Granting DCSync Rights - benlee105/DeliberateVulnADConfig GitHub Wiki

Overview of DCSync rights
  1. Articles online say to look for "DS-Replication-Get-Changes" and "DS-Replication-Get-Changes-All" in BloodHound.

  2. These correlate to "Replicating Directory Changes" and "Replicating Directory Changes All" permissions in AD.

  3. These permissions are used for DCSync! (https://www.alteredsecurity.com/post/a-primer-on-dcsync-attack-and-detection)

Granting DCSync rights
  1. On the AD server, launch Active Directory Users and Computers > right-click your domain > Properties

  2. Click Security > Click Add

  3. Add the user you want to give DCSync rights to, then tick "Replicating Directory Changes" and "Replicating Directory Changes All"
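
To confirm the grant, or to audit any domain for principals that hold these rights, the ACL on the domain root can be read back. The following is an added example, not part of the original wiki: it assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the domain object, and the two GUIDs are the schema's rightsGuid values for the permissions named above.

```powershell
# Added example: list who holds DCSync-capable rights on the domain root.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# rightsGuid values of the two control access rights named above
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allRights = 'All extended rights'

# The ACL edited in the GUI steps is the one on the domain naming context
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

# Keep Allow ACEs that grant an extended right which is either one of the
# two replication rights or unscoped (empty GUID = every extended right)
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
    ($_.ObjectType -eq [Guid]::Empty -or
     $replRights.ContainsKey($_.ObjectType.ToString()))
}

# One row per principal; DCSync needs both rights (or all extended rights)
$aces | Group-Object IdentityReference | ForEach-Object {
    $held = @($_.Group | ForEach-Object {
        if ($_.ObjectType -eq [Guid]::Empty) { $allRights }
        else { $replRights[$_.ObjectType.ToString()] }
    } | Sort-Object -Unique)

    [pscustomobject]@{
        Principal = $_.Name
        Rights    = $held -join ', '
        CanDCSync = ($held -contains $allRights) -or
                    (($held -contains 'DS-Replication-Get-Changes') -and
                     ($held -contains 'DS-Replication-Get-Changes-All'))
    }
} | Sort-Object Principal | Format-Table -AutoSize
```

After the steps above, the user you added should appear with CanDCSync set to True next to the domain's default holders; any other unexpected principal in that list is worth investigating.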
