An administrator is very different there are many levels of administrative control in windows to say an admin is an admin is absurd. There is a big difference between a local admin and a domain admin. There are many types of admin in windows and all of them have different levels of permission. I would be very scared to have anyone taking care of any of my systems windows or NIX who thought an admin was an admin and root is root. Here is a reference showing the different SIDs for some common windows accounts. Http://support.microsoft.com/kb/24333
If you take time to read it you will see there are numerous types of windows administrator all with different permissions. Sent from my iPhone On Dec 10, 2010, at 5:11 PM, "Stefan Kanthak" <stefan.kant...@nexgo.de> wrote: > "George Carlson" <gcarl...@vccs.edu> wrote: > >> Your objections are mostly true in a normal sense. > > And in abnormal sense? > >> However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > >> Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they authenticate > against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. > >> and so this >> vulnerability is problematic for shops that differentiate between >> desktop support and AD support. > > Again: this is NO VULNERABILITY. > An administrator is an administrator is an administrator. > > [braindead fullquote removed ] > > Stefan > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
