Is it possible to gain administrative rights under a domain in W10 while having local admin privilages?
I'm still trying to get the hang of Windows accounts under a DOMAIN but i have some security questions.
From my experience it seems that in a machine local users and domain users are completely separated.
For example a local Admin cannot make account changes to a Domain user; you need Domain admin privileges for that.
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password or allow a local admin to make changes to a DOMAIN user?
Kind regards
edit: Running this command seems to do it but why?
net localgroup Administrators /add DOMAINUSER
windows domain password-recovery privileges administration
asked Dec 7 at 8:33
TnF
2315
add a comment |
I'm still trying to get the hang of Windows accounts under a DOMAIN but i have some security questions.
From my experience it seems that in a machine local users and domain users are completely separated.
For example a local Admin cannot make account changes to a Domain user; you need Domain admin privileges for that.
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password or allow a local admin to make changes to a DOMAIN user?
Kind regards
edit: Running this command seems to do it but why?
net localgroup Administrators /add DOMAINUSER
windows domain password-recovery privileges administration
asked Dec 7 at 8:33
TnF
2315
add a comment |
I'm still trying to get the hang of Windows accounts under a DOMAIN but i have some security questions.
From my experience it seems that in a machine local users and domain users are completely separated.
For example a local Admin cannot make account changes to a Domain user; you need Domain admin privileges for that.
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password or allow a local admin to make changes to a DOMAIN user?
Kind regards
edit: Running this command seems to do it but why?
net localgroup Administrators /add DOMAINUSER
windows domain password-recovery privileges administration
asked Dec 7 at 8:33
TnF
2315
I'm still trying to get the hang of Windows accounts under a DOMAIN but i have some security questions.
From my experience it seems that in a machine local users and domain users are completely separated.
For example a local Admin cannot make account changes to a Domain user; you need Domain admin privileges for that.
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password or allow a local admin to make changes to a DOMAIN user?
Kind regards
edit: Running this command seems to do it but why?
net localgroup Administrators /add DOMAINUSER
windows domain password-recovery privileges administration
windows domain password-recovery privileges administration
asked Dec 7 at 8:33
TnF
2315
asked Dec 7 at 8:33
TnF
2315
edited Dec 7 at 10:09
asked Dec 7 at 8:33
TnF
2315
asked Dec 7 at 8:33
TnF
2315
asked Dec 7 at 8:33
TnF
2315
2315
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.
Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password
It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.
If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.
answered Dec 7 at 9:16
grawity
231k35487544
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
add a comment |
can someone recover the DOMAIN admin password?
Answer : No, unless you use illegal hacking methods.
The password is not kept on the local computer as plain-text but as a hash,
so you will need to enter a string that has exactly the same hash value.
The hash-function used is aimed at minimizing such possible collisions,
so don't even try.
The password is tested on the server, not locally, so you cannot run
locally a product to brute-force the password, unless you pass through
the domain server.
allow a local admin to make changes to a DOMAIN user
If you know the domain-user password,
you can use the
runas command
for running a program under the domain user's credentials.
You can then use the syntax of:
runas /netonly /user:domainusername command
The net localgroup administrators command will work to add the domain
user to the local Administrators group, although you will still need
the password to login.
This command should only be run when the computer is connected to the network.
Note that you may do the same using Computer Management: Click Groups,
right-click Administrators, click Add to Group, click Add,
and in the Select Users dialog box, enter DomainUser.
answered Dec 7 at 10:07
harrymc
252k12259560
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381568%2fis-it-possible-to-gain-administrative-rights-under-a-domain-in-w10-while-having%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.
Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password
It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.
If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.
answered Dec 7 at 9:16
grawity
231k35487544
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
add a comment |
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.
Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password
It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.
If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.
answered Dec 7 at 9:16
grawity
231k35487544
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
add a comment |
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.
Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password
It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.
If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.
answered Dec 7 at 9:16
grawity
231k35487544
Considering everything is stored as data in the machine locally this seems to be like a Windows restriction.
No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.
Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.
Is there is a way to bypass this? Since both hardware and local admin access there is to the machine, how can someone recover the DOMAIN admin password
It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.
If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.
answered Dec 7 at 9:16
grawity
231k35487544
answered Dec 7 at 9:16
grawity
231k35487544
answered Dec 7 at 9:16
grawity
231k35487544
answered Dec 7 at 9:16
grawity
231k35487544
231k35487544
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
add a comment |
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
– TnF
Dec 7 at 10:13
add a comment |
can someone recover the DOMAIN admin password?
Answer : No, unless you use illegal hacking methods.
The password is not kept on the local computer as plain-text but as a hash,
so you will need to enter a string that has exactly the same hash value.
The hash-function used is aimed at minimizing such possible collisions,
so don't even try.
The password is tested on the server, not locally, so you cannot run
locally a product to brute-force the password, unless you pass through
the domain server.
allow a local admin to make changes to a DOMAIN user
If you know the domain-user password,
you can use the
runas command
for running a program under the domain user's credentials.
You can then use the syntax of:
runas /netonly /user:domainusername command
The net localgroup administrators command will work to add the domain
user to the local Administrators group, although you will still need
the password to login.
This command should only be run when the computer is connected to the network.
Note that you may do the same using Computer Management: Click Groups,
right-click Administrators, click Add to Group, click Add,
and in the Select Users dialog box, enter DomainUser.
answered Dec 7 at 10:07
harrymc
252k12259560
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
add a comment |
can someone recover the DOMAIN admin password?
Answer : No, unless you use illegal hacking methods.
The password is not kept on the local computer as plain-text but as a hash,
so you will need to enter a string that has exactly the same hash value.
The hash-function used is aimed at minimizing such possible collisions,
so don't even try.
The password is tested on the server, not locally, so you cannot run
locally a product to brute-force the password, unless you pass through
the domain server.
allow a local admin to make changes to a DOMAIN user
If you know the domain-user password,
you can use the
runas command
for running a program under the domain user's credentials.
You can then use the syntax of:
runas /netonly /user:domainusername command
The net localgroup administrators command will work to add the domain
user to the local Administrators group, although you will still need
the password to login.
This command should only be run when the computer is connected to the network.
Note that you may do the same using Computer Management: Click Groups,
right-click Administrators, click Add to Group, click Add,
and in the Select Users dialog box, enter DomainUser.
answered Dec 7 at 10:07
harrymc
252k12259560
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
add a comment |
can someone recover the DOMAIN admin password?
Answer : No, unless you use illegal hacking methods.
The password is not kept on the local computer as plain-text but as a hash,
so you will need to enter a string that has exactly the same hash value.
The hash-function used is aimed at minimizing such possible collisions,
so don't even try.
The password is tested on the server, not locally, so you cannot run
locally a product to brute-force the password, unless you pass through
the domain server.
allow a local admin to make changes to a DOMAIN user
If you know the domain-user password,
you can use the
runas command
for running a program under the domain user's credentials.
You can then use the syntax of:
runas /netonly /user:domainusername command
The net localgroup administrators command will work to add the domain
user to the local Administrators group, although you will still need
the password to login.
This command should only be run when the computer is connected to the network.
Note that you may do the same using Computer Management: Click Groups,
right-click Administrators, click Add to Group, click Add,
and in the Select Users dialog box, enter DomainUser.
answered Dec 7 at 10:07
harrymc
252k12259560
can someone recover the DOMAIN admin password?
Answer : No, unless you use illegal hacking methods.
The password is not kept on the local computer as plain-text but as a hash,
so you will need to enter a string that has exactly the same hash value.
The hash-function used is aimed at minimizing such possible collisions,
so don't even try.
The password is tested on the server, not locally, so you cannot run
locally a product to brute-force the password, unless you pass through
the domain server.
allow a local admin to make changes to a DOMAIN user
If you know the domain-user password,
you can use the
runas command
for running a program under the domain user's credentials.
You can then use the syntax of:
runas /netonly /user:domainusername command
The net localgroup administrators command will work to add the domain
user to the local Administrators group, although you will still need
the password to login.
This command should only be run when the computer is connected to the network.
Note that you may do the same using Computer Management: Click Groups,
right-click Administrators, click Add to Group, click Add,
and in the Select Users dialog box, enter DomainUser.
answered Dec 7 at 10:07
harrymc
252k12259560
edited Dec 7 at 10:46
answered Dec 7 at 10:07
harrymc
252k12259560
answered Dec 7 at 10:07
harrymc
252k12259560
answered Dec 7 at 10:07
harrymc
252k12259560
252k12259560
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
add a comment |
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
– TnF
Dec 7 at 10:16
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381568%2fis-it-possible-to-gain-administrative-rights-under-a-domain-in-w10-while-having%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
