Last active
September 2, 2025 13:18
-
-
Save zjorz/809fc4b4da5c670ff2ecc324ac4f60ef to your computer and use it in GitHub Desktop.
Bad Successor - ADDING/ENABLING BLOCK v2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # =============================================================================== | |
| # Bad-Successor-ENABLING-BLOCK v2 | |
| # Setting systemOnly For 'CN=ms-DS-Managed-Account-Preceded-By-Link' To **TRUE** | |
| # Setting systemOnly For 'CN=ms-DS-Superseded-Managed-Account-Link' To **TRUE** | |
| # =============================================================================== | |
| # | |
| # SOURCE: https://gist.github.com/zjorz/809fc4b4da5c670ff2ecc324ac4f60ef | |
| # | |
| # WARNING: This Code Can ONLY Be Used When The W2K25 AD Schema Has Been Implemented! There IS NO Check To Validate This! | |
| # WARNING: Membership of Schema Admins Is Required | |
| # WARNING: The Actual Schema Master MUST Be Online And It Must Be Recognized As The Schema Master By Other RWDCs (i.e., "Initial synchronization" Must Have Taken Place And NO Recent Events With ID 2092 Exist About The FSMO Role: CN=Schema,CN=Configuration,DC=<FOREST>,DC=<TLD>) | |
| # WARNING: AD Replication MUST BE In A Healthy State | |
| # | |
| # DISCLAIMER | |
| # - The script is FREEWARE, you are free to distribute/update it, but always refer to the original source(s) as the location where you got it | |
| # - This script is furnished "AS IS". NO warranty is expressed or implied! | |
| # - I HAVE NOT tested it in every scenario or environment | |
| # - ALWAYS TEST FIRST in lab environment to see if it meets your needs! | |
| # - Use this script at YOUR OWN RISK! YOU ARE RESPONSIBLE FOR ANY OUTCOME/RESULT BY USING THIS SCRIPT! | |
| # - I DO NOT warrant this script to be fit for any purpose, use or environment! | |
| # - I have tried to check everything that needed to be checked, but I DO NOT guarantee the script does not have bugs! | |
| # - I DO NOT guarantee the script will not damage or destroy your system(s), environment or anything else due to improper use or bugs! | |
| # - I DO NOT accept liability in any way when making mistakes, use the script wrong or in any other way where damage is caused to your environment/systems! | |
| # - If you do not accept these terms DO NOT use the script in any way and delete it immediately! | |
| Invoke-Command -ScriptBlock { | |
| Clear-Host | |
| $systemOnly = $true | |
| $thisADForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() | |
| $rootDSE = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/RootDSE" | |
| $rootDSE.Put("schemaUpgradeInProgress", 1) | |
| $rootDSE.SetInfo() | |
| $msDSManagedAccountPrecededByLinkDN = "CN=ms-DS-Managed-Account-Preceded-By-Link,$($thisADForest.Schema.Name)" | |
| Write-Host "Reconfiguring '$msDSManagedAccountPrecededByLinkDN'" -ForegroundColor Magenta | |
| Write-Host " > Setting 'systemOnly' To '$($systemOnly.ToString().ToUpper())'" -ForegroundColor Yellow | |
| Write-Host "" | |
| $msDSManagedAccountPrecededByLink = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/$msDSManagedAccountPrecededByLinkDN" | |
| $msDSManagedAccountPrecededByLink.Put("systemOnly", $($systemOnly.ToString().ToUpper())) | |
| $msDSManagedAccountPrecededByLink.SetInfo() | |
| $msDSSupersededManagedAccountLinkDN = "CN=ms-DS-Superseded-Managed-Account-Link,$($thisADForest.Schema.Name)" | |
| Write-Host "Reconfiguring '$msDSSupersededManagedAccountLinkDN'" -ForegroundColor Magenta | |
| Write-Host " > Setting 'systemOnly' To '$($systemOnly.ToString().ToUpper())'" -ForegroundColor Yellow | |
| Write-Host "" | |
| $msDSSupersededManagedAccountLink = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/$msDSSupersededManagedAccountLinkDN" | |
| $msDSSupersededManagedAccountLink.Put("systemOnly", $($systemOnly.ToString().ToUpper())) | |
| $msDSSupersededManagedAccountLink.SetInfo() | |
| $rootDSE = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/RootDSE" | |
| $rootDSE.Put("schemaUpgradeInProgress", 0) | |
| $rootDSE.SetInfo() | |
| Write-Host "Reviewing Configuration Of '$msDSManagedAccountPrecededByLinkDN'" -ForegroundColor Magenta | |
| $msDSManagedAccountPrecededByLink = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/$msDSManagedAccountPrecededByLinkDN" | |
| Write-Host " > 'systemOnly'........: $($msDSManagedAccountPrecededByLink.systemOnly)" -ForegroundColor Yellow | |
| Write-Host "" | |
| Write-Host "Reviewing Configuration Of '$msDSSupersededManagedAccountLinkDN'" -ForegroundColor Magenta | |
| $msDSSupersededManagedAccountLink = [ADSI]"LDAP://$($thisADForest.SchemaRoleOwner.Name)/$msDSSupersededManagedAccountLinkDN" | |
| Write-Host " > 'systemOnly'........: $($msDSSupersededManagedAccountLink.systemOnly)" -ForegroundColor Yellow | |
| Write-Host "" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment