Is it possible to gain administrative rights under a domain in W10 while having local admin privileges?

I'm still trying to get the hang of Windows accounts under a DOMAIN, but I have some security questions.

From my experience it seems that on a machine local users and domain users are completely separated.

For example, a local Admin cannot make account changes to a Domain user; you need Domain admin privileges for that.

Considering everything is stored as data on the machine locally, this seems to be a Windows restriction.

Is there a way to bypass this? Since there is both hardware and local admin access to the machine, how can someone recover the DOMAIN admin password or allow a local admin to make changes to a DOMAIN user?

Kind regards

edit: Running this command seems to do it, but why?

    net localgroup Administrators /add DOMAIN\USER

Tags: windows domain password-recovery privileges administration

asked Dec 7 '18 at 8:33 by TnF
edited Dec 7 '18 at 10:09

          2 Answers

"Considering everything is stored as data on the machine locally, this seems to be a Windows restriction."

No, the domain account information is merely cached on the machine. Even if you find a way to make any changes to the cache, they will not propagate from your machine to the rest of the domain – and definitely not to the domain controllers themselves. So all you get is local admin access, nothing more.

Note that merely being logged in to a user account locally is not enough to be recognized as that user by other domain servers/machines. The account's credentials (password) also have to match those known by the domain controller.

"Is there a way to bypass this? Since there is both hardware and local admin access to the machine, how can someone recover the DOMAIN admin password"

It's possible to abuse the "offline login" (cached domain credentials) feature. When domain users log in, their password hash is cached along with the usual information, so that the same user will still be able to log in even if network access is unavailable. IIRC, the offline hashes are stored for two weeks, and can be extracted and cracked.

If you really need to log in locally to a domain account, the hashes can be temporarily replaced with something known. See this thread: https://security.stackexchange.com/questions/182986/replacing-cached-domain-credentials-in-security-hive. However, as already mentioned – after doing so, you will still be limited to local machine access.

answered Dec 7 '18 at 9:16 by grawity

          yes, thanks for the information. I am not trying to hack the domain in the network. I was thinking about the restrictions placed locally on a single machine. Please see my edit to my question above, can you explain this?
          – TnF
          Dec 7 '18 at 10:13




"can someone recover the DOMAIN admin password?"

Answer: No, unless you use illegal hacking methods.

The password is not kept on the local computer as plain text but as a hash, so you will need to enter a string that has exactly the same hash value. The hash function used is aimed at minimizing such possible collisions, so don't even try.

The password is tested on the server, not locally, so you cannot run a product locally to brute-force the password, unless you pass through the domain server.

"allow a local admin to make changes to a DOMAIN user"

If you know the domain user's password, you can use the runas command to run a program under the domain user's credentials. You can then use the syntax:

    runas /netonly /user:DOMAIN\username command

The net localgroup administrators command will work to add the domain user to the local Administrators group, although you will still need the password to log in. This command should only be run when the computer is connected to the network.

Note that you may do the same using Computer Management: click Groups, right-click Administrators, click Add to Group, click Add, and in the Select Users dialog box enter DOMAIN\User.

answered Dec 7 '18 at 10:07 by harrymc
edited Dec 7 '18 at 10:46

          Thanks for the reply. It's not illegal if it is your own machine lol. But still hacking since we are assuming we don't know the login details to the Domain. How about bruteforcing the password? Let's say we have the info on how many characters are used. Isn't there a tool that can read the HIVE and try to crack it outside this machine so that there is no bruteforce protection? As for the second part of your answer please read the edit to my question above and explain it.
          – TnF
          Dec 7 '18 at 10:16





