You made all domain users local admin? Or did you do some sort of RUNAS in the logon script?
>-----Original Message-----
>From: David Gillett [mailto:[email protected]]
>Sent: Monday, December 13, 2010 10:16 AM
>To: Thor (Hammer of God); 'George Carlson'; [email protected];
>[email protected]
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>> If I take the domain admin out of my local administrators, they can't do anything. Done.
>
> Back when I did AD/domain support, all domain user accounts got a profile
>that included a trivial script to re-add Domain Admins to the Local Admins
>group. So this kind of local removal shenanigans lasted only until the user
>next logged into the domain.
>
>David Gillett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
