GenericAll cleanup depends on the target type and the abuse path used. GenericAll is not one action, so response cannot be one action either. We identify what was changed, restore that object, and then remove the unnecessary Full Control delegation that made the abuse possible.
User Target
If the user password was reset during the lab, restore the lab password or force a new controlled reset.
$Password = ConvertTo-SecureString 'WebService2026!' -AsPlainText -Force
Set-ADAccountPassword -Identity 'svc_web' -Reset -NewPassword $Password
If Shadow Credentials were used, clear the rogue key credential material.
certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200
Review the user object:
Get-ADUser svc_web -Properties servicePrincipalName,msDS-KeyCredentialLink,scriptPath,adminCount,memberOf
Group Target
If a controlled account was added to a group, remove it.
Remove-ADGroupMember -Identity 'TARGET GROUP' -Members 'alice.wright' -Confirm:$false
Get-ADGroupMember -Identity 'TARGET GROUP'
Computer Target
If Shadow Credentials were used against a computer account, clear the rogue key credential material.
certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account 'TARGETCOMPUTER$' -dc-ip 10.10.10.200
If RBCD was written, clear the delegation attribute.
Set-ADComputer -Identity 'TARGETCOMPUTER' -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
Get-ADComputer -Identity 'TARGETCOMPUTER' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,msDS-KeyCredentialLink
OU or GPO Target
If GenericAll was used against an OU or GPO, inspect both the AD object and the downstream effect. The dangerous change may be inherited ACEs, a linked GPO, or modified policy content in SYSVOL.
Get-ADOrganizationalUnit -Identity 'OU=Servers,OU=OOTW Lab,DC=ootw,DC=local' -Properties nTSecurityDescriptor
Get-GPO -All | Where-Object DisplayName -like '*OOTW*'
Review SYSVOL changes from the DC:
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse |
Sort-Object LastWriteTime -Descending |
Select-Object -First 20 FullName,LastWriteTime
Remove Excessive Delegation
If GenericAll was intentionally assigned for the lab, remove it after the exercise. If it was discovered in an environment, treat it as a privilege escalation path and remove the delegation through change control.
dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
Events:
4670 - Permissions on an object were changed
4662 - Operation performed on object
4738 - User account changed
4742 - Computer account changed
4724 - Password reset
4728 / 4732 / 4756 - Group membership change
5136 - Directory object modified
4768 - PKINIT TGT after Shadow Credentials
High-fidelity indicators:
GenericAll granted to a non-admin principal
password reset shortly after a GenericAll edge becomes usable
group membership change performed by a delegated non-owner account
msDS-KeyCredentialLink written to a user or computer
msDS-AllowedToActOnBehalfOfOtherIdentity written to a workstation or server
GPO or SYSVOL content modified after an ACL change
Remediation:
- remove unnecessary GenericAll rights
- avoid broad Full Control delegation to operational groups
- prefer task-specific rights over GenericAll
- monitor sensitive users, groups, computers, OUs, and GPOs for DACL changes
- protect privileged objects from inherited ACL mistakes
- review BloodHound GenericAll edges regularly