https://github.com/trimarcjake/locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
https://github.com/trimarcjake/locksmith

active-directory active-directory-certificate-services ad-cs adcs pki powershell powershell-module powershell-script

Last synced: 12 days ago
JSON representation

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

• Host: GitHub
• URL: https://github.com/trimarcjake/locksmith
• Owner: TrimarcJake
• License: other
• Created: 2022-04-28T01:37:32.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2025-01-01T18:36:40.000Z (21 days ago)
• Last Synced: 2025-01-09T06:33:45.211Z (14 days ago)
• Topics: active-directory, active-directory-certificate-services, ad-cs, adcs, pki, powershell, powershell-module, powershell-script
• Language: PowerShell
• Homepage: https://github.com/TrimarcJake/Locksmith
• Size: 1.67 MB
• Stars: 993
• Watchers: 16
• Forks: 93
• Open Issues: 14
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.MD
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

        

# Locksmith

```text

 _       _____  _______ _     _ _______ _______ _____ _______ _     _

 |      |     | |       |____/  |______ |  |  |   |      |    |_____|

 |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |

     .--.                  .--.                  .--.

    /.-. '----------.     /.-. '----------.     /.-. '----------.

    \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'

     '--'                  '--'                  '--'

```

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

![GitHub release](https://img.shields.io/github/v/release/trimarcjake/locksmith?sort=semver)

![GitHub top language](https://img.shields.io/github/languages/top/trimarcjake/locksmith)

![PowerShell Gallery Platform Support](https://img.shields.io/powershellgallery/p/locksmith)

[![GitHub contributors](https://img.shields.io/github/contributors/trimarcjake/locksmith.svg)](https://github.com/trimarcjake/locksmith/graphs/contributors/)

[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)

![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/trimarcjake/Locksmith/powershell.yml?logo=github&label=PSScriptAnalyzer)

![PowerShell Gallery Downloads](https://img.shields.io/powershellgallery/dt/locksmith?logo=powershell&label=PowerShell%20Gallery%20Downloads&color=blue)

## Contents

1. [Installation](#Installation)

2. [Run Locksmith](#RunLocksmith)

   1. [Mode 0](#Mode0)

   2. [Mode 1](#Mode1)

   3. [Mode 2](#Mode2)

   4. [Mode 3](#Mode3)

   5. [Mode 4](#Mode4)

   6. [Scans](#Scans)



## Installation

### Prerequisites

1. Locksmith must be run on a domain joined system.

2. The ActiveDirectory and ServerManager PowerShell modules must be installed before importing the Locksmith module.

3. Administrative rights may be required for some checks and for remediation.

### Standard Module Installation

Open a PowerShell prompt and install Locksmith from the PowerShell Gallery:

```powershell

Install-Module -Name Locksmith -Scope CurrentUser

```

### Alternative Installation Methods

1. Download and Use the Module Without Installing It

   1. Download the [latest module version](https://github.com/TrimarcJake/Locksmith/releases/latest/download/Locksmith.zip).

   2. Open a PowerShell prompt to the location of the extracted file and run:

   ```powershell

   Unblock-File .\Locksmith.zip # if necessary to unblock the download

   Expand-Archive .\Locksmith.zip

   Import-Module .\Locksmith\Locksmith.psd1

   Invoke-Locksmith

   ```

2. Download the Standalone Script Without Module

   1. Download the latest monolithic (all-in-one) script version: [https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip](https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip).

   2. Open a PowerShell prompt to the location of the downloaded file and run:

   ```powershell

   Unblock-File .\Invoke-Locksmith.zip

   Expand-Archive .\Invoke-Locksmith.zip -DestinationPath .\

   .\Invoke-Locksmith.ps1

   ```



## Run Locksmith

There are several modes you can chose from when running `Invoke-Locksmith`. You can also use the **Scans** parameter to choose which scans you want to invoke.



### Mode 0: Identify Issues, Output to Console (Default)

Running `Invoke-Locksmith.ps1` with no parameters or with `-Mode 0` will scan the current Active Directory forest and output all discovered AD CS issues to the console in **Table** format.

``` powershell

# Module Syntax

Invoke-Locksmith

```

``` powershell

# Script Syntax

.\Invoke-Locksmith.ps1

```

Example Output for Mode 0: 



### Mode 1: Identify Issues and Fixes, Output to Console

This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in **List** format.

``` powershell

# Module Syntax

Invoke-Locksmith -Mode 1

```

``` powershell

# Script Syntax

.\Invoke-Locksmith.ps1 -Mode 1

```

Example Output for Mode 1: 



### Mode 2: Identify Issues, Output to CSV

Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.

``` powershell

# Module Syntax

Invoke-Locksmith -Mode 2

```

``` powershell

# Script Syntax

.\Invoke-Locksmith.ps1 -Mode 2

```

Example Output for Mode 2: 



### Mode 3: Identify Issues and Fixes, Output to CSV

In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.

``` powershell

# Module Syntax

Invoke-Locksmith -Mode 3

```

``` powershell

# Script Syntax

.\Invoke-Locksmith.ps1 -Mode 3

```

Example Output for Mode 3: 



### Mode 4: Fix All Issues

Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.

``` powershell

# Module Syntax

Invoke-Locksmith -Mode 4

```

``` powershell

# Script Syntax

.\Invoke-Locksmith.ps1 -Mode 4

```

Example Output for Mode 4: 



### Scans: Select Which Scans to Invoke

Use the `-Scans` parameter to choose which vulnerabilities to scan for. Acceptable values include `All`, `Auditing`, `ESC1`, `ESC2`, `ESC3`, `ESC4`, `ESC5`, `ESC6`, `ESC8`, `ESC11`, `ESC13`, `ESC15`, `EKEUwu`, or `PromptMe`. The `PromptMe` option presents an interactive list allowing you to select one or more scans.

``` powershell

# Run all scans

Invoke-Locksmith -Scan All

```

``` powershell

# Prompt the user for a list of scans to select

Invoke-Locksmith.ps1 -Scans PromptMe

```

``` powershell

# Scan for ESC1 vulnerable paths

Invoke-Locksmith.ps1 -Scans ESC1

```

``` powershell

# Scan for ESC1, ESC2, and ESC8 vulnerable paths

Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8

```

Thank you for using Locksmith! 💜