Isolate a DC - Part 6: Raise RID pool

This is Part 6 of a series on Active Directory Forest recovery, in today’s exciting adventure we raise your RID pools by 100k and invalidate the current RID pool.

Raise RID Pools Allocation

Resource Identifiers are handed out whenever you create objects you can assign security to, if you are knee deep in restoration of your forest, you’ll want to make sure you don’t accidentally grant access to something unexpectedly by re-using a list SID.

function raiseRIDPool($amount=100000){
    $domain = get-addomain
    $currentRidPool = get-adobject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -properties rIDAvailablePool | select -expand rIDAvailablePool
    Write-verbose "RidPool is currently $currentRidPool will be raised to $($currentRidPool + $amount)"
    set-adobject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -replace @{ridavailablePool=($currentRidPool + $amount)}
    $Domain = New-Object System.DirectoryServices.DirectoryEntry
    $DomainSid = $Domain.objectSid
    $RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $RootDSE.UsePropertyCache = $false
    Write-Verbose "Invalidating the rid pool for the current domain $($domain.name)"
    $RootDSE.Put("invalidateRidPool", $DomainSid.Value)
    $RootDSE.SetInfo() 
}

raiseRIDPoool

All the other parts of this series are available here

• Part 1: Configure the Network
• Part 2: Reset SYSVOL Sync State
• Part 3: Activate Administrator Account
• Part 4: Reset DSRM Password
• Part 5: Disable Global Catalog
• Part 6: Raise RID Pools
• Part 7: Seize all FSMO roles
• Part 8: Metadata cleanup all other DCs
• Part 9: Reset Intra-Forest trust passwords
• Part 10: Reset KrbTGT password twice