Introduction to Active Directory Property Sets Vulnerabilities
Active Directory is the backbone of identity management in enterprise Windows environments. However, a lesser-known feature potentially exposes your organization to significant security risks: the native ability of users to modify certain attributes of their own account.
Security Risk
By default, any authenticated user can modify more than 70 attributes of their AD account via the "Personal-Information" Property Set. This capability can compromise identity governance and authorization mechanisms based on these attributes.
This default configuration represents a blind spot in AD security, particularly problematic in hybrid architectures with synchronization to Microsoft Entra ID and environments using dynamic groups.
Architecture of Property Sets in Active Directory
Technical Mechanism of Property Sets
Property Sets are logical groupings of AD object attributes. Each attribute can belong to zero or one Property Set, with this membership being defined by the attributeSecurityGUID attribute which corresponds to the rightsGUID of the Property Set.
1# Enumeration of available Property Sets2Get-ADObject -SearchBase "CN=Extended-Rights,CN=Configuration,DC=domain,DC=com" -Filter {objectClass -eq "controlAccessRight"} | Select-Object Name, DisplayName, rightsGuidThe Personal-Information Property Set presents a specific ACE (Access Control Entry) granting write rights to the SELF authority, allowing any authenticated user to modify their own attributes belonging to this grouping.
Analysis of SELF Permissions
1# Verification of SELF permissions on a user2$UserDN = "CN=user,OU=Users,DC=domain,DC=com"3$ACL = Get-ACL "AD:$UserDN"4$ACL.Access | Where-Object {$_.IdentityReference -match "SELF" -and $_.ActiveDirectoryRights -match "WriteProperty"}Exploitation Tools
Users can exploit this functionality through numerous tools: PowerShell, Apache Directory Studio, ADExplorer, or even the integrated Windows tool rundll32.exe dsquery,OpenQueryWindow.
Technical Inventory of Exposed Attributes
PowerShell Enumeration Script
To precisely identify the attributes concerned in your environment:
1function Get-ADPropertySet {2 param(3 [Parameter(Mandatory=$true)]4 [string]$PropertySetName5 )6 7 $ConfigContext = (Get-ADRootDSE).configurationNamingContext8 $PropertySet = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigContext" -Filter {Name -eq $PropertySetName}9 10 if ($PropertySet) {11 $Attributes = Get-ADObject -SearchBase "CN=Schema,$ConfigContext" -Filter {attributeSecurityGUID -eq $PropertySet.rightsGuid} -Properties lDAPDisplayName,attributeSecurityGUID12 return $Attributes | Select-Object lDAPDisplayName, attributeSecurityGUID13 }14}15 16# Usage17Get-ADPropertySet -PropertySetName "Personal-Information"Critical Attributes by AD Version
| AD Version | Number of Attributes | Critical Attributes Added |
|---|---|---|
| 2008 R2 | ~45 | Basic attributes (phone, address) |
| 2012/2012 R2 | ~65 | msDS-cloudExtensionAttribute1-20, msDS-GeoCoordinates* |
| 2016-2025 | ~70 | msDS-ExternalDirectoryObjectId |
| 2016-2025 + Exchange | ~71 | publicDelegates |
The most sensitive attributes include:
- msDS-cloudExtensionAttribute1 to msDS-cloudExtensionAttribute20: Used for hybrid synchronization
- streetAddress, l (city), c (country), st: Geographic information
- physicalDeliveryOfficeName: Physical location
- msDS-ExternalDirectoryObjectId: Entra ID synchronization identifier
Impacts on Identity Governance
Exploitation Scenarios
Reconnaissance of Exchange Dynamic Groups
A malicious user can identify the criteria of dynamic distribution groups:
1Connect-ExchangeOnline2Get-DynamicDistributionGroupMember -Identity "Sensitive-Group" | Get-User | Select-Object DisplayName, City, DepartmentAttribute Modification for Infiltration
After identifying the criteria, the user can modify their attributes to join the group:
1# Via ADSI Edit or PowerShell with standard user rights2Set-ADUser -Identity $env:USERNAME -City "Paris" -Department "Finance"Privilege Escalation
Membership in the dynamic group can grant additional access to sensitive resources.
Reconnaissance via Azure Hound
For hybrid environments, attackers can use Azure Hound to map Entra ID dynamic groups:
1# Enumeration of dynamic groups2./azurehound.exe list -u "user@domain.com" -p "password" -t "tenant.onmicrosoft.com" -o tenant.json3 4# Extraction of membership rules5jq '.data[] | select(.kind == "AZGroup" and .data.membershipRule != null) | .data.displayName, .data.membershipRule' tenant.jsonCritical Impact
This technique enables identification of sensitive group membership criteria without administrative privileges, facilitating privilege escalation attacks.
Technical Mitigation Strategies
Method 1: Restriction of Exchange PowerShell Access
1# Creation of an Exchange PowerShell restriction policy2New-RoleAssignmentPolicy -Name "RestrictedUsers" -IsDefault:$false3Set-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" -Roles @()4 5# Application to non-administrator users6Get-User -Filter {IsInRoles -eq $false} | Set-User -RoleAssignmentPolicy "RestrictedUsers"Method 2: Removal of Attributes from Property Set
Critical Precaution
Modifying the AD schema is irreversible. Absolutely test in a development environment and ensure you have complete backups.
Secure Removal Script
1function Remove-ADAttributeFromPropertySet {2 [CmdletBinding(SupportsShouldProcess, ConfirmImpact='High')]3 param(4 [Parameter(Mandatory=$true)]5 [string[]]$ADProperties,6 [switch]$Simulation7 )8 9 $ConfigContext = (Get-ADRootDSE).configurationNamingContext10 $SchemaContext = (Get-ADRootDSE).schemaNamingContext11 12 foreach ($Property in $ADProperties) {13 try {14 $AttributeObject = Get-ADObject -SearchBase "CN=Schema,$ConfigContext" -Filter {lDAPDisplayName -eq $Property} -Properties attributeSecurityGUID15 16 if ($AttributeObject.attributeSecurityGUID) {17 if ($Simulation) {18 Write-Host "[SIMULATION] Removal of attribute $Property from Property Set" -ForegroundColor Yellow19 } elseif ($PSCmdlet.ShouldProcess($Property, "Removal from Property Set")) {20 Set-ADObject -Identity $AttributeObject.DistinguishedName -Clear attributeSecurityGUID21 Write-Host "Attribute $Property successfully removed from Property Set" -ForegroundColor Green22 }23 } else {24 Write-Warning "Attribute $Property does not belong to any Property Set"25 }26 } catch {27 Write-Error "Error modifying attribute $Property : $($_.Exception.Message)"28 }29 }30}Targeted Removal of Sensitive Attributes
Prior Simulation
1# Test removal without actual modification2$SensitiveAttributes = @(3 "msDS-cloudExtensionAttribute1",4 "msDS-cloudExtensionAttribute2",5 "msDS-cloudExtensionAttribute3",6 "streetAddress",7 "l",8 "physicalDeliveryOfficeName"9)10 11Remove-ADAttributeFromPropertySet -ADProperties $SensitiveAttributes -SimulationApplication of Changes
1# Actual removal after validation2Remove-ADAttributeFromPropertySet -ADProperties $SensitiveAttributes -Confirm:$falsePost-Modification Verification
1# Verification of effectiveness2Get-ADPropertySet -PropertySetName "Personal-Information" | Where-Object {$_.AttributeLDAPDisplayName -in $SensitiveAttributes}Attributes to Preserve
Security Recommendations
Preserve these attributes in the Personal-Information Property Set as their modification by users is functionally justified:
- userCertificate: Required for certificate-based authentication
- msDS-FailedInteractiveLogonCount: System security metadata
- msDS-ExternalDirectoryObjectId: Critical for hybrid synchronization
Monitoring and Detection
Audit of Attribute Modifications
1# Configuration of audit for object modifications2auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable3 4# PowerShell monitoring script5Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5136} | 6Where-Object {$_.Message -match "Personal-Information"} | 7Select-Object TimeCreated, @{Name='User';Expression={($_.Message -split '\r?\n' | Select-String 'Account Name:').ToString().Split(':')[1].Trim()}}, @{Name='Attribute';Expression={($_.Message -split '\r?\n' | Select-String 'Attribute:').ToString().Split(':')[1].Trim()}}Monitoring via Microsoft Sentinel
1// KQL for detection of suspicious modifications2SecurityEvent3| where EventID == 51364| where EventData contains "Personal-Information"5| extend User = extract(@"Account Name:\s*([^\r\n]+)", 1, EventData)6| extend Attribute = extract(@"Attribute:\s*([^\r\n]+)", 1, EventData)7| extend ObjectDN = extract(@"Object DN:\s*([^\r\n]+)", 1, EventData)8| where User !in ("SYSTEM", "NETWORK SERVICE")9| summarize Count = count() by User, Attribute, bin(TimeGenerated, 1h)10| where Count > 10 // Detection thresholdConclusion and Architectural Recommendations
Securing Active Directory Property Sets requires a multi-layered approach combining:
- Complete technical audit of your sensitive attributes
- Targeted removal of critical attributes from the Personal-Information Property Set
- Continuous monitoring of attribute modifications
- Review of dynamic groups based on modifiable attributes
DevSecOps Approach
Integrate these controls into your infrastructure as code pipelines (Terraform, Bicep) to maintain security consistency across environments.
Although poorly documented, this vulnerability represents a significant attack vector in modern hybrid environments. Its proactive mitigation considerably strengthens the security posture of your Microsoft 365 infrastructure.
