If our users hadn't been local admins (not my choice), they would not have been able to eject Domain Admins from the Local Admins group in the first place....
David Gillett

-----Original Message-----
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Monday, December 13, 2010 10:49
To: David Gillett; 'George Carlson'; bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

You made all domain users local admin? Or did you do some sort of RUNAS in the logon script?

>-----Original Message-----
>From: David Gillett [mailto:gillettda...@fhda.edu]
>Sent: Monday, December 13, 2010 10:16 AM
>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>full-disclosure@lists.grok.org.uk
>Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account
>Caching Allows Local Workstation Admins to Temporarily Escalate
>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>
>> If I take the domain admin out of my local administrators, they can't
>> do anything. Done.
>
> Back when I did AD/domain support, all domain user accounts got a
>profile that included a trivial script to re-add Domain Admins to the
>Local Admins group. So this kind of local removal shenanigans lasted
>only until the user next logged into the domain.
>
>David Gillett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
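As an added example that is not part of the thread, here is a Windows PowerShell 5.1 script doing the kind of re-add check the quoted message describes: it verifies that the domain's Domain Admins group is still a member of the local Administrators group and restores it if a local admin removed it. It assumes a domain-joined host running the script with local admin rights (startup script or scheduled task as SYSTEM), a placeholder NetBIOS domain name DOMAIN, and an invented event source name LocalAdminAudit.

```powershell
# Added example, not from the thread: detect and undo removal of
# DOMAIN\Domain Admins from the local Administrators group.
param(
    [string]$Domain = 'DOMAIN'   # placeholder; replace with the real NetBIOS domain name
)

# Resolve "DOMAIN\Domain Admins" to its SID so the comparison does not
# depend on display names (the group could be renamed or shown as a SID
# when the domain controller is unreachable).
$account = New-Object System.Security.Principal.NTAccount($Domain, 'Domain Admins')
$daSid   = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Current members of the local Administrators group, compared by SID.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$present = $members | Where-Object { $_.SID.Value -eq $daSid }

if ($present) {
    Write-Output "OK: $Domain\Domain Admins ($daSid) is in local Administrators on $env:COMPUTERNAME."
} else {
    # Drift detected: the group was removed locally. Restore it and leave a
    # record in the Application log so the event can be collected centrally.
    Write-Warning "Domain Admins missing from local Administrators on $env:COMPUTERNAME; re-adding."
    Add-LocalGroupMember -Group 'Administrators' -Member $daSid -ErrorAction Stop

    # 'LocalAdminAudit' is an assumed event source name; register it once.
    if (-not [System.Diagnostics.EventLog]::SourceExists('LocalAdminAudit')) {
        New-EventLog -LogName Application -Source 'LocalAdminAudit'
    }
    Write-EventLog -LogName Application -Source 'LocalAdminAudit' -EventId 1001 `
        -EntryType Warning `
        -Message "Domain Admins ($daSid) had been removed from local Administrators and was re-added."
}

# Report the remaining members so unexpected local admins are visible too.
$members | Select-Object Name, SID, PrincipalSource | Format-Table -AutoSize
```

Write-EventLog and the LocalAccounts cmdlets are Windows PowerShell 5.1 features; on PowerShell 7 the event-log write would need to be replaced with another sink.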