Hi all,

Recently I have been playing around with the question of how you deal with a situation where you must have Domain Admin access to AD but do not have a Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable).

In W2K this was easy. You use one of those tools that reset the Administrator's password in the local SAM, boot into DS Restore Mode, copy cmd.exe over logon.scr, reboot, wait and get a shell running in the Local System context. As this is a DC and LSA has enough privileges to reset a Domain Admin password, you are all set.

In W2K3 this behavior has been changed. The screensaver runs in the Local Service account context and has no access to AD. This sounds nice and dandy, BUT if I boot into DS Restore Mode and install a service (using resource kit utilities) that will spawn a shell, which will run a script, which will reset the Domain Admin password, I still get access to the AD (tested successfully at home).

The problem I see here is the fact that in DS Restore Mode (actually it does not really matter in which mode), when you install a new service, it will run by default in the LSA context. I know that you will all say "physical access = Domain Admin" and will be right, but what bothers me more is the fact that a local account has a way to escalate its rights by taking advantage of the fact that new services default to run under the Local System account.

Your thoughts?

Guy

--
Smith & Wesson - the original point and click interface

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
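The point Guy raises, that a service created without an explicit account lands on LocalSystem, is easy to confirm and audit. The following is an added example (not from the original post or the list archive) for an elevated PowerShell session on the DC: it creates a throwaway service with sc.exe without specifying `obj=`, shows that the Service Control Manager assigned LocalSystem, then re-creates it under `NT AUTHORITY\LocalService` for comparison, and finally lists every installed service that runs as LocalSystem from a binary outside the Windows directory, which is the shape an ad-hoc resource-kit service would have. The service name `DemoSvc` and the use of `cmd.exe` as a placeholder binary are my assumptions for the demo; the service is never started and is deleted at the end.

```powershell
# Added example, not from the original post. Needs an elevated session and
# Windows PowerShell 3+ / PowerShell 7 (Get-CimInstance). Service name and
# placeholder binary are arbitrary choices for the demo (assumptions).
$svcName = 'DemoSvc'
$binPath = "$env:SystemRoot\System32\cmd.exe"   # placeholder image, never started

function Get-ServiceAccount([string]$Name) {
    # Returns the account the SCM will run the service as (StartName).
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").StartName
}

# 1. Create the service with no obj= parameter: sc.exe defaults to LocalSystem.
sc.exe create $svcName binPath= "`"$binPath`"" type= own start= demand | Out-Null
"Default account : $(Get-ServiceAccount $svcName)"        # LocalSystem
sc.exe delete $svcName | Out-Null

# 2. Same service, but with a low-privilege account chosen explicitly.
sc.exe create $svcName binPath= "`"$binPath`"" type= own start= demand `
    obj= 'NT AUTHORITY\LocalService' | Out-Null
"Explicit account: $(Get-ServiceAccount $svcName)"        # NT AUTHORITY\LocalService
sc.exe delete $svcName | Out-Null

# 3. Audit: services running as LocalSystem whose image is not under %SystemRoot%.
#    A service installed ad hoc (e.g. with resource-kit tools) would show up here.
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$winDir = $env:SystemRoot.TrimEnd('\')

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $systemAccounts -contains $_.StartName -and
        $_.PathName -and
        -not $_.PathName.Trim('"').StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    } |
    Select-Object Name, StartName, StartMode, State, PathName |
    Sort-Object Name |
    Format-Table -AutoSize
```

Step 3 is the part worth keeping as a recurring check: on a domain controller, any LocalSystem service whose binary lives outside the Windows directory deserves a look, since that is exactly the foothold the post describes. The `obj=` switch in step 2 is the fix for the default Guy is uneasy about: the account has to be chosen deliberately at install time, because the SCM will not choose a weaker one for you.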
