You know how some system AD attributes cannot be edited even as Domain Admin?
"Error 0x20B1 The attribute cannot be modified because it is owned by the system."
This can be bypassed using the schemaUpgradeInProgress modify operation https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a21db735-6025-4244-9cfe-6ce6582114a8 😉

Log in as Domain or Schema admin
- Use ldp.exe and set the "schemaUpgradeInProgress" operation to 1 using Browse -> Modify
- Now you can clear this protected attribute
- Or set any value
Then stop it by setting "schemaUpgradeInProgress" to 0

⚠️ this is likely unsupported by Microsoft even though this method is advised to clean broken trust objects https://support.microsoft.com/en-us/topic/kb5040758-deleting-a-stale-corrupt-or-orphaned-trust-object-in-active-directory-a4995def-7b43-4f85-86dc-29a0c66323c9
And as described in the doc, this operation is not global: it's only effective in the same LDAP connection. That's why using ldp or LDIFDE helps.
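As an added defensive example (not part of the original thread, and not Microsoft's code): a PowerShell script that lists the schema attributes flagged systemOnly (assumed here to be the attributes behind the 0x20B1 error) and then scans Security event 5136 for modifications to any of them, which is where a toggle-and-modify like the one above would leave a trace. It assumes the ActiveDirectory module, "Audit Directory Service Changes" auditing enabled on the DC with SACLs on the objects of interest, and the function names are my own.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module,
# a DC whose Security log records 5136 (Audit Directory Service Changes) and the
# assumption that 0x20B1 denials correspond to attributeSchema objects with systemOnly=TRUE.
Import-Module ActiveDirectory

function Get-SystemOnlyAttributeNames {
    # Collect the lDAPDisplayName of every schema attribute flagged systemOnly.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(systemOnly=TRUE))' `
        -Properties lDAPDisplayName |
        ForEach-Object { $_.lDAPDisplayName }
}

function Find-SystemOnlyAttributeChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # Case-insensitive lookup set of the protected attribute names.
    $watch = @{}
    Get-SystemOnlyAttributeNames | ForEach-Object { $watch[$_.ToLowerInvariant()] = $true }

    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 5136 carries its fields as <Data Name="..."> elements; flatten them into a table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $attr = $data['AttributeLDAPDisplayName']
            if ($attr -and $watch.ContainsKey($attr.ToLowerInvariant())) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    ObjectDN  = $data['ObjectDN']
                    Attribute = $attr
                    # OperationType %%14674 = value added, %%14675 = value deleted
                    Operation = $data['OperationType']
                    Value     = $data['AttributeValue']
                }
            }
        }
}

Find-SystemOnlyAttributeChanges | Sort-Object Time | Format-Table -AutoSize
```

Legitimate uses such as the KB5040758 trust cleanup will show up here too, so treat hits as something to correlate with change records rather than as alerts on their own.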


@cnotin You can also use Samba, joining a Samba DC and editing the DB with the ldb* tools.
@abartlet hi Andrew, I love what you do 😉
Oh, that’s right, I didn’t think about it. I guess it’s possible through a DCShadow attack which would be similar to