[BBLISA] Join AD without Domain Admin password

Edward Ned Harvey bblisa3 at nedharvey.com
Tue Oct 7 09:53:49 EDT 2008


A lot of people replied, thinking the same as me (that you can't join AD without domain admin privs, or having otherwise been granted privs explicitly) and offered advice on how to approach this situation under the assumption the user had (mis)used an admin account.

Two people, however (thank you Sean and Lord Sporkton) believed vaguely that a normal user could join a computer to AD.  And one person (thank you Dan) knew where to find documentation.
http://support.microsoft.com/kb/251335/en-us 
and
http://www.msresource.net/knowledge_base/articles/info:_how_does_ms-ds-machineaccountquota_work.html 

I don't know why I have been unable to reproduce the results with my own account - my account is in the same groups and created the same way, with no special privs granted to either myself or the user in question.

But I am satisfied that probably nothing nefarious took place, and I don't need to do anything about it.  




> -----Original Message-----
> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Edward Ned Harvey
> Sent: Monday, October 06, 2008 9:27 PM
> To: bblisa at bblisa.org
> Subject: [BBLISA] Join AD without Domain Admin password
> 
> Is there any way to join a Windows computer onto AD, without knowing
> the password of a Domain Administrator?
> 
> I ask because one of my users supposedly did it.  None of the admins
> helped to join a fresh-out-of-the-box machine onto the domain, and yet
> it's on the domain.  I asked the user about this, and the response was
> gruff and vague, "I'm smart... I didn't have any help... I only used my
> own password..."   and exit the room.
> 
> I double-checked, and the user is not part of the domain admins group.
> I also double-checked, and my own "normal user" account is not able to
> join a machine onto the domain.
> 
> The way I see it, there are only two possibilities - (a) somehow a
> normal user can join the domain without any admin help, or (b) somehow
> one of the domain admin accounts was compromised.
> 
> Do I ...
> (a)  Simply talk to the manager and request that the user be fired.
> (and do all the necessary password resets, etc)
> (b)  (With manager present)  Offer the user the opportunity to
> demonstrate this accomplishment without a domain admin pass, and then
> request for the user to be fired if it can't be repeated on another
> machine.
> (c)  (Without manager present)  Ask the user to show me something cool
> that I've never seen before, that I didn't think was possible.
> 
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
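The mechanism both links describe is the domain attribute ms-DS-MachineAccountQuota, which by default lets any authenticated user create up to 10 computer accounts. The following PowerShell is an added example for admins who want to check their own domain; it is not code from the thread or from Microsoft's KB article. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain naming context. It relies on two documented attributes: ms-DS-MachineAccountQuota on the domain head, and mS-DS-CreatorSID on a computer object, which the DC populates only when the creator lacked explicit create-child rights on the container, i.e. when the account was created under the quota rather than by an admin or a delegated account. A populated mS-DS-CreatorSID is therefore exactly the evidence the original poster was looking for.

```powershell
# Added example (not from the thread): audit the machine-account quota and
# list computer objects that ordinary users created under it.
# Assumes the RSAT ActiveDirectory module and read access to the domain NC.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota lives on the domain naming-context head object (default 10).
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName `
                        -Properties 'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Domain = $domain.DNSRoot
        Quota  = $obj.'ms-DS-MachineAccountQuota'
    }
}

function Get-QuotaCreatedComputers {
    # mS-DS-CreatorSID is only set when the creator had no explicit
    # create-child right, so its presence marks a quota-based join.
    $computers = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
                                -Properties 'mS-DS-CreatorSID', 'whenCreated'
    foreach ($c in $computers) {
        # The attribute is returned as a raw byte[]; decode it to a SID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   $c.'mS-DS-CreatorSID', 0)
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Creator deleted, or from a trusted domain we cannot resolve.
            $who = "$($sid.Value) (unresolved)"
        }
        [pscustomobject]@{
            Computer  = $c.Name
            Created   = $c.whenCreated
            CreatorSid = $sid.Value
            CreatedBy = $who
        }
    }
}

# Report the quota, then every quota-created machine with its creator.
Get-MachineAccountQuota | Format-List
$rows = Get-QuotaCreatedComputers
$rows | Sort-Object Created | Format-Table -AutoSize

# Per-creator tally: the DC counts existing objects per creator SID against
# the quota, so this shows who is close to exhausting their allowance.
$rows | Group-Object CreatorSid |
    Select-Object @{n='CreatedBy';e={$_.Group[0].CreatedBy}}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Mitigation (uncomment to apply): set the quota to 0 so only accounts with
# explicit rights on the Computers container, or the "Add workstations to
# domain" user right, can join machines.
# Set-ADObject -Identity (Get-ADDomain).DistinguishedName `
#              -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Run it from any domain-joined workstation with RSAT; no elevated rights are needed for the read-only part. If the user's account shows up as CreatedBy for the new machine, the join happened exactly as KB 251335 describes, and the quota (or the "Add workstations to domain" right in Default Domain Controllers Policy) is the thing to tighten rather than the user's account.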