_ _____ _______ _ _ _______ _______ _____ _______ _ _
| | | | |____/ |______ | | | | | |_____|
|_____ |_____| |_____ | \_ ______| | | | __|__ | | |
.--. .--. .--.
/.-. '----------. /.-. '----------. /.-. '----------.
\'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-'
'--' '--' '--'
A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Locksmith must be run on a domain-joined system.
- The ActiveDirectory and ServerManager PowerShell modules must be installed before importing the Locksmith module.
- Administrative rights may be required for some checks and for remediation.
Open a PowerShell prompt and install Locksmith from the PowerShell Gallery:
Install-Module -Name Locksmith -Scope CurrentUser
- Download and Use the Module Without Installing It
- Download the latest module version.
- Open a PowerShell prompt to the location of the extracted file and run:
Unblock-File .\Locksmith.zip # if necessary to unblock the download
Expand-Archive .\Locksmith.zip
Import-Module .\Locksmith\Locksmith.psd1
Invoke-Locksmith
- Download the Standalone Script Without Module
- Download the latest monolithic (all-in-one) script version: https://github.com/jakehildreth/Locksmith/releases/latest/download/Invoke-Locksmith.zip.
- Open a PowerShell prompt to the location of the downloaded file and run:
Unblock-File .\Invoke-Locksmith.zip
Expand-Archive .\Invoke-Locksmith.zip -DestinationPath .\
.\Invoke-Locksmith.ps1
There are several modes you can choose from when running Invoke-Locksmith. You can also use the -Scans parameter to choose which scans you want to invoke.
Running Invoke-Locksmith.ps1 with no parameters or with -Mode 0 will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.
# Module Syntax
Invoke-Locksmith
# Script Syntax
.\Invoke-Locksmith.ps1
Example Output for Mode 0: https://github.com/jakehildreth/Locksmith/blob/main//Docs/Examples/Mode0.md
Mode 1 scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.
# Module Syntax
Invoke-Locksmith -Mode 1
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1
Example Output for Mode 1: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode1.md
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 2
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2
Example Output for Mode 2: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode2.md
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 3
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3
Example Output for Mode 3: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode3.md
Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
# Module Syntax
Invoke-Locksmith -Mode 4
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4
Example Output for Mode 4: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode4.md
Use the -Scans parameter to choose which vulnerabilities to scan for. Acceptable values include All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8, ESC11, ESC13, ESC15, EKEUwu, or PromptMe. The PromptMe option presents an interactive list allowing you to select one or more scans.
# Run all scans (module syntax)
Invoke-Locksmith -Scans All
# Prompt the user for a list of scans to select (script syntax)
.\Invoke-Locksmith.ps1 -Scans PromptMe
# Scan for ESC1 vulnerable paths
.\Invoke-Locksmith.ps1 -Scans ESC1
# Scan for ESC1, ESC2, and ESC8 vulnerable paths
.\Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8
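As an added example (not part of the Locksmith project), the following wrapper script checks the three prerequisites listed above before running a non-interactive Mode 2 scan limited to selected ESC checks, then reports what the resulting ADCSIssues.CSV contains. It assumes Locksmith was installed from the PowerShell Gallery and that -Mode and -Scans may be combined in one call; the CSV column names are not documented on this page, so the script discovers them rather than hard-coding any.

```powershell
# Added example, not Locksmith's own code: pre-flight checks for the documented
# prerequisites, then a scripted Mode 2 scan (CSV output, no console prompts).
param(
    [string[]]$Scans = @('ESC1', 'ESC2', 'ESC8')   # assumed: -Scans combines with -Mode
)

$ErrorActionPreference = 'Stop'

# 1. Locksmith must run on a domain-joined system.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This host is not domain-joined; Locksmith cannot query AD CS objects.'
}

# 2. ActiveDirectory and ServerManager must be installed before importing Locksmith.
foreach ($name in 'ActiveDirectory', 'ServerManager') {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        throw "Required module '$name' is not installed."
    }
}

# 3. Some checks and all remediation need administrative rights. Warn rather than
#    stop, because a read-only Mode 2 scan may still succeed unelevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated; some checks may be skipped and remediation is unavailable.'
}

# Assumes: Install-Module -Name Locksmith -Scope CurrentUser has already been run.
Import-Module -Name Locksmith

# Mode 2 writes ADCSIssues.CSV to the present working directory, which suits
# scheduled or scripted runs. Restrict the run to the requested scans.
Invoke-Locksmith -Mode 2 -Scans $Scans

$csv = Join-Path -Path (Get-Location) -ChildPath 'ADCSIssues.CSV'
if (Test-Path -Path $csv) {
    $issues = @(Import-Csv -Path $csv)
    Write-Host ('Locksmith found {0} issue(s) for scans: {1}' -f $issues.Count, ($Scans -join ', '))
    if ($issues.Count -gt 0) {
        # Column names are not documented here, so list whatever the CSV provides.
        Write-Host ('Columns: ' + ($issues[0].PSObject.Properties.Name -join ', '))
    }
} else {
    Write-Host 'No ADCSIssues.CSV was produced; review the console output above.'
}
```

Run it from the directory where you want ADCSIssues.CSV written, for example `.\Run-LocksmithScan.ps1 -Scans ESC1,ESC4`.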
Thank you for using Locksmith! 💜