Merge remote-tracking branch 'origin/2.X' into commonlib_v4
# Conflicts:
#	src/Runtime/ObjectProcessors.cs
rvazarkar committed Jul 26, 2024
2 parents 25f3e46 + 699386c commit 385f3dc
Showing 2 changed files with 9 additions and 3 deletions.
8 changes: 5 additions & 3 deletions README.md
Expand Up @@ -4,7 +4,9 @@

## Get SharpHound

The latest build of SharpHound will always be in the BloodHound repository [here](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors)
The latest build of SharpHound will always be found [here](https://github.com/BloodHoundAD/SharpHound/releases).

To determine the SharpHound version compatible with a deployed BloodHound CE instance, login to BloodHound CE's web UI and click on ⚙️ (Settings) → Download Collectors. Then, click either the "Download SharpHound" button in the user interface or use the displayed SharpHound version to download the appropriate [release binary](https://github.com/BloodHoundAD/SharpHound/releases). Alternatively, compile a SharpHound binary from the corresponding release commit.

## Compile Instructions

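Review bot: In the added paragraph under "Get SharpHound", "login to BloodHound CE's web UI" uses the noun as a verb and should read "log in to". The following sentence joins two actions that are not parallel ("click either the "Download SharpHound" button ... or use the displayed SharpHound version"); splitting it into one sentence for downloading from the UI and one for picking the matching release by version number would read more clearly. The "[here]" link text on the replaced line would also be easier to scan if it named its target, for example "the releases page".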
Expand All @@ -26,8 +28,8 @@ dotnet restore .
dotnet build
```

# CLI

# CLI Arguments
The listing below details the CLI arguments SharpHound supports. Additional details about these options can be found in the [BloodHound CE Collection documentation](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481375424795-All-SharpHound-Community-Edition-Flags-Explained).
```
-c, --collectionmethods (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly, UserRights, CARegistry, DCRegistry, CertServices
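Review bot: The new `# CLI Arguments` heading is followed directly by the paragraph and then by the opening code fence, with no blank line between any of them; the blank line that followed the old `# CLI` heading was dropped. Add a blank line after the heading and another before the fence, matching how `## Get SharpHound` is laid out earlier in the file, so that stricter Markdown renderers do not fold the fence into the paragraph. The documentation link targets a support-site article by numeric ID, so it is worth confirming that this is the stable URL for the flag reference.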
4 changes: 4 additions & 0 deletions src/Runtime/ObjectProcessors.cs
Expand Up @@ -576,6 +576,7 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(IDirectoryObject entry,
var cASecurityCollected = false;
var enrollmentAgentRestrictionsCollected = false;
var isUserSpecifiesSanEnabledCollected = false;
var roleSeparationEnabledCollected = false;
var caName = entry.GetProperty(LDAPProperties.Name);
var dnsHostName = entry.GetProperty(LDAPProperties.DNSHostName);
if (caName != null && dnsHostName != null) {
Expand All @@ -594,6 +595,7 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(IDirectoryObject entry,
IsUserSpecifiesSanEnabled = _certAbuseProcessor.IsUserSpecifiesSanEnabled(dnsHostName, caName),
EnrollmentAgentRestrictions = await _certAbuseProcessor.ProcessEAPermissions(caName,
resolvedSearchResult.Domain, dnsHostName, ret.HostingComputer),
RoleSeparationEnabled = _certAbuseProcessor.RoleSeparationEnabled(dnsHostName, caName),

// The CASecurity exist in the AD object DACL and in registry of the CA server. We prefer to use the values from registry as they are the ground truth.
// If changes are made on the CA server, registry and the AD object is updated. If changes are made directly on the AD object, the CA server registry is not updated.
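Review bot: `RoleSeparationEnabled = _certAbuseProcessor.RoleSeparationEnabled(dnsHostName, caName)` breaks the naming pattern of the neighbouring lookup `IsUserSpecifiesSanEnabled`, and the property and the method it is assigned from share one name, which makes the line harder to read at a glance. If the method name is fixed by the library it comes from, a short comment on what the returned object carries would be enough. The call is also made synchronously next to the awaited `ProcessEAPermissions`; if it contacts the CA host, as the arguments suggest, consider whether it should follow the async pattern.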
Expand All @@ -604,12 +606,14 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(IDirectoryObject entry,
cASecurityCollected = cARegistryData.CASecurity.Collected;
enrollmentAgentRestrictionsCollected = cARegistryData.EnrollmentAgentRestrictions.Collected;
isUserSpecifiesSanEnabledCollected = cARegistryData.IsUserSpecifiesSanEnabled.Collected;
roleSeparationEnabledCollected = cARegistryData.RoleSeparationEnabled.Collected;
ret.CARegistryData = cARegistryData;
}

ret.Properties.Add("casecuritycollected", cASecurityCollected);
ret.Properties.Add("enrollmentagentrestrictionscollected", enrollmentAgentRestrictionsCollected);
ret.Properties.Add("isuserspecifiessanenabledcollected", isUserSpecifiesSanEnabledCollected);
ret.Properties.Add("roleseparationenabledcollected", roleSeparationEnabledCollected);
}

return ret;
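Review bot: `cARegistryData.RoleSeparationEnabled.Collected` is read without a null check, so a null return from `_certAbuseProcessor.RoleSeparationEnabled(...)` would throw at this line and lose the other registry results with it. The three assignments above follow the same pattern, so either confirm the method always returns a result object or guard the access. Separately, `roleseparationenabledcollected` is written as `false` both when the registry read failed and when the block that sets it was never entered; a one-line comment that `false` means "unknown" rather than "role separation disabled" would help whoever consumes the property.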