Is there a possibility to elevate enterprise admin rights from child domain admin account, how?
Windows Server TechCenter, Windows Server Forums, Directory Services

  • Thursday, November 05, 2009 11:47 AM, xasm83
    Hi,

    I am planning an organization's AD architecture and I am just wondering if there is any possibility to elevate enterprise admin rights from a child domain admin account. For example, you have a forest with a root domain and a child domain, and the bad guys have physical access to a child DC and a child domain admin account.

    Please do not tell me about physical server security, BitLocker and other stuff; just imagine the mentioned situation.

    Thanks,
    Den

Answers

  • Thursday, November 05, 2009 12:31 PM, Marcin Policht [MVP]
     Answer

    This would certainly qualify as one of the reasons...
    If you are looking for advice on how to hack an AD forest, then this is not the right forum...

    hth
    Marcin

  • Saturday, November 07, 2009 9:04 PM, Meinolf Weber [MVP-DS]
     Answer
    Hello,

    It is possible, as Marcin mentioned, and I have seen an attempt where it worked some years ago. But as already said, the way it was done is nothing for the forum.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

All Replies

  • Thursday, November 05, 2009 11:54 AM, Marcin Policht [MVP]
    Den,
    yes - there is. This is one of the reasons why a domain is not considered a security boundary...

    hth
    Marcin
  • Thursday, November 05, 2009 12:21 PM, xasm83
    Den,
    yes - there is. This is one of the reasons why a domain is not considered a security boundary...

    hth
    Marcin

    Yes, I read it in many MS documents regarding the security boundary, but I need to know why. Also I need to know in what way such privileges could be elevated.
  • Thursday, November 05, 2009 12:56 PM, xasm83

    This would certainly qualify as one of the reasons...
    If you are looking for an advice on how to hack an AD forest, then this is not the right forum...

    hth
    Marcin


    I am not seeking a ready-made exploit; I just want to know if there were such successful attempts in the real world. For example, I know that it is possible to gain domain admin rights if you have physical access to a DC; I know how to do this and how such elevation works. I just want to have a reasoned answer. I need this in order to mitigate all security risks, to know the weak places of my infrastructure and, most important: what is the chance of this possibility?

    "This would certainly qualify as one of the reasons."  - is not an argument for me.

