Re: Administrators Group in Local Users and Groups




Again, I will not explain how the escalations can occur. Anyone who gives non-domain admins the ability to log on interactively or modify system files/services on a DC is asking to be spanked at some point in the future. I call it security by wishful thinking. The fact that they haven't been compromised (though one would ask, do they even know if they have been?) is simply a matter of luck or no one caring enough to do it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Spin wrote:
I have verified that an Account Operator can indeed log into a DC. But, they cannot add themselves to the Domain Admins group. The button is grayed out. The button to change whether or not the DC is a GC is also grayed out. I imagine adding themselves to the domain admins group would require a trick similar to the NT4 days where you could make cmd.exe launch as the screensaver (which runs under the local system account), then within the newly opened CMD prompt window, add yourself to the local administrators group using the net user command. There is a single local administrator account on every DC, that is the one the system reverts back to in case the machine is ever demoted back to a member server. That account is also a Domain Admin. Of course when the machine is a DC, the account is not really "local" anymore.
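The point Joe makes above is that interactive logon or service/file modification rights on a DC for anyone outside Domain Admins is the real exposure, regardless of whether a particular button is grayed out. The script below is an added audit example, not code from either poster; it assumes it is run elevated on a DC with the ActiveDirectory RSAT module present, and it uses the well-known SIDs of the built-in operator groups (Account Operators is the one discussed in the thread; Server, Print and Backup Operators are listed because they also receive "Allow log on locally" on DCs by default). It reports which of those groups still have members and whether the group currently holds the interactive logon right, which is what a defender needs to know to decide what to strip.

```powershell
# Added example: audit built-in operator groups on a domain controller for
# membership and for the "Allow log on locally" right (SeInteractiveLogonRight).
# Assumes: elevated PowerShell on a DC, ActiveDirectory module available.

Import-Module ActiveDirectory

# Well-known SIDs of built-in groups that get interactive logon on DCs by default.
$operatorGroups = @{
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

# Export the effective user-rights assignment and extract SeInteractiveLogonRight.
# The exported line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,...
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$grantedSids = @()
if ($rightLine) {
    $grantedSids = ($rightLine -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

$report = foreach ($sid in $operatorGroups.Keys) {
    $name = $operatorGroups[$sid]
    # -Recursive expands nested groups so an indirect member is not missed.
    $members = @(Get-ADGroupMember -Identity $sid -Recursive -ErrorAction SilentlyContinue)
    $hasLogonRight = $grantedSids -contains $sid

    $finding = if ($members.Count -gt 0 -and $hasLogonRight) {
        'REVIEW: non-Domain-Admin principals can log on interactively to this DC'
    } elseif ($members.Count -gt 0) {
        'Members present but no interactive logon right on this DC'
    } else {
        'OK: group is empty'
    }

    [pscustomobject]@{
        Group           = $name
        SID             = $sid
        MemberCount     = $members.Count
        Members         = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
        InteractiveLogon = $hasLogonRight
        Finding         = $finding
    }
}

$report | Format-Table -AutoSize
```

The right is read from the local policy on the DC where the script runs, which is the effective result after Default Domain Controllers Policy and any overriding GPO have applied; check each DC rather than assuming one answer for the domain. An empty operator group with the logon right still assigned is a latent problem worth removing from the GPO, since the next person added to the group inherits the exposure the thread describes.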
