@martinsohn martinsohn commented Oct 15, 2025

Improve SharpHound permissions documentation structure and cross-referencing
Restructured the SharpHound data collection permissions documentation to better connect the high-level permissions overview with detailed least-privileged collection configurations.

Key changes to permissions.mdx:

  • Added prominent note linking to least-privileged collection article
  • Standardized all sections with consistent "Collection Method", "Default Permissions", "Least-Privileged Option", and "Additional Data Source" headings
  • Enhanced User Rights Assignments section to explain URAs and reference CanRDP edge
  • Added security warning about Print Operators requiring User Rights Assignments removal
  • Improved introduction to emphasize importance of collecting all data types
  • Restructured Deleted Objects Container as "Additional Data Source" with proper cross-references
  • Standardized registry key formatting with consistent backticks and double backslashes
  • Improved cross-references throughout to guide users to detailed configuration steps

Key changes to least-privileged-collection.mdx:

  • Added detailed Deleted Objects container information with DN paths (moved from the permissions.mdx)
  • Added subheadings for better organization (Restricted Read Permissions, Deleted Objects Container)
  • Added link to CanRDP edge documentation in User Rights Assignments section
  • Restructured Registry section with configuration methods explained upfront
  • Added clear subheadings: CA Registry, DC Registry, NTLM Relay Registry Paths

Key changes to privileged-collection.mdx:

  • Added "registry" to list of privileged collection data types
  • Added cross-references to both permissions.mdx and least-privileged-collection.mdx

The documentation now provides a clearer division:

  • privileged-collection.mdx: Explains why privileged collection matters
  • permissions.mdx: User-friendly guidance on data types and high-level permission requirements
  • least-privileged-collection.mdx: Detailed technical configurations for implementing least-privileged collection

Fixed some 404 links that I found across the docs.

This touches the same file (permissions.mdx) as #58 by @JonasBK, which is in draft, so it will end up conflicting. I suggest merging this PR first, as it's a much larger change to the docs, and then handling the small conflict once the other PR is ready to be merged.

Summary by CodeRabbit

  • Documentation
    • Clarified permissions and collection pages with explicit Collection Method, Default/Required Permissions, and Least-Privileged Options.
    • Expanded least-privileged guidance, registry-access delegation options, and added restricted-read guidance and role-specific registry path guidance.
    • Noted registry data in privileged collection and linked related collection guidance.
    • Fixed code-fence language to PowerShell, corrected multiple internal/external reference links, and fixed an "API key" typo.

coderabbitai bot commented Oct 15, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between 63f3c36 and f426631.

📒 Files selected for processing (1)
  • docs/opengraph/best-practices.mdx (2 hunks)
Walkthrough

Documentation-only updates across many guidance pages: normalized internal links (removed .mdx extensions, added trailing slashes), updated reference URLs (MITRE, external articles), restructured and expanded least-privileged/permissions guidance (registry, AD CS, DC specifics), and changed two code-fence languages to powershell. No runtime/code changes.

Changes

Cohort / File(s) | Summary of Changes

Permissions & Least-Privileged Restructure
  Files: docs/collect-data/permissions.mdx, docs/collect-data/enterprise-collection/least-privileged-collection.mdx, docs/collect-data/enterprise-collection/privileged-collection.mdx
  Summary: Reorganized sections with explicit "Collection Method"/"Default/Required Permissions"/"Least-Privileged Option" fields; added registry path guidance (CA/DC/NTLM relay), Restricted Read Permissions, optional Deleted Objects container, and updated wording/inline code formatting across sections.

Code Block Language Update
  Files: docs/collect-data/enterprise-collection/data-retention.mdx
  Summary: Changed two code-fence language tags from json to powershell in the Active Directory recycle bin section; commands unchanged.

gMSA & OpenGraph Link Normalization
  Files: docs/collect-data/ce-collection/create-gmsa-community-edition.mdx, docs/install-data-collector/install-sharphound/create-gmsa.mdx, docs/opengraph/best-practices.mdx
  Summary: Normalized internal links (removed .mdx extensions), fixed typo "AP key" → "API key", and adjusted bearer-token anchor slug/links.

Edge Reference Link Adjustments
  Files: docs/resources/edges/adcs-esc10a.mdx, docs/resources/edges/adcs-esc10b.mdx, docs/resources/edges/adcs-esc9a.mdx, docs/resources/edges/adcs-esc9b.mdx, docs/resources/edges/admin-to.mdx, docs/resources/edges/execute-dcom.mdx, docs/resources/edges/has-session.mdx, docs/resources/edges/has-trust-keys.mdx
  Summary: Updated reference URLs: added trailing slashes to Set-DomainObject links, replaced MITRE technique/tactic links with new slugs, and corrected an external article URL. No behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

documentation

Suggested reviewers

  • jeff-matthews
  • Scoubi
  • StephenHinck

Poem

I nibble links and tidy trails,
.mdx falls off my bunny scales.
I hop through registries, tidy rights,
MITRE stars guide gentle nights.
A twitch, a thump — docs neat and bright. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title Check | Passed | The title clearly summarizes the primary change in this pull request by describing the improvement of SharpHound permissions documentation structure and cross-referencing, which aligns directly with the extensive reorganization and link updates across the changed files. It is concise and specific, using imperative phrasing without unrelated details. A teammate scanning the history will immediately understand that the focus is on enhancing documentation structure and internal linking for SharpHound permissions.
Docstring Coverage | Passed | No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
docs/opengraph/best-practices.mdx (2)

53-53: Typo: “AP key” → “API key”

Apply this diff:

-        - Requires an [AP key](/integrations/bloodhound-api/working-with-api#authentication)
+        - Requires an [API key](/integrations/bloodhound-api/working-with-api#authentication)

61-61: Fix broken anchor in docs/opengraph/best-practices.mdx

- You can use a [Bearer Token](/integrations/bloodhound-api/working-with-api#use-a-jwt%2Fbearer-token) instead of API key as this script will typically run only once.
+ You can use a [Bearer Token](/integrations/bloodhound-api/working-with-api#use-a-jwt-bearer-token) instead of API key as this script will typically run only once.
docs/collect-data/enterprise-collection/privileged-collection.mdx (1)

16-16: Fix contraction.

“lets” → “let’s”.

- Based on this view, the tree of Attack Paths on the left would present the greatest risk to this environment, now lets collect Local Group membership information from the domain:
+ Based on this view, the tree of Attack Paths on the left would present the greatest risk to this environment; now let's collect Local Group membership information from the domain:
🧹 Nitpick comments (8)
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (2)

26-29: Use “Distinguished Name (DN)” in prose.

Improve readability by spacing “DistinguishedName.”

-* Domain NC Deleted Objects DistinguishedName (DN): `CN=Deleted Objects,<Domain DN>`
-* Configuration NC Deleted Objects DistinguishedName (DN): `CN=Deleted Objects,CN=Configuration,<Forest root domain DN>`
+* Domain NC Deleted Objects Distinguished Name (DN): `CN=Deleted Objects,<Domain DN>`
+* Configuration NC Deleted Objects Distinguished Name (DN): `CN=Deleted Objects,CN=Configuration,<forest root domain DN>`
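Review bot: the second `+` line also changes the placeholder `<Forest root domain DN>` to `<forest root domain DN>`, a casing change that the comment ("spacing DistinguishedName") does not mention; either keep the original casing so it matches the `<Domain DN>` placeholder on the line above, or state the casing change in the comment so the author knows it is intentional.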

89-94: Call out Remote Registry service requirement.

Readers may miss that exceptions only work if the Remote Registry service is running.

 By default, only Administrators may read the registry remotely. There are two methods to delegate remote registry access for least-privileged collection:
+
+<Note>The Remote Registry service must be running on target hosts for either method to work.</Note>
docs/collect-data/permissions.mdx (3)

17-25: Add NTLM Relay registry paths for discoverability.

Mention NTLM relay registry paths alongside DC/CA registry to align with least‑priv doc.

 * [Certificate Services](/collect-data/permissions#certificate-services)
 * [DC Registry](/collect-data/permissions#dc-registry)
 * [CA Registry](/collect-data/permissions#ca-registry)
+* [NTLM Relay Registry Paths](/collect-data/enterprise-collection/least-privileged-collection#ntlm-relay-registry-paths)
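Review bot: the added bullet links to a different page (`/collect-data/enterprise-collection/least-privileged-collection#ntlm-relay-registry-paths`) while the three sibling bullets are anchors on `/collect-data/permissions`; if this list is the section index of permissions.mdx, a cross-page entry breaks that pattern. Either add an NTLM relay registry section to permissions.mdx and link its anchor, or word the bullet so the reader sees it leaves the page, e.g. `* NTLM Relay Registry Paths: see [Least-Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection#ntlm-relay-registry-paths)`.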

72-72: Tighten wording.

“prior to” → “before”.

-... edge, whereas prior to SharpHound Common v3, BloodHound made assumptions ...
+... edge, whereas before SharpHound Common v3, BloodHound made assumptions ...

145-145: Minor grammar.

Add article for clarity.

-... see [Least-Privileged Collection - CA Registry](/collect-data/enterprise-collection/least-privileged-collection#ca-registry) for explanation of why this is accessible.
+... see [Least‑Privileged Collection – CA Registry](/collect-data/enterprise-collection/least-privileged-collection#ca-registry) for an explanation of why this is accessible.
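Review bot: besides adding "an", the `+` line replaces the ASCII hyphen in `Least-Privileged` with a non-breaking hyphen (U+2011) and the ` - ` separator with an en dash; that diverges from the `Least-Privileged Collection - ...` link text used elsewhere in this file (see the LanguageTool context for line 98 below) and is easy to miss in review. Apply only the article change: `for an explanation of why this is accessible.`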
docs/resources/edges/execute-dcom.mdx (1)

55-55: MITRE mapping LGTM; consider adding TA0008 for consistency.

T1021.003 fits DCOM. Optionally add a tactic link to TA0008 in References to align with other edges.

docs/resources/edges/admin-to.mdx (1)

51-51: Use trailing slash for consistency.

Change to https://attack.mitre.org/tactics/TA0008/ to match other MITRE links’ style in the repo.

docs/resources/edges/has-session.mdx (1)

45-50: Standardize MITRE link formatting.

Add trailing slash to TA0006 to align with T1134 and other pages: https://attack.mitre.org/tactics/TA0006/

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b8f333f and e19753f.

📒 Files selected for processing (15)
  • docs/collect-data/ce-collection/create-gmsa-community-edition.mdx (1 hunks)
  • docs/collect-data/enterprise-collection/data-retention.mdx (1 hunks)
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx (3 hunks)
  • docs/collect-data/enterprise-collection/privileged-collection.mdx (2 hunks)
  • docs/collect-data/permissions.mdx (4 hunks)
  • docs/install-data-collector/install-sharphound/create-gmsa.mdx (1 hunks)
  • docs/opengraph/best-practices.mdx (1 hunks)
  • docs/resources/edges/adcs-esc10a.mdx (1 hunks)
  • docs/resources/edges/adcs-esc10b.mdx (1 hunks)
  • docs/resources/edges/adcs-esc9a.mdx (1 hunks)
  • docs/resources/edges/adcs-esc9b.mdx (1 hunks)
  • docs/resources/edges/admin-to.mdx (1 hunks)
  • docs/resources/edges/execute-dcom.mdx (1 hunks)
  • docs/resources/edges/has-session.mdx (1 hunks)
  • docs/resources/edges/has-trust-keys.mdx (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-08T15:57:55.743Z
Learnt from: StephenHinck
PR: SpecterOps/bloodhound-docs#42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

  • docs/collect-data/permissions.mdx
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx
🪛 LanguageTool
docs/collect-data/permissions.mdx

[style] ~72-~72: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: .../resources/edges/can-rdp) edge, whereas prior to SharpHound Common v3, BloodHound made a...

(EN_WORDINESS_PREMIUM_PRIOR_TO)


[grammar] ~92-~92: There might be a mistake here.
Context: ...s function. Least-Privileged Options: * On Windows Server operating systems, mem...

(QB_NEW_EN)


[style] ~98-~98: Try moving the adverb to make the sentence clearer.
Context: ...nfiguration instructions, including how to safely configure Print Operators, see [Least-Privileged Collection - Ses...

(SPLIT_INFINITIVE)


[grammar] ~133-~133: There might be a mistake here.
Context: ... restrictions are configured by default. * Security Contains the security des...

(QB_NEW_EN)


[grammar] ~145-~145: There might be a mistake here.
Context: ...east-privileged-collection#ca-registry) for explanation of why this is accessible. ...

(QB_NEW_EN)

docs/collect-data/enterprise-collection/privileged-collection.mdx

[grammar] ~30-~30: There might be a mistake here.
Context: ...ng this data via least-privilege access.

(QB_NEW_EN)

docs/resources/edges/has-session.mdx

[grammar] ~49-~49: There might be a mistake here.
Context: ...xfiltration/Invoke-TokenManipulation.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1) * [https://attack.mitre.org/techniques/T113...

(QB_NEW_EN)

docs/resources/edges/has-trust-keys.mdx

[grammar] ~68-~68: There might be a mistake here.
Context: ...alculating Kerberos Keys for AD Accounts](https://snovvcra.sh/2021/05/21/calculating-kerberos-keys.html)

(QB_NEW_EN)

docs/collect-data/enterprise-collection/least-privileged-collection.mdx

[grammar] ~26-~26: There might be a mistake here.
Context: ...Deleted Objects container locations are: * Domain NC Deleted Objects DistinguishedN...

(QB_NEW_EN)


[grammar] ~27-~27: There might be a mistake here.
Context: ...Deleted Objects DistinguishedName (DN): CN=Deleted Objects,<Domain DN> * Configuration NC Deleted Objects Disting...

(QB_NEW_EN)

🔇 Additional comments (8)
docs/collect-data/ce-collection/create-gmsa-community-edition.mdx (1)

32-32: Good link update to extensionless path.
Matches routing style; omit trailing slash unless site config requires it to avoid extra redirects.

docs/install-data-collector/install-sharphound/create-gmsa.mdx (1)

11-11: Link normalization confirmed: No .mdx links remain; /collect-data/ce-collection/create-gmsa-community-edition exists, and with default trailingSlash: false, extensionless URLs resolve correctly without trailing slashes.

docs/opengraph/best-practices.mdx (1)

11-11: Approve internal doc link
docs/opengraph/library.mdx exists; omitting .mdx is consistent with existing links.

docs/collect-data/enterprise-collection/data-retention.mdx (1)

48-51: Code fence language is correct.

PowerShell fences match the commands. LGTM.

Also applies to: 54-58

docs/resources/edges/adcs-esc10a.mdx (1)

196-196: URL normalization LGTM.

Trailing slash addition matches the repo’s convention.

docs/resources/edges/adcs-esc10b.mdx (1)

202-202: URL normalization LGTM.

Consistent with related edge docs.

docs/resources/edges/adcs-esc9a.mdx (1)

169-169: URL normalization LGTM.

Matches the updated convention elsewhere in the PR.

docs/resources/edges/adcs-esc9b.mdx (1)

186-186: URL normalization LGTM.

Consistent with related updates.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
docs/collect-data/enterprise-collection/privileged-collection.mdx (1)

30-30: Fix the permissions link path (404) and add the missing comma.

Everywhere else in the docs (including earlier in this file) the permissions page lives at /collect-data/permissions. Pointing this sentence at /docs/collect-data/permissions generates a 404 in production. While you’re here, add the comma after the introductory clause for readability.

-For details on what data types can be collected see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions) and [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.
+For details on what data types can be collected, see [SharpHound Data Collection and Permissions](/collect-data/permissions) and [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e19753f and dc34c7d.

📒 Files selected for processing (4)
  • docs/collect-data/enterprise-collection/privileged-collection.mdx (2 hunks)
  • docs/collect-data/permissions.mdx (4 hunks)
  • docs/opengraph/best-practices.mdx (2 hunks)
  • docs/resources/edges/has-trust-keys.mdx (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-08T15:57:55.743Z
Learnt from: StephenHinck
PR: SpecterOps/bloodhound-docs#42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

  • docs/collect-data/permissions.mdx
🪛 LanguageTool
docs/collect-data/permissions.mdx

[style] ~72-~72: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: .../resources/edges/can-rdp) edge, whereas prior to SharpHound Common v3, BloodHound made a...

(EN_WORDINESS_PREMIUM_PRIOR_TO)


[grammar] ~92-~92: There might be a mistake here.
Context: ...s function. Least-Privileged Options: * On Windows Server operating systems, mem...

(QB_NEW_EN)


[style] ~98-~98: Try moving the adverb to make the sentence clearer.
Context: ...nfiguration instructions, including how to safely configure Print Operators, see [Least-Privileged Collection - Ses...

(SPLIT_INFINITIVE)


[grammar] ~133-~133: There might be a mistake here.
Context: ... restrictions are configured by default. * Security Contains the security des...

(QB_NEW_EN)

docs/resources/edges/has-trust-keys.mdx

[grammar] ~68-~68: There might be a mistake here.
Context: ...alculating Kerberos Keys for AD Accounts](https://snovvcra.sh/2021/05/21/calculating-kerberos-keys.html)

(QB_NEW_EN)

docs/opengraph/best-practices.mdx

[grammar] ~55-~55: There might be a mistake here.
Context: ...ation) 1. Cypher Queries "Starter Pack" - Cypher Queries to help new users explore...

(QB_NEW_EN)


[grammar] ~61-~61: There might be a mistake here.
Context: ...ith-api#use-a-jwt-bearer-token) instead of API key as this script will typically r...

(QB_NEW_EN)


[grammar] ~61-~61: There might be a mistake here.
Context: ...his script will typically run only once. - Do not hardcode credentials; use place h...

(QB_NEW_EN)

docs/collect-data/enterprise-collection/privileged-collection.mdx

[grammar] ~30-~30: There might be a mistake here.
Context: ...ng this data via least-privilege access.

(QB_NEW_EN)

🔇 Additional comments (1)
docs/resources/edges/has-trust-keys.mdx (1)

30-30: Canonical URL aligned.

Thanks for updating both references to the snovvcra.sh endpoint—the canonical article is now linked consistently throughout the page.

Also applies to: 68-68

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dc34c7d and 0b2c217.

📒 Files selected for processing (1)
  • docs/opengraph/best-practices.mdx (2 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/opengraph/best-practices.mdx

[grammar] ~55-~55: There might be a mistake here.
Context: ...ation) 1. Cypher Queries "Starter Pack" - Cypher Queries to help new users explore...

(QB_NEW_EN)


[grammar] ~61-~61: There might be a mistake here.
Context: ...ith-api#use-a-jwt-bearer-token) instead of API key as this script will typically r...

(QB_NEW_EN)


[grammar] ~61-~61: There might be a mistake here.
Context: ...his script will typically run only once. - Do not hardcode credentials; use place h...

(QB_NEW_EN)

@jeff-matthews jeff-matthews left a comment

Thank you for the contribution @martinsohn! I did an editorial review and suggested some minor edits.

@StephenHinck, deferring to you on final approval to merge.

By default, only Administrators may read the registry remotely. There are two methods to delegate remote registry access for least-privileged collection:

By default, only Administrators may read the registry remotely on domain controllers. A similar exception can be created on DCs by adding the required DC registry paths to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths` using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths). This will create an exception to the Remote Registry named pipe on the DC allowing Authenticated Users to read those exact key paths, as long as the user also is granted permissions on the registry key DACL as well.
1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry keys.

Suggested change
1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry keys.
1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Permissions on individual registry keys still govern effective access.

1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry keys.

The registry paths for NTLM relay edges are also only accessible remotely by Administrators by default. Group Policy can be utilized to create AllowedExactPaths exceptions for these specific paths as well. This will grant Authenticated Users the ability to connect to the Remote Registry named pipe at those specific registry paths.
2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Effective access is still governed via permissions configured on individual registry keys.

Suggested change
2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Effective access is still governed via permissions configured on individual registry keys.
2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Permissions on individual registry keys still govern effective access.
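Both delegation methods above share the point the reviewers keep restating: a winreg AllowedExactPaths/AllowedPaths entry only opens the Remote Registry named pipe to a path, and the DACL on the key still decides whether anything is readable. The following PowerShell is an added example (not code from the bloodhound-docs PR or from SpecterOps) that lists a host's winreg exceptions and classifies the DACL on each listed key; the function names and the set of "broad" principals are my own choices, and it runs locally (or inside Invoke-Command) because Get-Acl does not accept a remote registry path.

```powershell
# Added example, not part of the bloodhound-docs PR: audit what a host exposes
# through the Remote Registry named pipe and whether the key DACLs back it up.
# Run in an elevated session on the DC or CA being audited, or wrap the final
# call in Invoke-Command for remote hosts.

$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Principals whose Allow ACE on a key means "effectively everyone" can read it.
# Nested group membership is not resolved here (assumption: first-pass indicator).
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

function Get-WinregPipeExceptions {
    # Both GPO-backed lists live under a subkey of winreg as a REG_MULTI_SZ value
    # named "Machine". AllowedExactPaths matches only the listed key;
    # AllowedPaths also matches its subkeys.
    foreach ($listName in 'AllowedExactPaths', 'AllowedPaths') {
        $listKey = Join-Path $winreg $listName
        if (-not (Test-Path -LiteralPath $listKey)) { continue }
        $entries = (Get-ItemProperty -LiteralPath $listKey -Name Machine -ErrorAction SilentlyContinue).Machine
        foreach ($entry in @($entries)) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            [pscustomobject]@{ List = $listName; Path = $entry }
        }
    }
}

function Test-BroadReadAccess {
    # Classify the DACL of an HKLM-relative key path as written in the exception list.
    param([Parameter(Mandatory)][string]$RelativePath)

    $key = 'HKLM:\' + $RelativePath.TrimStart('\')
    if (-not (Test-Path -LiteralPath $key)) { return 'KeyMissing' }

    # KEY_READ = QueryValues | EnumerateSubKeys | Notify | ReadPermissions
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $allowed = $false
    $denied  = $false
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $grantsFullRead = (($ace.RegistryRights -band $readKey) -eq $readKey)
        $touchesRead    = (($ace.RegistryRights -band $readKey) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsFullRead) { $allowed = $true }
        if ($ace.AccessControlType -eq 'Deny'  -and $touchesRead)    { $denied  = $true }
    }
    # A Deny ACE wins over Allow, mirroring how the DACL is evaluated.
    if ($denied)  { return 'BroadReadDenied' }
    if ($allowed) { return 'BroadReadAllowed' }
    return 'NoBroadGrant'   # pipe exception exists, but the key itself is not broadly readable
}

function Get-RemoteRegistryExposureReport {
    # Neither method works unless the Remote Registry service can start.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'NotInstalled' }

    foreach ($exception in Get-WinregPipeExceptions) {
        [pscustomobject]@{
            Service = $svcState
            List    = $exception.List
            Path    = $exception.Path
            KeyDacl = Test-BroadReadAccess -RelativePath $exception.Path
        }
    }
}

Get-RemoteRegistryExposureReport | Format-Table -AutoSize
```

A row reading `BroadReadAllowed` on a path you did not add for SharpHound is the thing to investigate; `NoBroadGrant` rows are where a least-privileged collector will still fail despite the GPO exception.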


### NTLM Relay Registry Paths

The registry paths for NTLM relay edges are located on all Windows hosts and are only accessible remotely by Administrators by default. Group Policy can be utilized to create AllowedExactPaths exceptions for these specific paths using the same method described above.

Suggested change
The registry paths for NTLM relay edges are located on all Windows hosts and are only accessible remotely by Administrators by default. Group Policy can be utilized to create AllowedExactPaths exceptions for these specific paths using the same method described above.
Registry paths for NTLM relay edges exist on all Windows hosts. By default, only Administrators can access these paths remotely. To enable least-privileged collection, use Group Policy to add these specific paths to AllowedExactPaths. This grants Authenticated Users remote read access, following the same method described above.
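Review bot: the suggested wording "This grants Authenticated Users remote read access" overstates what an AllowedExactPaths entry does; per the first method described above, the exception only allows Authenticated Users to connect to the Remote Registry named pipe at those paths, and effective access is still governed by the permissions on each key. Suggest: "This allows Authenticated Users to reach these paths through the Remote Registry named pipe; permissions on the keys themselves still govern read access."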

</Frame>

See [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.
For details on what data types can be collected see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions) and [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.

Suggested change
For details on what data types can be collected see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions) and [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.
For details on what data types can be collected, see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions) and [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) for information on collecting this data via least-privilege access.
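Review bot: the suggested line keeps the `/docs/collect-data/permissions` href that the earlier CodeRabbit comment on this same line flagged as a 404; every other permissions link on this page (e.g. `[CA Registry](/collect-data/permissions#ca-registry)` in the next context block) omits the `/docs` prefix. Accepting this suggestion as written fixes the comma but leaves the broken link; the target should be `/collect-data/permissions`.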

* [CA Registry](/collect-data/permissions#ca-registry)

Local Groups and Sessions can only be collected from domain-joined Windows systems, and require privileged collection to be configured, see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection). This collection helps understand Attack Paths to individual systems based on non-centralized configurations.
It is important to have as much visibility as possible, so collecting all data types is recommended. Local Group Memberships and Sessions are especially important as they enable understanding Attack Paths to individual systems based on non-centralized configurations. See [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).
Contributor

Suggested change
It is important to have as much visibility as possible, so collecting all data types is recommended. Local Group Memberships and Sessions are especially important as they enable understanding Attack Paths to individual systems based on non-centralized configurations. See [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).
SpecterOps recommends collecting all data types because it provides maximum visibility into your environment. Local Group Memberships and Sessions are especially important, as they reveal Attack Paths to individual systems based on non-centralized configurations. See [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).

## User Rights Assignments

Prior to SharpHound Common v3, BloodHound made assumptions about group membership and Attack Paths. For example, BloodHound would assume that membership in the Remote Desktop Users group on its own gives users the ability to utilize Remote Desktop to access a system. The reality of necessary permissions is more complex, and understanding that access requires analysis of User Rights Assignments within Windows.
User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge, whereas prior to SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the Remote Desktop Users group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the Remote Desktop Users group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.
Contributor

Suggested change
User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge, whereas prior to SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the Remote Desktop Users group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the Remote Desktop Users group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.
User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge. Before SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the Remote Desktop Users group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the Remote Desktop Users group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.

Contributor

@Scoubi Scoubi left a comment


I left a few comments on style and a few typos.

Permissions to read the Deleted Objects container (optional) may be delegated to a group and the SharpHound collector service account made a member of that group.
### Deleted Objects Container (Optional)

SharpHound can read the contents of the Deleted Objects container (also known as the AD Recycle Bin). Collecting deleted objects affects data retention behavior in BloodHound Enterprise—see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details on how this impacts retention periods.
Contributor

I think it should read "SharpHound can read the content of"
No s for content

Also, "Enterprise—see" should probably be "Enterprise. See"

SharpHound collects registry data for both certificate services and NTLM relay edges. The certificate services registry paths are on certificate authorities and domain controllers. NTLM relay paths are located on all Windows hosts.

When the AD CS role is installed in Windows, the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc` registry path is added to the `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths`. This creates a remote registry exception that allows Authenticated Users to query any keys and subkeys in this path, as long as they also are granted rights to read the key.
By default, only Administrators may read the registry remotely. There are two methods to delegate remote registry access for least-privileged collection:
Contributor

We might want to change for Administrators to emphasize that it's a group or add "group" specifically.

By default, only Administrators may read the registry remotely. There are two methods to delegate remote registry access for least-privileged collection:

By default, only Administrators may read the registry remotely on domain controllers. A similar exception can be created on DCs by adding the required DC registry paths to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths` using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths). This will create an exception to the Remote Registry named pipe on the DC allowing Authenticated Users to read those exact key paths, as long as the user also is granted permissions on the registry key DACL as well.
1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry keys.
Contributor

Should be "individual registry key" (no s)

1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow Authenticated Users to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry keys.

The registry paths for NTLM relay edges are also only accessible remotely by Administrators by default. Group Policy can be utilized to create AllowedExactPaths exceptions for these specific paths as well. This will grant Authenticated Users the ability to connect to the Remote Registry named pipe at those specific registry paths.
2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Effective access is still governed via permissions configured on individual registry keys.
Contributor

Change for "registry key"

Alternatively, if creating exceptions via `AllowedExactPaths` or `AllowedPaths` is not acceptable in your organization, it is also possible to modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals to connect to the named pipe with read permissions to the entire registry collection. Effective access is still governed via permissions configured on individual registry keys.
### CA Registry

When the AD CS role is installed in Windows, the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc` registry path is automatically added to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths`. This creates a remote registry exception that allows Authenticated Users to query any keys and subkeys in this path, as long as they also are granted rights to read the key. Therefore, CA registry data is accessible to Authenticated Users by default when AD CS is installed.
Contributor

I would change for Authenticated Users to make it obvious it's a group.
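An added example (not from the PR or the SharpHound docs) that checks the three layers the registry text above describes, on the local host, with PowerShell: the `winreg` key DACL that gates the Remote Registry pipe, the `AllowedPaths` / `AllowedExactPaths` exceptions, and the target key's own DACL. It assumes an elevated session on the host being audited; the function names and `$SamplePaths` are constructed for this example.

```powershell
# Added example, not from the PR or the SharpHound documentation.
# Audits whether a registry path is reachable through Remote Registry by non-administrators:
#   (1) the winreg key DACL decides who may open the Remote Registry pipe at all,
#   (2) AllowedExactPaths / AllowedPaths exceptions let Authenticated Users reach specific paths,
#   (3) the key's own DACL still governs effective read access.
# Assumptions: run elevated on the host being audited; $SamplePaths is a constructed list.

$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

function Get-WinregAllowList {
    param([Parameter(Mandatory)][ValidateSet('AllowedPaths', 'AllowedExactPaths')][string]$Kind)
    # The GPO setting "Network access: Remotely accessible registry paths" writes a
    # REG_MULTI_SZ value named Machine under each subkey; entries are relative to HKLM.
    $item = Get-ItemProperty -Path (Join-Path $WinregKey $Kind) -Name Machine -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.Machine | Where-Object { $_ })
}

function Test-WinregException {
    param([Parameter(Mandatory)][string]$RelativePath)
    $exact = Get-WinregAllowList -Kind AllowedExactPaths | Where-Object { $_ -ieq $RelativePath }
    # AllowedPaths entries cover the listed key and every subkey beneath it.
    $prefix = Get-WinregAllowList -Kind AllowedPaths | Where-Object {
        $RelativePath -ieq $_ -or
        $RelativePath.StartsWith("$_\", [System.StringComparison]::OrdinalIgnoreCase)
    }
    if ($exact)  { return "AllowedExactPaths ($($exact | Select-Object -First 1))" }
    if ($prefix) { return "AllowedPaths ($($prefix | Select-Object -First 1))" }
    return $null   # no exception: only principals allowed on the winreg key itself get through
}

function Test-KeyReadableBy {
    param([Parameter(Mandatory)][string]$RelativePath,
          [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "HKLM:\$RelativePath" -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    # Direct ACE check only: group nesting and Deny ACEs are not resolved here, so treat
    # $true as "worth confirming", not as a full effective-access calculation.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference -eq $Sid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $readKey) -eq $readKey)) { return $true }
    }
    return $false
}

function Get-RemoteRegistryReachability {
    param([Parameter(Mandatory)][string[]]$RelativePath)
    foreach ($p in $RelativePath) {
        [pscustomobject]@{
            Path               = $p
            WinregException    = Test-WinregException -RelativePath $p
            AuthUsersReadOnKey = Test-KeyReadableBy -RelativePath $p -Sid $AuthenticatedUsers
        }
    }
}

# Layer 1: who may open the Remote Registry pipe at all (Administrators by default).
Write-Output "winreg key DACL (controls who can open the Remote Registry pipe):"
(Get-Acl -Path $WinregKey).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

# Constructed sample: the CertSvc path discussed above (added to AllowedPaths when AD CS is
# installed) and ProductOptions, a Windows default AllowedExactPaths entry, to show an exact match.
$SamplePaths = @(
    'SYSTEM\CurrentControlSet\Services\CertSvc',
    'SYSTEM\CurrentControlSet\Control\ProductOptions'
)
Get-RemoteRegistryReachability -RelativePath $SamplePaths | Format-Table -AutoSize
```

A row with an empty `WinregException` means a least-privileged collector cannot reach that path through the pipe regardless of the key's DACL, which is the case the AllowedExactPaths GPO exception or the winreg DACL change above is meant to fix.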

**Required Permissions:** Only Local Administrators may call the LsaOpenPolicy function.

Collecting information about User Rights Assignments requires analyzing LSA Policy on each domain-joined system utilizing the LsaOpenPolicy function. Only Local Administrators may call the LsaOpenPolicy function.
**Least-Privileged Option:** There is no known way to delegate this permission for least-privileged collection. See [Least-Privileged Collection - User Rights Assignments](/collect-data/enterprise-collection/least-privileged-collection#user-rights-assignments) for more details on the implications.
Contributor

"There is no known way to" this sounds weird.
I think we should rephrase, but I don't have a good suggestion for you.

Contributor Author

"There is currently no known method to delegate this permission for least-privileged collection"

* On Windows Server operating systems, members of the local Print Operators group may also collect session data
* Windows desktop operating systems do not have a local Print Operators group and require alternate approaches

<Warning>When using Print Operators for collection, you should remove dangerous default User Rights Assignments (SeInteractiveLogonRight, SeLoadDriverPrivilege, SeShutdownPrivilege) from this group to prevent privilege escalation on DCs.</Warning>
Contributor

We could consider using backticks for all the rights throughout the PR.

**Collection Method:** SharpHound collects this information utilizing signed LDAP queries against a domain controller in the domain.

By default, any Authenticated User can enumerate almost all Certificate Services data utilized by BloodHound Enterprise.
**Default Permissions:** By default, any Authenticated User can enumerate almost all Certificate Services data utilized by BloodHound Enterprise.
Contributor

Use Authenticated Users

Collecting these registry key values requires membership of Administrators on the DCs by default. Least-privilege delegation is possible via Group Policy or registry modifications.
**Collection Method:** SharpHound collects these registry key values via remote registry access.

**Default Permissions:** Collecting these registry key values requires membership of Administrators on the DCs by default.
Contributor

use Administrators

# Introduction

This page collects best practices for creating [graph extensions](./library.mdx) and tooling for OpenGraph.
This page collects best practices for creating [graph extensions](./library) and tooling for OpenGraph.
Contributor

I think we should capitalize Graph Extensions

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (3)
docs/opengraph/best-practices.mdx (1)

61-61: Add the missing article before “API key”.

The sentence still reads “instead of API key.” Please update it to “instead of an API key” for correct grammar.

-        - You can use a [Bearer Token](/integrations/bloodhound-api/working-with-api#use-a-jwt-bearer-token) instead of API key as this script will typically run only once.
+        - You can use a [Bearer Token](/integrations/bloodhound-api/working-with-api#use-a-jwt-bearer-token) instead of an API key as this script will typically run only once.
docs/collect-data/permissions.mdx (1)

26-26: Prefer “visibility” and tighten wording.

Minor phrasing improvement for clarity.

-It is important to have as much visibility as possible, so collecting all data types is recommended. Local Group Memberships and Sessions are especially important as they enable understanding Attack Paths to individual systems based on non-centralized configurations, see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).
+It is important to have as much visibility as possible, so collecting all data types is recommended. Local Group Memberships and Sessions are especially important as they provide visibility into Attack Paths to individual systems based on non‑centralized configurations. See [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).
docs/collect-data/enterprise-collection/privileged-collection.mdx (1)

30-30: Absolute link OK; hyphenate “least‑privileged” and add period.

Consistency and punctuation.

-For details on what data types can be collected see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions). For information on collecting this data via least-privilege access see [Least-Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection) 
+For details on what data types can be collected, see [SharpHound Data Collection and Permissions](/docs/collect-data/permissions). For information on collecting this data via least‑privileged access, see [Least‑Privileged Collection in SharpHound](/collect-data/enterprise-collection/least-privileged-collection).
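Review bot: the `+` line swaps the ASCII hyphens in "least-privileged" and "Least-Privileged" for non-ASCII hyphen characters; applying the suggestion verbatim would put those characters into the source, where they break plain-text search for the hyphenated spelling used elsewhere in the docs. Suggest keeping ASCII hyphens and applying only the comma and the trailing period.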
🧹 Nitpick comments (9)
docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx (1)

30-30: Pluralize “permission” and clarify either/or phrasing.

Use plural and make the options explicit.

-    * Each service account must have collection permission on all systems in the service account's tier - local `Administrators` group membership or [Least-Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection) permissions.
+    * Each service account must have collection permissions on all systems in the service account's tier—either local `Administrators` group membership or the permissions described in [Least‑Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection).
docs/collect-data/permissions.mdx (3)

29-29: Name the group precisely.

Use the proper group name and minor wording tweak.

-<Warning>The SharpHound collection service account does not require `Domain Admin` membership. While adding the account to local `Administrators` groups on domain computers will work, we recommend following the articles [Least-Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection) and [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Warning>
+<Warning>The SharpHound collection service account does not require membership in `Domain Admins`. While adding the account to local `Administrators` groups on domain computers will work, we recommend following [Least‑Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection) and [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Warning>

73-73: Split long sentence; add backticks; replace “prior to.”

Improves readability and consistency.

-User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge, whereas prior to SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the Remote Desktop Users group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the Remote Desktop Users group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.
+User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge. Before SharpHound Common v3, BloodHound assumed that membership in the `Remote Desktop Users` group alone gives users the ability to RDP to a system. In reality, a user needs both membership in `Remote Desktop Users` and the URA `SeRemoteInteractiveLogonRight`.

93-96: Punctuate bullets consistently.

End list items with periods for consistency.

-* On Windows Server operating systems, members of the local `Print Operators` group may also collect session data
-* Windows desktop operating systems do not have a local `Print Operators` group and require alternate approaches
+* On Windows Server operating systems, members of the local `Print Operators` group may also collect session data.
+* Windows desktop operating systems do not have a local `Print Operators` group and require alternate approaches.
docs/collect-data/enterprise-collection/privileged-collection.mdx (1)

7-7: Tighten list phrasing.

Use “such as” to introduce examples and remove awkward comma.

-Privileged collection allows BloodHound to analyze Attack Paths based on non-centralized configurations, the local groups, active sessions, registry, and user rights assignments configured on each domain-joined system in your environment.
+Privileged collection allows BloodHound to analyze Attack Paths based on non‑centralized configurations, such as local groups, active sessions, registry data, and user rights assignments configured on each domain‑joined system in your environment.
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (4)

8-11: Fix grammar and add comma.

Tighten intro and recommendation phrasing.

-Privileged collection allows BloodHound to analyze Attack Paths based on non-centralized configurations using privileged administrative credentials, similar to performing a privileged vulnerability scan. Least-privileged collection accomplishes these goals without using default administrative privileges to perform the collection. With some additional configuration SharpHound can collect the local groups, active sessions, and registry keys without adding any SharpHound collection service accounts to Domain Admins.
+Privileged collection allows BloodHound to analyze Attack Paths based on non‑centralized configurations using privileged administrative credentials, similar to a privileged vulnerability scan. Least‑privileged collection accomplishes these goals without using default administrative privileges. With some additional configuration, SharpHound can collect local groups, active sessions, and registry keys without adding any SharpHound collection service accounts to `Domain Admins`.
-
-<Note>We also recommend to follow the article [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Note>
+<Note>We also recommend following [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Note>

37-38: Backtick well-known groups and clarify subject.

Use group names and backticks consistently.

-By default, on currently supported Windows operating systems, only `Administrators` on the device(s) being collected have this right on Windows clients and member servers.  For compatibility purposes, Everyone is granted this right on domain controllers by default.
+By default, on currently supported Windows operating systems, only members of the local `Administrators` group on the device(s) being collected have this right on Windows clients and member servers. For compatibility purposes, `Everyone` is granted this right on domain controllers by default.

89-94: Add article for “individual registry key” and minor clarity.

Grammar and consistency.

-1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow `Authenticated Users` to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on individual registry key.
+1. **AllowedPaths / AllowedExactPaths exceptions**: Create exceptions using the GPO setting [Network access: Remotely accessible registry paths](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths) to allow `Authenticated Users` to connect to the Remote Registry named pipe at specific registry paths. Effective access is still governed by permissions on the individual registry key.
 
-2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Effective access is still governed via permissions configured on individual registry key.
+2. **Modify Remote Registry named pipe security descriptor**: Alternatively, modify the default security descriptor on the Remote Registry named pipe to grant explicit security principals read permissions to the entire registry. Effective access is still governed by permissions configured on the individual registry key.

101-106: Tighten “as long as” clauses for DC/CA registry notes.

Shorten and clarify permission caveat.

-When the AD CS role is installed in Windows, the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc` registry path is automatically added to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths`. This creates a remote registry exception that allows `Authenticated Users` to query any keys and subkeys in this path, as long as they also are granted rights to read the key. Therefore, CA registry data is accessible to `Authenticated Users` by default when AD CS is installed.
+When the AD CS role is installed in Windows, the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc` registry path is automatically added to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths`. This creates a remote registry exception that allows `Authenticated Users` to query keys and subkeys in this path, provided they also have read permission on the registry key DACL. Therefore, CA registry data is accessible to `Authenticated Users` by default when AD CS is installed.
@@
-For domain controllers, you can create exceptions by adding the required DC registry paths to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths` using the GPO setting mentioned above. This will create an exception to the Remote Registry named pipe on the DC allowing `Authenticated Users` to read those exact key paths, as long as they also are granted permissions on the registry key DACL.
+For domain controllers, you can create exceptions by adding the required DC registry paths to `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths` using the GPO setting mentioned above. This creates a Remote Registry exception allowing `Authenticated Users` to read those exact key paths, provided they also have read permission on the registry key DACL.
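Review bot: in both `+` lines, "read permission on the registry key DACL" conflates the DACL with the access it grants; reading the DACL itself is a separate right (READ_CONTROL), and what matters here is that an ACE in the key's DACL grants the principal read access to the key. Suggest "provided the key's DACL also grants them read access" in both sentences.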
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0b2c217 and 3319c8e.

📒 Files selected for processing (5)
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx (3 hunks)
  • docs/collect-data/enterprise-collection/privileged-collection.mdx (2 hunks)
  • docs/collect-data/permissions.mdx (4 hunks)
  • docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx (1 hunks)
  • docs/opengraph/best-practices.mdx (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-08T15:57:55.743Z
Learnt from: StephenHinck
PR: SpecterOps/bloodhound-docs#42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

  • docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx
  • docs/collect-data/permissions.mdx
🔇 Additional comments (6)
docs/collect-data/permissions.mdx (6)

48-52: LGTM: AD Structure Data section.

Method, defaults, and optional source are accurate and clearly linked.


65-69: LGTM: Local Group Membership collection details.

Accurate method and default permissions; least‑privileged pointer is helpful.


77-81: LGTM: URA collection method and limitations.

Accurate API reference and least‑privileged limitation statement.


111-115: LGTM: Certificate Services collection.

Clear method/defaults and good cross‑references.


119-127: LGTM: DC Registry description and permissions.

Accurate keys and ESC mapping; least‑privileged link provided.


144-146: No issues found — Authenticated Users default access claim is verified accurate.

The statement is correct per Microsoft's MS-CSRA specification and AD CS documentation: Authenticated Users have Enroll permissions (including read/list) on Enterprise CA registry keys by default across supported Windows Server versions (2003 and later). The docs are accurate and require no changes.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (1)

49-51: Fix API names and remove stray code‑fence (breaks MDX rendering).

Use correct Windows API capitalization; drop the trailing ```; normalize “user rights” casing.

-Only `Administrators` can perform the `LSAOpenPolicy` and `LSAEnumerateAccountsWithUserRights` function calls necessary to collect User Rights Assignments directly from a remote host. There is no known way around this limitation.
-
-Currently, not collecting User Rights Assignments may cause inaccurate CanRDP edges. In the future, SharpHound may collect additional User Rights to identify more attack paths```
+Only `Administrators` can perform the `LsaOpenPolicy` and `LsaEnumerateAccountsWithUserRights` function calls necessary to collect user rights assignments directly from a remote host. There is no known way around this limitation.
+
+Currently, not collecting user rights assignments may cause inaccurate CanRDP edges. In the future, SharpHound may collect additional user rights to identify more attack paths.
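Review bot: the second identifier in the first `+` line is still wrong: the LSA function is `LsaEnumerateAccountsWithUserRight` (singular "Right"), while `LsaOpenPolicy` is correct as written. Since the point of this hunk is to match the Windows API names, suggest fixing that identifier too.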
🧹 Nitpick comments (13)
docs/collect-data/enterprise-collection/privileged-collection.mdx (2)

7-7: Tighten list phrasing for clarity.

Use a colon and remove the extra article.

-Privileged collection allows BloodHound to analyze Attack Paths based on non-centralized configurations, the local groups, active sessions, registry, and user rights assignments configured on each domain-joined system in your environment.
+Privileged collection allows BloodHound to analyze Attack Paths based on non‑centralized configurations: local groups, active sessions, registry, and user rights assignments configured on each domain‑joined system.

30-30: Use “least‑privileged” (adjectival form).

Hyphenation consistency across docs.

-... for information on collecting this data via least-privilege access.
+... for information on collecting this data via least‑privileged access.
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (7)

8-8: Minor grammar polish.

-... With some additional configuration SharpHound can collect the local groups, active sessions, and registry keys ...
+... With some additional configuration, SharpHound can collect local groups, active sessions, and registry keys ...

10-10: Fix verb form.

-<Note>We also recommend to follow the article [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Note>
+<Note>We also recommend following the article [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Note>

22-23: Avoid comma splice.

Split into two sentences.

-SharpHound can read the content of the Deleted Objects container (also known as the AD Recycle Bin). Collecting deleted objects affects data retention behavior in BloodHound Enterprise, see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details on how this impacts retention periods.
+SharpHound can read the content of the Deleted Objects container (also known as the AD Recycle Bin). Collecting deleted objects affects data retention behavior in BloodHound Enterprise. See [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details on how this impacts retention periods.

37-38: Consistent code formatting for well‑known groups; tighten wording.

-By default, on currently supported Windows operating systems, only `Administrators` on the device(s) being collected have this right on Windows clients and member servers.  For compatibility purposes, Everyone is granted this right on domain controllers by default.
+By default, on currently supported Windows operating systems, only `Administrators` on the device(s) being collected have this right on Windows clients and member servers. For compatibility purposes, `Everyone` is granted this right on domain controllers.

75-75: Code‑format group name.

-... a service account that is a member of Domain Admins is strongly discouraged.
+... a service account that is a member of `Domain Admins` is strongly discouraged.

105-105: Clarify DACL phrasing.

-... allowing `Authenticated Users` to read those exact key paths, as long as they also are granted permissions on the registry key DACL.
+... allowing `Authenticated Users` to read those exact key paths, provided they also have read permission on the key’s DACL.

109-109: Code‑format identifiers and group name.

-... add these specific paths to AllowedExactPaths. This grants Authenticated Users remote read access, ...
+... add these specific paths to `AllowedExactPaths`. This grants `Authenticated Users` remote read access, ...
docs/collect-data/permissions.mdx (4)

52-52: Avoid comma splice.

-... Enterprise, see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details. ...
+... Enterprise. See [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details. ...

67-67: Be precise about required permission.

Use the group name and scope instead of “Administrator access.”

-**Default Permissions:** By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 require Administrator access to perform Remote SAM operations.
+**Default Permissions:** By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 require membership in the local `Administrators` group to perform Remote SAM operations.

73-73: Code‑format group name; optional readability split.

-... assuming that membership in the Remote Desktop Users group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the Remote Desktop Users group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.
+... assuming that membership in the `Remote Desktop Users` group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the `Remote Desktop Users` group **and** the user rights assignment `SeRemoteInteractiveLogonRight`.

138-139: Small grammar tweak.

-    SharpHound checks if the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is present, required to calculate ADCS ESC6 edges.
+    SharpHound checks if the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is present, which is required to calculate ADCS ESC6 edges.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3319c8e and d55dd1f.

📒 Files selected for processing (3)
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx (3 hunks)
  • docs/collect-data/enterprise-collection/privileged-collection.mdx (2 hunks)
  • docs/collect-data/permissions.mdx (4 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-08T15:57:55.743Z
Learnt from: StephenHinck
PR: SpecterOps/bloodhound-docs#42
File: docs/install-data-collector/install-azurehound/system-requirements.mdx:70-73
Timestamp: 2025-08-08T15:57:55.743Z
Learning: For AzureHound docs (docs/install-data-collector/install-azurehound/system-requirements.mdx), prefer explicitly stating:
- Directory Reader must be permanently active (not PIM-eligible only).
- Microsoft Graph application permissions (Directory.Read.All, RoleManagement.Read.All) require admin consent.
- Azure Reader role phrasing: “on all Azure subscriptions, ideally assigned at the tenant root group (root management group) scope.”

Applied to files:

  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx
  • docs/collect-data/permissions.mdx
🪛 LanguageTool
docs/collect-data/enterprise-collection/least-privileged-collection.mdx

[grammar] ~26-~26: There might be a mistake here.
Context: ...Deleted Objects container locations are: * Domain NC Deleted Objects DistinguishedN...

(QB_NEW_EN)


[grammar] ~27-~27: There might be a mistake here.
Context: ...Deleted Objects DistinguishedName (DN): CN=Deleted Objects,<Domain DN> * Configuration NC Deleted Objects Disting...

(QB_NEW_EN)


[grammar] ~109-~109: There might be a mistake here.
Context: ...llowing the same method described above.

(QB_NEW_EN)

docs/collect-data/permissions.mdx

[grammar] ~93-~93: There might be a mistake here.
Context: ...s function. Least-Privileged Options: * On Windows Server operating systems, mem...

(QB_NEW_EN)


[grammar] ~134-~134: There might be a mistake here.
Context: ... restrictions are configured by default. * Security Contains the security des...

(QB_NEW_EN)

🔇 Additional comments (1)
docs/collect-data/permissions.mdx (1)

26-30: LGTM on scope and guidance.

Clear rationale and correct cross‑references; the warning block reads well.

@martinsohn
Contributor Author

@jeff-matthews and @Scoubi I mashed your two recommendations together. I also added texts to nudge the user: 560a79d

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (1)

109-109: Add backticks around the security principal.

Elsewhere in the doc we format group names like Authenticated Users; please do the same here for consistency.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d55dd1f and 8a02ba6.

📒 Files selected for processing (1)
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx (3 hunks)
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (12)
docs/collect-data/enterprise-collection/privileged-collection.mdx (2)

7-7: Tighten list phrasing and punctuation.

Use an em dash and remove the article before “local groups” for flow.

-Privileged collection allows BloodHound to analyze Attack Paths based on non-centralized configurations, the local groups, active sessions, registry, and user rights assignments configured on each domain-joined system in your environment.
+Privileged collection allows BloodHound to analyze Attack Paths based on non‑centralized configurations—the local groups, active sessions, registry, and user rights assignments configured on each domain‑joined system in your environment.
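Review bot: The explanation says to remove the article before "local groups", but the `+` line still reads "the local groups", so the suggestion does not match its own rationale; either drop "the" or correct the description. The earlier suggestion on this same line (the colon form) already removes the article and reads cleanly without the em dash.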

22-22: Fix subject/grammar and group name (“Administrators”).

Clarify the sentence and use the correct local group name.

-BloodHound Enterprise has identified that a computer at the bottom of the right Attack Path tree has `Authenticated Users` (all users and computers contained within the current domains, and all domains trusted by the current domain) added as a local `Administrator` to a system at the beginning of one Attack Path.
+BloodHound Enterprise has identified that a system at the beginning of the right‑hand Attack Path has `Authenticated Users` (all users and computers in the current domain and any trusted domains) added to the local `Administrators` group.
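Review bot: This suggestion changes the meaning, not only the group name: the `-` line describes a computer at the bottom of the right Attack Path tree being added as a local admin on a system at the beginning of one Attack Path, while the `+` line drops that computer entirely and makes "a system at the beginning of the right‑hand Attack Path" the subject that has `Authenticated Users` in its local `Administrators` group. Check the rewritten sentence against the figure it describes before accepting it; the `Administrator` to `Administrators` correction is right either way.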
docs/collect-data/permissions.mdx (4)

26-27: Split the sentence; avoid comma splice.

Minor readability tweak.

-SpecterOps recommends collecting all data types because it provides maximum visibility into your environment. Local Group Memberships and Sessions are especially important, as they reveal Attack Paths to individual systems based on non-centralized configurations, see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).
+SpecterOps recommends collecting all data types because it provides maximum visibility into your environment. Local Group Memberships and Sessions are especially important, as they reveal Attack Paths to individual systems based on non‑centralized configurations. See [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).

73-73: Consider splitting the long sentence.

Improve readability by breaking after the first em dash.

-User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge. Before SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the `Remote Desktop Users` group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the `Remote Desktop Users` group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.
+User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting URAs allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge. Before SharpHound Common v3, BloodHound assumed that membership in the `Remote Desktop Users` group alone grants RDP access. However, to use Remote Desktop, a user needs **both** membership in `Remote Desktop Users` **and** the `SeRemoteInteractiveLogonRight` URA.

93-96: Punctuate list items for consistency.

End bullets with periods.

-* On Windows Server operating systems, members of the local `Print Operators` group may also collect session data
-* Windows desktop operating systems do not have a local `Print Operators` group and require alternate approaches
+* On Windows Server operating systems, members of the local `Print Operators` group may also collect session data.
+* Windows desktop operating systems do not have a local `Print Operators` group and require alternate approaches.

131-139: Minor clarity and style improvements.

Split long sentences and use “vice versa” for precision.

-* **Security**
-    Contains the security descriptor for the enterprise CA i.e. the permissions for Enroll, ManageCA, and ManageCertificates edges against the enterprise CA. This security descriptor is also stored in the AD object of the enterprise CA. SharpHound collects both. The CA registry security descriptor holds the effective permissions. Changes in the CA registry security descriptor are replicated to the AD copy, however, not the other way. Therefore, collecting the CA registry security descriptor may reveal permissions of the enterprise CA that are not present if only collecting the AD object.
+* **Security**
+    Contains the security descriptor for the enterprise CA—i.e., the permissions for Enroll, ManageCA, and ManageCertificates edges against the enterprise CA. This security descriptor is also stored in the AD object of the enterprise CA. SharpHound collects both. The CA registry security descriptor holds the effective permissions. Changes in the CA registry security descriptor are replicated to the AD copy; the reverse is not true. Therefore, collecting the CA registry security descriptor may reveal permissions that are not visible when only collecting the AD object.
docs/collect-data/enterprise-collection/least-privileged-collection.mdx (6)

22-30: Minor punctuation/style.

Use a semicolon before the reference for smoother flow.

-SharpHound can read the content of the Deleted Objects container (also known as the AD Recycle Bin). Collecting deleted objects affects data retention behavior in BloodHound Enterprise, see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details on how this impacts retention periods.
+SharpHound can read the content of the Deleted Objects container (also known as the AD Recycle Bin). Collecting deleted objects affects data retention behavior in BloodHound Enterprise; see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details on how this impacts retention periods.

55-58: Tighten OS terminology.

Prefer “Windows client operating systems” to “Windows desktop operating systems.”

-Unfortunately, this option does not exist on Windows desktop operating systems.
+Unfortunately, this option does not exist on Windows client operating systems.

59-59: Fix “builtin” spelling.

Use “built‑in”.

-...the local builtin [Print Operators]...
+...the local built‑in [Print Operators]...

89-94: Good structure; small wording tweak.

Make sentence parallel and modernize phrasing.

-By default, only `Administrators` may read the registry remotely. There are two methods to delegate remote registry access for least-privileged collection:
+By default, only `Administrators` may read the registry remotely. There are two ways to delegate remote registry access for least‑privileged collection:

101-101: Smooth phrasing.

Tighten clause.

-...as long as they also are granted rights to read the key.
+...as long as they also have read permission on the key.

105-106: Clarify DACL phrasing.

Simplify the trailing clause.

-...allowing `Authenticated Users` to read those exact key paths, as long as they also are granted permissions on the registry key DACL.
+...allowing `Authenticated Users` to read those exact key paths, provided the registry key’s DACL grants read permission.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a02ba6 and 63f3c36.

📒 Files selected for processing (3)
  • docs/collect-data/enterprise-collection/least-privileged-collection.mdx (2 hunks)
  • docs/collect-data/enterprise-collection/privileged-collection.mdx (2 hunks)
  • docs/collect-data/permissions.mdx (4 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/collect-data/enterprise-collection/least-privileged-collection.mdx

[grammar] ~26-~26: There might be a mistake here.
Context: ...Deleted Objects container locations are: * Domain NC Deleted Objects DistinguishedN...

(QB_NEW_EN)


[grammar] ~27-~27: There might be a mistake here.
Context: ...Deleted Objects DistinguishedName (DN): CN=Deleted Objects,<Domain DN> * Configuration NC Deleted Objects Disting...

(QB_NEW_EN)


[grammar] ~59-~59: Ensure spelling is correct
Context: ...rvice account can be added to the local builtin [Print Operators](https://learn.microso...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~59-~59: Ensure spelling is correct
Context: ...ld not be used as print servers and the builtin Print Operators group for the domain sh...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

docs/collect-data/permissions.mdx

[grammar] ~93-~93: There might be a mistake here.
Context: ...s function. Least-Privileged Options: * On Windows Server operating systems, mem...

(QB_NEW_EN)


[grammar] ~134-~134: There might be a mistake here.
Context: ... restrictions are configured by default. * Security Contains the security des...

(QB_NEW_EN)

🔇 Additional comments (10)
docs/collect-data/enterprise-collection/privileged-collection.mdx (1)

30-30: Links and terminology look good.

Absolute paths and “Least‑Privileged” hyphenation are consistent.

docs/collect-data/permissions.mdx (5)

29-29: Good addition.

The hardening link and clarification about not requiring Domain Admin are helpful.


48-53: LGTM.

Accurate method, defaults, and Deleted Objects container guidance with cross‑refs.


65-69: LGTM.

Remote SAM method/defaults and least‑privileged GPO reference are correct.


119-127: LGTM.

DC registry paths and permissions look accurate; least‑privileged cross‑ref is clear.


146-146: LGTM.

Default access note and cross‑reference align with the least‑privileged explanation.

docs/collect-data/enterprise-collection/least-privileged-collection.mdx (4)

8-11: Clear intro and hardening note.

Good framing and link to hardening guidance.


73-73: LGTM.

Good guidance on Restricted Groups vs GPP.


75-76: LGTM.

Clear recommendation against using Domain Admins.


109-109: LGTM.

Clear guidance on enabling least‑privileged NTLM relay registry collection.

SharpHound collects local group membership via [Remote SAM Enumeration](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).

By default, on currently supported Windows operating systems, only Administrators on the device(s) being collected have this right on Windows clients and member servers. For compatibility purposes, Everyone is granted this right on domain controllers by default.
By default, on currently supported Windows operating systems, only `Administrators` on the device(s) being collected have this right on Windows clients and member servers. For compatibility purposes, `Everyone` is granted this right on domain controllers by default.
@coderabbitai coderabbitai bot Oct 16, 2025

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify SAMR default on domain controllers (“Everyone” vs “Authenticated Users”).

Claiming Everyone has this right on DCs may overstate access. Many sources indicate DCs allow Authenticated Users by default for SAMR, not Everyone.


🌐 Web query:

What is the default value/behavior of “Network access: Restrict clients allowed to make remote calls to SAM” on Windows domain controllers? Specifically, are “Everyone” or “Authenticated Users” allowed by default to perform remote SAMR enumeration on DCs?

💡 Result:

Short answer: That security option (Network access: Restrict clients allowed to make remote calls to SAM) does not apply to Domain Controllers by default. Domain controllers use the built‑in SAM/LSA ACLs and other DC‑specific groups (e.g. Pre‑Windows‑2000 Compatible Access) for SAMR access, so the Group Policy setting is effectively ignored on DCs. In practice anonymous/Everyone access is blocked by the anonymous‑enumeration restrictions and SAM access is limited to authenticated principals (not Everyone) unless an admin has explicitly weakened DC ACLs. (learn.microsoft.com)

Correct DC SAMR access description (“Everyone” → authenticated principals)
docs/collect-data/enterprise-collection/least-privileged-collection.mdx:37
Replace “For compatibility purposes, Everyone is granted this right on domain controllers by default.” with a note that DCs ignore the GPO setting and enforce SAMR via built-in SAM/LSA ACLs, limiting access to authenticated principals (e.g. Authenticated Users, Pre-Windows-2000 Compatible Access).


Contributor Author

@JimSycurity is this coderabbit being wrong on your research?

Contributor

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

Contributor

I'm not sure there's anything wrong with what it's saying. It's a nitpick comment being nitpicky. In trying to keep things brief I referenced the Everyone special identity group, which includes Authenticated Users and Guests in current OSes. Not the collective "Everyone" as in "Anyone". Everyone only included Anonymous access in Server 2000.

DCs do ignore the GPO setting as it states. It's wording the same thing differently and with more words.

@StephenHinck StephenHinck left a comment

Looks great - fixed a small CR nit for grammar and merging!

@StephenHinck StephenHinck merged commit e006bf0 into main Oct 16, 2025
2 of 3 checks passed
@StephenHinck StephenHinck deleted the data-collection-permissions branch October 16, 2025 17:14
@github-actions github-actions bot locked and limited conversation to collaborators Oct 16, 2025