Re: computeraccount in admingroup?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 16 Jan 2006 01:08:23 -0500
I am not sure I understand your questions.
However... Computer accounts in AD are a type of user account. The computers authenticate to those accounts when the machines boot up and get their Kerberos tickets just like users do. They constantly renew those tickets just like a user who stays logged on. If that computer is added to a domain group, that group is in the security token of the computer (and in the kerb creds).
Anything that that group has access to, the computer itself will have access to as well (note that this doesn't mean users on the computer necessarily, only processes running in the computer's context such as localsystem, localservice, and networkservice).
If you add the AD computer account (or any AD group) to another computer's admin group, it will work just as if a user had been added to the admin group. An attempt from the computer (not users logged onto the computer) to connect to that other computer will result in getting a kerb service ticket which will authenticate the computer on the other computer and it will add the administrators group SID to the local token so that the first computer has admin rights on the second computer.
Again, this is all just like normal users, you just have to be in the security context of the computer which is the contexts mentioned above. Getting there isn't tough if you have more than user rights to the specific computer. You just have to get the AT service or some other service to do what you want as localsystem or networkservice. Child's play actually.
joe
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net
Paul Bergson wrote:
How when the remote machine has a secret password? Am I misunderstanding the scenario?
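Added example, not part of the original thread: a small audit that resolves which computer accounts effectively hold local admin rights on a host, directly or through nested domain groups, as the message above describes. The membership data and all host, group and account names are constructed; a real audit would read them from a directory or inventory export.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from the thread).
# Local Administrators membership per host:
LOCAL_ADMINS = {
    "FILESRV01": ["CORP\\Domain Admins", "CORP\\Backup Hosts", "CORP\\WEB01$"],
    "SQL01": ["CORP\\Domain Admins", "CORP\\SQL Admins"],
}
# Domain group membership, including a nesting loop between two groups:
DOMAIN_GROUPS = {
    "CORP\\Domain Admins": ["CORP\\alice"],
    "CORP\\Backup Hosts": ["CORP\\BKP01$", "CORP\\Infra Servers"],
    "CORP\\Infra Servers": ["CORP\\MGMT01$", "CORP\\Backup Hosts"],
    "CORP\\SQL Admins": ["CORP\\bob"],
}


def is_computer(account):
    # Computer sAMAccountNames end in "$". Managed service accounts do too,
    # so a production check should confirm objectClass in the directory.
    return account.endswith("$")


def computer_admins(host, local_admins=LOCAL_ADMINS, groups=DOMAIN_GROUPS):
    """Map each computer account with admin rights on host to its grant path."""
    found, seen = {}, set()
    queue = deque((m, [m]) for m in local_admins.get(host, []))
    while queue:
        member, path = queue.popleft()
        if member in seen:  # guards against circular group nesting
            continue
        seen.add(member)
        if is_computer(member):
            found[member] = path
        elif member in groups:
            for child in groups[member]:
                queue.append((child, path + [child]))
    return found


def audit(local_admins=LOCAL_ADMINS, groups=DOMAIN_GROUPS):
    """Return sorted (host, computer account, grant path) findings."""
    return sorted(
        (host, acct, " -> ".join(path))
        for host in local_admins
        for acct, path in computer_admins(host, local_admins, groups).items()
    )


if __name__ == "__main__":
    for host, acct, via in audit():
        print(f"{host}: {acct} is a local admin via {via}")
```

Each finding means that processes running as localsystem or networkservice on the listed computer authenticate to the host as an administrator.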