Elevating local or domain Admin privilege to access networked computers

I'm a little foggy about how to pose my question as some time has gone by since this issue. The OS was XP pro and we were running Server 2008 with AD. There was a piece of software one user said was required but this software needed admin rights to run. IIRC I tried to make the user a local admin but since logging onto the machine required logging into AD I think there was some issue with the software not working because the user wasn't an admin on the domain. Does this sound like it is probable?


The reason I'm asking is because there was an issue with another machine on the network having its password changed and then accessed after the password change. Now I don't remember whether the accessed machine only had its local password changed or if it was the domain password. It was very confusing at the time because at times the user wouldn't have network access so they logged in locally.

The point is, I'm trying to figure out if this security issue was related to the admin rights on the user with the "special" software.

At the time I knew whatever was happening was possible due to the admin rights issue but have forgotten exactly what was going on.


-If a user has local admin rights and general user domain account, is it possible to gain admin rights on a network PC either remotely or in person?

-If user has domain admin rights, could they remotely log into network PC and change local user password on the network PC?
 
Does this sound like it is probable?

-If a user has local admin rights and general user domain account, is it possible to gain admin rights on a network PC either remotely or in person?

-If user has domain admin rights, could they remotely log into network PC and change local user password on the network PC?

No.
Yes, by your definition the user is logged into a networked PC as a local admin.
Yes, through the User Accounts area. Maybe a Windows 7 thing, not sure about WinXP.
 
I tried to make the user a local admin but since logging onto the machine required logging into AD I think there was some issue with the software not working because the user wasn't an admin on the domain. Does this sound like it is probable?

No, no no no no no no. No application that a user would need to use would *EVER* need Domain Admin rights. And you should never, ever, ever, ever even consider thinking about granting a user Domain Admins.

In fact, there are very few applications that actually need admin rights. Most apps say they need this because the developers don't know what permissions it actually needs. Instead of making someone an administrator, run procmon with an access denied filter and start the program. When it hits an access denied, start granting the user rights to what it needs.

If an application checks the local admin group to see if the user is a member of it, then you should use the Microsoft Application Compatibility Toolkit to create a shim for this application. It will fool the app into thinking the user is an admin, then you can continue to grant permissions to the application.

Never, ever, ever, ever, ever grant a user Domain Admin. You're just asking for some really major problems that will someday happen, and you will have no idea how they happened.

It was very confusing at the time because at times the user wouldn't have network access so they logged in locally.

A user authenticating against a local machine, and not a domain, would not have any rights to change passwords in a domain. *IF* they did, then this is a HUGE security hole in your delegation of AD permissions and someone needs to be fired for granting everyone rights to administer AD objects.




-If a user has local admin rights and general user domain account, is it possible to gain admin rights on a network PC either remotely or in person?

The user security principal is the domain user account. This principal is added to the local computer, granting the domain account rights to be an administrator. It will become an admin of this machine, and this machine only. The user will only be an admin on machines where their domain account, either explicitly or by membership of a group, has been granted admin access.

In an XP world.. sloppy imaging of machines could cause anomalies. If you built a machine, joined it to the domain, granted the user access, and then imaged that machine as a base for all of your other machines, then you could be seeing exceptions. This type of deployment ISN'T supposed to happen, but it did.

-If user has domain admin rights, could they remotely log into network PC and change local user password on the network PC?


A Domain Administrator can, by default, access and administer every workstation on the domain. So yes, they could remotely connect to a machine and change a local user password. They could also log directly into the machine and change it. And they could also change any AD User Password as well (by default).

If you take anything away from this thread... Domain Admin accounts are for Administration of Domain Resources. If you are a domain admin, you shouldn't even be a member of Domain Admins. You should have a second account that is only used for Administration purposes that you must manually log in as to do Administration tasks.
 
Many older applications that require admin rights do so because the application attempts to read/write data to a directory the standard user cannot access, which is usually Program Files.

You can give the Builtin\Users group Modify rights to the application installation directory to see if that takes care of it. You can also try using secpol.msc -> Software Restriction Policies -> Additional Rules -> New Path Rule -> (point to install directory) and choose Allow.

If you must give the user admin rights the best way is to just go into lusrmgr.msc and open groups, open administrators, then browse the domain and add the user. When they log into the PC with their domain account they will have local PC admin rights.
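An added example (not code from the thread) of the least-privilege fix the two posts above describe: after Process Monitor's "ACCESS DENIED" filter shows the app failing on writes to its install directory, grant BUILTIN\Users Modify on that directory instead of adding the user to any administrators group. The path C:\Program Files\LegacyApp is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Assumes the application lives in
# C:\Program Files\LegacyApp (hypothetical path) and that Process Monitor
# already showed it failing on writes to that directory.
#Requires -RunAsAdministrator

param(
    [string]$AppDir = 'C:\Program Files\LegacyApp'   # hypothetical path
)

if (-not (Test-Path -LiteralPath $AppDir)) {
    throw "Application directory not found: $AppDir"
}

# Show who can already modify the directory before touching it.
Write-Host "Current ACL for $AppDir"
(Get-Acl -LiteralPath $AppDir).Access |
    Where-Object { $_.FileSystemRights -match 'Modify|FullControl|Write' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Grant BUILTIN\Users (well-known SID S-1-5-32-545) Modify on the directory,
# its subfolders and files: (OI)(CI) = object/container inherit, /T = apply
# to the existing tree, /C = continue on errors. This is the narrowest change
# that lets a standard user write the app's own data; the user is not made
# an administrator of anything.
& icacls.exe $AppDir /grant '*S-1-5-32-545:(OI)(CI)M' /T /C
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify the new entry actually landed on the directory itself.
$usersRule = (Get-Acl -LiteralPath $AppDir).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' -and
                   $_.FileSystemRights -match 'Modify' }
if (-not $usersRule) { throw 'Modify right for BUILTIN\Users was not applied' }
Write-Host "BUILTIN\Users now has Modify on $AppDir"
```

If Process Monitor pointed at a single data subfolder rather than the whole install tree, pass that subfolder as $AppDir instead: Modify on the entire directory also lets every standard user replace the application's executables.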
 
You never need domain admin rights to run a piece of software on a local machine. However, you will have to add the domain user account to the administrators group on the local computer that the software is running off of. Also, of the bottom 2 questions, the first one does not make sense to me but the second one is: Yes, because the user is a domain administrator.
 
Domain Admin = god of the network. So no, local software wouldn't need that. At most, it would need admin = god of the machine.
 
You never need domain admin rights to run a piece of software on a local machine. However, you will have to add the domain user account to the administrators group on the local computer that the software is running off of. Also, of the bottom 2 questions, the first one does not make sense to me but the second one is: Yes, because the user is a domain administrator.

The second one would be a definite no. Assuming the account is a domain user account, and added locally to the specific workstation's administrators group, they would only have admin access over that box, and any attempts to connect to a different machine would have that machine checking domain privileges and privileges local to itself.

In a scenario where you have 2 workstations, workstation A has a domain user added to local administrators, workstation B has the default permission set. Said user logs into workstation A and gets granted admin, then attempts to connect to workstation B across the network. Workstation B checks the user against the domain and against itself and only sees user privileges, it does not know of nor care about the admin privileges on workstation A, and grants/denies access accordingly.
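An added example (not code from the thread) that makes the per-machine nature of local admin visible: it lists which domain accounts and groups sit in BUILTIN\Administrators on each workstation, so you can see on which boxes a user is "god of the machine" and spot leftovers from a cloned image as described in an earlier reply. It assumes PowerShell 5.1 or later on the targets, WinRM enabled, and an account allowed to query them; the workstation names and the CORP domain are hypothetical.

```powershell
# Added example, not from the thread. Workstation names and domain are
# hypothetical placeholders.
param(
    [string[]]$Computers = @('WORKSTATION-A', 'WORKSTATION-B'),   # hypothetical
    [string]$Domain = 'CORP'                                      # hypothetical NetBIOS name
)

$report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Well-known SID S-1-5-32-544 is BUILTIN\Administrators on every machine,
    # regardless of the OS language, so it is safer than the group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass     # User or Group
            PrincipalSource = $_.PrincipalSource # Local, ActiveDirectory, ...
        }
    }
}

# Domain principals granted admin on a specific box: this is exactly the
# per-machine grant the thread describes. Workstation B does not know or care
# that a user is in Workstation A's Administrators group.
$domainAdminsOnBox = $report | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and $_.Member -like "$Domain\*"
}

$domainAdminsOnBox |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, ObjectClass -AutoSize

# Flag any domain *user* (not a group) that is local admin on more than one
# machine; with deliberate per-machine grants that usually points at a cloned
# image or an over-broad policy rather than an intentional decision.
$domainAdminsOnBox |
    Where-Object ObjectClass -eq 'User' |
    Group-Object Member |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("{0} is local admin on {1} machines: {2}" -f
            $_.Name, $_.Count, ($_.Group.Computer -join ', '))
    }
```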
 