
Get-AccessibleDsObject - Server specification #86


Description

@RnmX

Hello,

first of all – thank you for this great tool.

While using Get-AccessibleDsObject in a 'zero-trust' network, I ran into a problem related to how the cmdlet selects the LDAP server.

In many Microsoft AD cmdlets (for example Get-ADUser), the -Server parameter specifies the domain controller the client should connect to (see Microsoft documentation: “Specifies the Active Directory Domain Services instance to connect to”).

In Get-AccessibleDsObject, however, the -Server parameter is used only for remote AuthZ access checking (RPC-based), not for LDAP connectivity.
Although this is mentioned in the help (“Specify a server for use for remote access checking”), it is easy to assume that -Server controls the LDAP target as well. More importantly, there currently seems to be no way to explicitly specify the LDAP server / domain controller that should be used by the cmdlet.

Internally, the cmdlet uses:

  • LDAP://RootDSE
  • LDAP:///...

for RootDSE, schema loading and enumeration. In environments where domain discovery is blocked (which is common in zero-trust / segmented networks), this causes the cmdlet to fail with:

0x8007054B - The specified domain either does not exist or could not be contacted, even though direct LDAP access to a specific DC works correctly.

Suggestion

It would be very useful to have a way to explicitly specify the LDAP target server / domain controller, for example:

  • a dedicated parameter such as -LdapServer / -DirectoryServer
  • reusing -Server for LDAP and introducing a separate parameter for the remote AuthZ server (for example -AuthzServer).

This would allow the cmdlet to be used in environments where DC discovery is restricted, but direct LDAP access to selected DCs is allowed.

Thanks again for the excellent tool.
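The two binding modes the issue contrasts, shown as an added example that is not code from the issue author or from the NtObjectManager project: a serverless ADSI bind (`LDAP://RootDSE`), which depends on domain discovery, next to a bind pinned to a named domain controller (`LDAP://<server>/RootDSE`), which only needs direct LDAP reachability to that DC. The function names `Get-RootDseInfo` and `Find-DsObjectsOnServer` are hypothetical, `dc01.corp.example` is a placeholder DC name, and the code assumes a Windows host with the .NET `System.DirectoryServices` assembly and network access to the named DC.

```powershell
# Added example (not part of NtObjectManager or of this issue). Compares a
# serverless ADSI bind, which relies on the DC locator / domain discovery,
# with a bind pinned to an explicitly named domain controller.
# Assumption: 'dc01.corp.example' is a placeholder for a reachable DC.

function Get-RootDseInfo {
    [CmdletBinding()]
    param(
        # Optional DC host name or FQDN. When omitted, the bind is serverless
        # (LDAP://RootDSE) and relies on domain discovery, which is the path
        # that fails with 0x8007054B in segmented networks.
        [string]$Server
    )

    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }

    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry($path)
        # Reading a property is what actually performs the bind.
        [pscustomobject]@{
            Path                 = $path
            DnsHostName          = [string]$rootDse.dnsHostName
            DefaultNamingContext = [string]$rootDse.defaultNamingContext
            SchemaNamingContext  = [string]$rootDse.schemaNamingContext
        }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # 0x8007054B (ERROR_NO_SUCH_DOMAIN): discovery failed or the DC is unreachable.
        $hr = '0x{0:X8}' -f $_.Exception.ErrorCode
        Write-Warning "Bind to $path failed with $hr : $($_.Exception.Message)"
        $null
    }
}

function Find-DsObjectsOnServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$SearchBase,   # defaults to the DC's defaultNamingContext
        [string]$Filter = '(objectClass=organizationalUnit)',
        [int]$PageSize = 500
    )

    $info = Get-RootDseInfo -Server $Server
    if (-not $info) { return }
    if (-not $SearchBase) { $SearchBase = $info.DefaultNamingContext }

    # Pinning the server in every ADSI path keeps RootDSE, schema and
    # enumeration traffic on one DC; no serverless LDAP:///... lookup is issued.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass')) | Out-Null

    try {
        foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                # The last objectClass value is the most-derived class.
                ObjectClass       = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            }
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage:
#   Get-RootDseInfo                              # serverless; may fail with 0x8007054B
#   Get-RootDseInfo -Server dc01.corp.example    # pinned to one DC
#   Find-DsObjectsOnServer -Server dc01.corp.example
```

Running `Get-RootDseInfo` with and without `-Server` from a host where DC discovery is blocked reproduces the behaviour the issue describes: the serverless bind fails with 0x8007054B while the pinned bind succeeds, which is the distinction an `-LdapServer` / `-DirectoryServer` style parameter would expose.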
