null,[string]$OutputPath = "GenericAllAcls.csv",[switch]$ExcludeAdmins = $false)
    Import-Module ActiveDirectory
    Write-Host "Gathering Active Directory objects and inspecting ACLs for explicit GenericAll permissions..."
    $ExcludedSIDs = @()
    if ($ExcludeAdmins) {
        Write-Host "Excluding default administrative groups and built-in accounts."
        $ExcludedSIDs += (New-Object System.Security.Principal.NTAccount "NT AUTHORITY\SYSTEM").Translate([System.Security.Principal.SecurityIdentifier]),
        (New-Object System.Security.Principal.NTAccount "NT AUTHORITY\SELF").Translate([System.Security.Principal.SecurityIdentifier]),
        (New-Object System.Security.Principal.NTAccount "BUILTIN\Account Operators").Translate([System.Security.Principal.SecurityIdentifier]),
        (New-Object System.Security.Principal.NTAccount "BUILTIN\Administrators").Translate([System.Security.Principal.SecurityIdentifier]),
        (New-Object System.Security.Principal.NTAccount "BUILTIN\Terminal Server License Servers").Translate([System.Security.Principal.SecurityIdentifier]),
        (New-Object System.Security.Principal.NTAccount "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS").Translate([System.Security.Principal.SecurityIdentifier])
        $ExcludedSIDs += [System.Security.Principal.SecurityIdentifier]::new("S-1-3-0");
        try {
            $ExcludedSIDs += (Get-ADGroup -Identity "Domain Admins").SID;$ExcludedSIDs += (Get-ADGroup -Identity "Enterprise Admins").SID
            $ExcludedSIDs += (Get-ADGroup -Identity "Schema Admins").SID;$ExcludedSIDs += (Get-ADGroup -Identity "Cert Publishers").SID
            $ExcludedSIDs += (Get-ADGroup -Identity "Group Policy Creator Owners").SID;$ExcludedSIDs += (Get-ADGroup -Identity "Domain Controllers").SID
            $ExcludedSIDs += (Get-ADGroup -Identity "Key Admins").SID;$ExcludedSIDs += (Get-ADGroup -Identity "Enterprise Key Admins").SID
            $ExcludedSIDs += (Get-ADGroup -Identity "DnsAdmins").SID;$ExcludedSIDs += (Get-ADGroup -Identity "RAS and IAS Servers").SID
        }catch {Write-Warning "Could not resolve one or more default domain admin groups. They might not be filtered from results."}}
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow;$ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $foundAcls = @();$objectsToScan = @()
    try {
        if ($Target) {
            Write-Host "Searching for permissions on specific object: '$Target'."
            $specificObject = Get-ADObject -Identity $Target -Properties nTSecurityDescriptor -ErrorAction Stop
            if ($specificObject) { $objectsToScan += $specificObject} else {Write-Output "Object '$Target' not found.";return}} else {
            $adObjectParams = @{
                Filter    = "*"
                Properties = "nTSecurityDescriptor"
                ErrorAction = "Stop"
            }
            if ($SearchBase) {
                $adObjectParams.Add("SearchBase", $SearchBase)
                Write-Host "Searching for all objects within '$SearchBase'."} else {
                $adObjectParams.Add("SearchBase", (Get-ADRootDSE).DefaultNamingContext)
                Write-Host "Searching for all objects in the domain."}
            $objectsToScan = Get-ADObject @adObjectParams}
        if (-not $objectsToScan) {Write-Output "No objects found matching the criteria.";return }
        foreach ($obj in $objectsToScan) {
            $ObjectDistinguishedName = $obj.DistinguishedName
            try {
                $acl = Get-Acl -Path "AD:$ObjectDistinguishedName" 
                foreach ($ace in $acl.Access) {
                    $isExcluded = $false
                    if ($ExcludeAdmins) {
                        try {
                            if ($ExcludedSIDs -contains $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])) {
                                $isExcluded = $true
                            }}catch {Write-Warning "Could not translate SID for exclusion check: $($ace.IdentityReference.Value). Error: $($_.Exception.Message)"}}
                    if ($ace.AccessControlType -eq $AccessControlType -and($ace.ActiveDirectoryRights -eq $ActiveDirectoryRights) -and ($ace.ObjectType -eq [Guid]::Empty) -and-not $ace.IsInherited -and -not $isExcluded) {
                        $foundAcls += [PSCustomObject]@{
                            'Vulnerable Object' = $ObjectDistinguishedName
                            'Permission Holder' = $ace.IdentityReference.Value }}}}
            catch {Write-Warning "Could not retrieve ACL for '$ObjectDistinguishedName': $($_.Exception.Message)"}} }catch {Write-Error "Failed to retrieve Active Directory objects: $($_.Exception.Message)";return}
    if ($foundAcls.Count -gt 0) {
        $exclusionMessage = if ($ExcludeAdmins) { " (excluding default admin groups and built-in accounts)" } else { "" }
        Write-Host "Found $($foundAcls.Count) object(s) with explicit GenericAll permissions$exclusionMessage."
        try {
            $foundAcls | Sort-Object -Unique 'Vulnerable Object', 'Permission Holder' | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Output "Results exported successfully to '$OutputPath'"
        }
        catch {Write-Error "Failed to export results to CSV file '$OutputPath': $($_.Exception.Message)"}} else {
        $exclusionMessage = if ($ExcludeAdmins) { " (excluding default admin groups and built-in accounts)" } else { "" }
        Write-Output "No Active Directory objects found with explicit GenericAll permissions$exclusionMessage."}}

2. Scan all domain objects

3. Scan a specific object

4. To exclude default admin ACLs to improve visibility

5. Using SearchBase to limit the scope

.NET Directory Services

By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate GenericAll entries without relying on any external modules or dependencies.

1. Find-GenericAllSimple function

2. Scan all domain objects

3. Scan a specific object

4. To exclude default admin ACLs to improve visibility

hashtag
Active Directory Users and Computers

1. Open Active Directory Users and Computers on your Windows server.

2. Right-click on the Object name.

3. Select Properties from the context menu.

4. In the Properties window, navigate to the Security tab.

5. In the Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.

6. In the permissions list, locate and check the option Full control.

7. Click OK to save your changes and close the dialogs.

hashtag
Exploitation

hashtag
User

You can reset a user’s password to gain full control over the user object see the ForceChangePasswordarrow-up-right edge for complete abuse details. You can write to the AddKeyCredentialLinkarrow-up-right attribute on a user, enabling an attacker to create Shadow Credentials and authenticate as that principal via Kerberos PKINIT see the AddKeyCredentialLinkarrow-up-right edge. Alternatively, you can write to the “servicePrincipalNames” attribute to perform a targeted kerberoasting attack see the abuse section under the WriteSPNarrow-up-right edge for more information.

hashtag
Group

You can take full control of a group to directly modify its membership. See the Abuse Information section under the AddMemberarrow-up-right edge for complete abuse details.

hashtag
Computer

You can read a computer object’s LAPS password see the LapsPasswordarrow-up-right edge for details. You can write to the AddKeyCredentialLinkarrow-up-right attribute on a computer, enabling an attacker to create Shadow Credentials and authenticate as the computer via Kerberos PKINIT see the AddKeyCredentialLinkarrow-up-right edge for more information. You can take full control of a computer object to perform a Resource-Based Constrained Delegation attack see the AddAllowedToActarrow-up-right edge for more information.

hashtag
Domain Object

You can take full control of the domain object (the head object of the Default Naming Context) to grant DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights. See the DCSyncarrow-up-right edge documentation for abuse details.

hashtag
GPO

You can take full control of a GPO to modify its settings, which will then apply to its targeted users and computers. Select the target object, open the gpedit GUI, and inject a malicious policy such as an immediate scheduled task with item‑level targeting into the GPO. Wait at least two hours for the Group Policy Client to retrieve and execute the new policy. See the GPOWritearrow-up-right edge documentation for abuse details.

hashtag
Certificate Template

When an attacker has GenericAll permissions over a Certificate Template, they can modify its settings to introduce the ESC1 vulnerability. This misconfiguration can then be exploited to escalate privileges and ultimately gain Domain Admin rights.

For more details, see WriteOverCertificateTemplate.

hashtag
Delegated Managed Service Account

If an attacker has GenericAll permissions over a dMSA object, they can modify the PrincipalsAllowedToRetrieveManagedPassword property to include their own account. This grants the ability to retrieve the managed service account’s password.

Example:

Once added, the attacker can read the password. For more abuse details, see the ReadGMSAPasswordarrow-up-right edge.

hashtag
Mitigation

Access Control Entries identified as dangerous objects should be removed by following the steps below.

1. Open Active Directory Users and Computers

2. Double-click the affected object and open the Security tab.

3. Remove the rights marked as dangerous objects.

4. Click the OK and Apply buttons to save changes.

hashtag
Detection

Adding new Access Control Entries to Active Directory objects changes the ntSecurityDescriptor attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event IDs to identify dangerous object modifications.

Event ID
Category
Description
Fields/Attributes
References

5136

Audit Directory Service Changes

A directory service object was modified.

ntSecurityDescriptor

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

4662

Audit Directory Service Access

An operation was performed on an object.

AccessList, AccessMask

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

hashtag
References

PreviousForceChangePasswordNextGenericWrite

Last updated

Was this helpful?