0xSV1 · July 30, 2021 14:35
diff --git a/Find-VulnerableSchemas.ps1 b/Find-VulnerableSchemas.ps1
 # Dictionary to hold superclass names
 $superClass = @{}

 # List to hold class names that inherit from container and are allowed to live under computer object
 $vulnerableSchemas = [System.Collections.Generic.List[string]]::new()

 # Resolve schema naming context
 $schemaNC = (Get-ADRootDSE).schemaNamingContext

 # Enumerate all class schemas
 $classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors

 # Enumerate all class schemas that computer is allowed to contain
 $computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer'

 # Populate superclass table
 $classSchemas |ForEach-Object {
    $superClass[$_.lDAPDisplayName] = $_.subClassOf
 }

 # Resolve class inheritance for computer inferiors
 $computerInferiors |ForEach-Object {
  $class = $cursor = $_.lDAPDisplayName
  while($superClass[$cursor] -notin 'top'){
    if($superClass[$cursor] -eq 'container'){
      $vulnerableSchemas.Add($class)
      break
    }
    $cursor = $superClass[$cursor]
  }
 }

 # Outpupt list of vulnerable class schemas 
 $vulnerableSchemas
diff --git a/Update-msExchStorageGroupSchema.ps1 b/Update-msExchStorageGroupSchema.ps1
 # Discover schema NC
 $rootDSE = Get-ADRootDSE
 $schemaNC = $rootDSE.schemaNamingContext

 # Discover schema master
 $schemaMaster = Get-ADObject $schemaNC -Properties fSMORoleOwner | Get-ADDomainController -Identity { $_.fSMORoleOwner }

 # Re-bind against RootDSE on schema master
 $rootDSE = [ADSI]::new("LDAP://$($schemaMaster.HostName)/RootDSE")

 # Prepare to refresh the schema!!!
 $schemaRefresh = {
  $rootDSE.Put("schemaUpdateNow", 1)
  $rootDSE.SetInfo()
 }

 # Fetch msExchStorageGroup schema object
 $schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))'

 # Update schema object
 Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMaster

 # Refresh schema
 & $schemaRefresh
	# Dictionary to hold superclass names
	$superClass = @{}

	# List to hold class names that inherit from container and are allowed to live under computer object
	$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()

	# Resolve schema naming context
	$schemaNC = (Get-ADRootDSE).schemaNamingContext

	# Enumerate all class schemas
	$classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors

	# Enumerate all class schemas that computer is allowed to contain
	$computerInferiors = $classSchemas \|Where-Object possSuperiors -eq 'computer'

	# Populate superclass table
	$classSchemas \|ForEach-Object {
	$superClass[$_.lDAPDisplayName] = $_.subClassOf
	}

	# Resolve class inheritance for computer inferiors
	$computerInferiors \|ForEach-Object {
	$class = $cursor = $_.lDAPDisplayName
	while($superClass[$cursor] -notin 'top'){
	if($superClass[$cursor] -eq 'container'){
	$vulnerableSchemas.Add($class)
	break
	}
	$cursor = $superClass[$cursor]
	}
	}

	# Outpupt list of vulnerable class schemas
	$vulnerableSchemas
	# Discover schema NC
	$rootDSE = Get-ADRootDSE
	$schemaNC = $rootDSE.schemaNamingContext

	# Discover schema master
	$schemaMaster = Get-ADObject $schemaNC -Properties fSMORoleOwner \| Get-ADDomainController -Identity { $_.fSMORoleOwner }

	# Re-bind against RootDSE on schema master
	$rootDSE = [ADSI]::new("LDAP://$($schemaMaster.HostName)/RootDSE")

	# Prepare to refresh the schema!!!
	$schemaRefresh = {
	$rootDSE.Put("schemaUpdateNow", 1)
	$rootDSE.SetInfo()
	}

	# Fetch msExchStorageGroup schema object
	$schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))'

	# Update schema object
	Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMaster

	# Refresh schema
	& $schemaRefresh