[BBLISA] Join AD without Domain Admin password

Sean OMeara someara at gmail.com
Mon Oct 6 22:24:30 EDT 2008


I'm pretty sure that, by default, any normal user can join a computer
to a domain up to three times without DA privs.
-s


On Mon, Oct 6, 2008 at 9:27 PM, Edward Ned Harvey <bblisa3 at nedharvey.com> wrote:
> Is there any way to join a Windows computer onto AD, without knowing the password of a Domain Administrator?
>
> I ask because one of my users supposedly did it.  None of the admins helped to join a fresh-out-of-the-box machine onto the domain, and yet it's on the domain.  I asked the user about this, and the response was gruff and vague, "I'm smart... I didn't have any help... I only used my own password..."   and exit the room.
>
> I double-checked, and the user is not part of the domain admins group.  I also double-checked, and my own "normal user" account is not able to join a machine onto the domain.
>
> The way I see it, there are only two possibilities - (a) somehow a normal user can join the domain without any admin help, or (b) somehow one of the domain admin accounts was compromised.
>
> Do I ...
> (a)  Simply talk to the manager and request that the user be fired. (and do all the necessary password resets, etc)
> (b)  (With manager present)  Offer the user the opportunity to demonstrate this accomplishment without a domain admin pass, and then request for the user to be fired if it can't be repeated on another machine.
> (c)  (Without manager present)  Ask the user to show me something cool that I've never seen before, that I didn't think was possible.
>
>
>



