List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only therefore to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Unanswered Active Topics

Forums Search

Forums >ActiveDir Mail List Archive >List Archives

Subject: [ActiveDir] lock out of the AD

Prev Next

You are not authorized to post a reply.

Page 3 of 3

Author

Messages

kurtbuff

Posts:211

01/09/2009 2:28 PM
I'm working through this exercise right now... We're in the process of decommissioning an NT4 domain in a foreign office - we've installed an Win2k3 DC for the corporate domain there, and an E2k3 box, but the part time IT guy (software developer is his main duty) is fighting us at every turn, in very passive-aggressive ways. I've taken away DA from him in the corporate domain, and will be taking away his firewall rights, etc., though I have delegated an OU to him for user/computer creation. He's also not going to be managing the AntiVirus, beyond the initial package install, nor the workstation patching. He'll be an admin on the file server, so he can manage backups and file permissions, but even for that there's going to be a lot of upset, because I'm going to re-order all of the permissions - he's still managing file/directory permissions as if he were still using NT4, and inheritance didn't exist. He likes deny ACLs. _shudder_ Resentment, disgust and barely disguised fury is the order of the day, topped with a helping of sneer. Thing is, I like the guy anyway - he's really intelligent and good at what he does, but refuses to give up some attitudes and ways of doing things that either make things harder to manage than they should be, or put our security at risk, and does not take direction at all well. Kurt On Fri, Jan 9, 2009 at 10:35 AM, Laura E. Hunter <laurahcomputing@gmail.com> wrote: > Especially when you're dealing with upgrades/migrations/consolidations > rather than green-field deployments, this is often more of a Layer8/9/10 > problem than anything else. I mean, you're going to a bunch of Alpha Geeks > (or at least people who think they're Alpha Geeks) and you're taking their > toys away. Even worse is that, regardless of how well you spin, you're > almost inevitable creating the perception of a "rice bowl problem" > (especially in this economy), where it's seen as "Corporate IT /The > Consultants/whoever is taking away my job and my ability to -feed my > family-." The arguments get positively visceral, and understandably so when > viewed from the perspective of the people who are being un-DA'ed. > > For these reasons, "What do you mean I'm not a Domain Admin anymore" > conference calls are some of the most migraine-inducing exercises > imaginable, if you've never been through one. > > On Fri, Jan 9, 2009 at 12:10 PM, Gil Kirkpatrick <Gil.Kirkpatrick@quest.com> > wrote: >> >> I've seen that same situation when global NT4-based orgs migrated to AD >> without rethinking their administrative model. "We needed 250 DAs before, by >> God, we still need 'em." Some of that was due of course to the DAs being >> unwilling to relinquish their perceived control. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

NilsK

Posts:105

01/09/2009 3:33 PM
Joe, > It makes me nervous when I hear good to hear you say that. (Or, to stay literal, to read you write that.) After I closed my mailer yesterday I remembered some newsgroup etiquette that said "no public hints how to hack into AD". I feel more comfortable to obey that. Bye, Nils

beads

Posts:32

01/09/2009 3:53 PM
I had to stop myself from sending them to pen testers board. Obviously, I thought better of it. It would have been more cruel to see this end up in the "idiots corner". Brent Eads Employee Technology Solutions, Inc. The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material. "Paul Bergson (ALLETE)" <pbergson@allete.com> Sent by: ActiveDir-owner@mail.activedir.org 01/09/2009 01:14 PM Please respond to ActiveDir@mail.activedir.org To <ActiveDir@mail.activedir.org> cc Subject RE: [ActiveDir] lock out of the AD I agree, I thought the same thing. Thanks Paul pbergson@allete.com (e-mail) pbbergs@msn.com (IM) From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, January 09, 2009 3:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD This whole thread kind of bothers me... Sort of like hacking AD 101. -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda Sent: Thursday, January 08, 2009 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD We don?t have that capability. Is there any other way? From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Craig, Coleman Sent: Thursday, January 08, 2009 4:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD Do you have the Directory Services Restore Mode user and password? If you can log in then you could schedule a task\script or a runonce to re-enable the account once you reboot. I.e?. ?dsget user <dn> -disabled no? From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda Sent: Thursday, January 08, 2009 5:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD We don?t have any account that can logon to the DC servers other then the administrator which is disabled. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Crawford, Scott Sent: Thursday, January 08, 2009 4:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD DCs don?t use the local SAM. The command you want is: At hh:mm /interactive cmd That will give you a cmd session from which to launch anything you want, including aduc.msc. hh:mm needs to be in 24 hour format. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda Sent: Thursday, January 08, 2009 4:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD Isn?t the local system account local and thus not able to run the ADUC? Can you send me the syntax command for AT? From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 08, 2009 4:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD Is there an account you can use to log into the DC, e.g. a backup operator or some such? If so, you can run the AT command to run ADUC under the local system account. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda Sent: Thursday, January 08, 2009 3:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD 2k3 enterprise From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 08, 2009 4:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lock out of the AD What version of Windows on the DC? From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda Sent: Thursday, January 08, 2009 3:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] lock out of the AD I inadvertently disabled the only AD administrator account that I have the password to. Is there a way to re-enable it. Message scanned by TrendMicro Message scanned by TrendMicro

listmail

Posts:824

aranda_a

Posts:29

01/09/2009 7:06 PM
I won't worry too much about a hacker using this information to break into and AD because pretty much none of your solutions worked. But we got it, thanks for all the suggestions. Antonio Aranda UT Premian Basin

beads

Posts:32

01/09/2009 7:42 PM
I don't remember seeing anyone actually link or post to a "hacker tool". An emergency admin tool, yes. Hacker (remote) tool, no. And yes, you see many a young mind or at least inexperienced person asking to learn "everything" about hacking to include root or administrator access. After reading enough of these you might get the feeling somehow, some of us may become (gasp!) a bit jaded. Brent Eads Employee Technology Solutions, Inc. The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material. "Antonio Aranda" <aranda_a@utpb.edu> Sent by: ActiveDir-owner@mail.activedir.org 01/09/2009 06:01 PM Please respond to ActiveDir@mail.activedir.org To <ActiveDir@mail.activedir.org> cc Subject RE: [ActiveDir] lock out of the AD I won?t worry too much about a hacker using this information to break into and AD because pretty much none of your solutions worked. But we got it, thanks for all the suggestions. Antonio Aranda UT Premian Basin Message scanned by TrendMicro Message scanned by TrendMicro

sbradcpa

Posts:496

01/10/2009 2:11 PM
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> Google gives better info. ;-) joe wrote: <blockquote cite="mid:C810AF0212AF485D979B2C53A9BCF20F@test.loc" type="cite"> <meta http-equiv="Content-Type" content="text/html; "> <meta content="MSHTML 6.00.6000.16788" name="GENERATOR"> <style>@font-face { font-family: Calibri; } @font-face { font-family: Cambria; } @page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; } A:link { mso-style-priority: 99 } SPAN.MSOHYPERLINK { mso-style-priority: 99 } A:visited { mso-style-priority: 99 } SPAN.MSOHYPERLINKFOLLOWED { mso-style-priority: 99 } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman" } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman" } DIV.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman" } A:link { COLOR: blue; TEXT-DECORATION: underline } SPAN.MsoHyperlink { COLOR: blue; TEXT-DECORATION: underline } A:visited { COLOR: purple; TEXT-DECORATION: underline } SPAN.MsoHyperlinkFollowed { COLOR: purple; TEXT-DECORATION: underline } SPAN.emailstyle1711 { FONT-WEIGHT: bold; COLOR: #000066; FONT-FAMILY: Calibri } SPAN.emailstyle191 { FONT-WEIGHT: bold; COLOR: #000066; FONT-FAMILY: Calibri } SPAN.EmailStyle19 { FONT-WEIGHT: bold; COLOR: #000066; FONT-FAMILY: Calibri; mso-style-type: personal } SPAN.EmailStyle20 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal } SPAN.EmailStyle21 { COLOR: #1f497d; FONT-FAMILY: Calibri; mso-style-type: personal } SPAN.EmailStyle22 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal } SPAN.EmailStyle23 { COLOR: #1f497d; FONT-FAMILY: Calibri; mso-style-type: personal } SPAN.EmailStyle24 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal } SPAN.EmailStyle25 { COLOR: #1f497d; FONT-FAMILY: Calibri; mso-style-type: personal } SPAN.EmailStyle26 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal } SPAN.EmailStyle27 { COLOR: #0f243e; FONT-FAMILY: Cambria; mso-style-type: personal } SPAN.EmailStyle28 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal } SPAN.EmailStyle29 { COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply } DIV.Section1 { page: Section1 } </style> <!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]--> <div dir="ltr" align="left"><span class="811121415-10012009"><font color="#0000ff" face="Arial" size="2">There was definitely enough information given for someone with moderate skill to break into an AD that they didn't own. I amnot saying every suggestion was correct or would work, but there was enough information. For the next trick, people can start discussing how to get Enterprise Admin if you have access to only a single writeable DC in a child domain.</font></span></div> <div dir="ltr" align="left"><span class="811121415-10012009"></span> </div> <div dir="ltr" align="left"><span class="811121415-10012009"><font color="#0000ff" face="Arial" size="2"> joe</font></span></div> <div> </div> <div align="left"> <div align="left"> </div> <div dir="ltr" align="left"><span class="625444604-27012006"><font color="#0000ff" face="Arial" size="2">--</font></span></div> <div dir="ltr" align="left"><span class="625444604-27012006"><font color="#0000ff" face="Arial" size="2">O'Reilly Active Directory Fourth Edition - <a moz-do-not-send="true" title="blocked::http://www.joeware.net/win/ad3e.htm" href="http://www.joeware.net/win/ad4e.htm">http://www.joeware.net/win/ad4e.htm</a> </font></span></div> <div dir="ltr" align="left"><span class="625444604-27012006"></span> </div> </div> <div> </div> <div class="OutlookMessageHeader" dir="ltr" align="left" lang="en-us"> <hr tabindex="-1"><font face="Tahoma" size="2"><b>From:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Antonio Aranda <b>Sent:</b> Friday, January 09, 2009 7:02 PM <b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] lock out of the AD </font> </div> <div class="Section1"> <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; color: navy; font-family: Arial;">I won’t worry too much about a hacker using this information to break into and AD because pretty much none of your solutions worked. But we got it, thanks for all the suggestions.<o:p></o:p></span></font></p> <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; color: navy; font-family: Arial;"><o:p> </o:p></span></font></p> <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; color: navy; font-family: Arial;" lang="ES-MX">Antonio Aranda<o:p></o:p></span></font></p> <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; color: navy; font-family: Arial;" lang="ES-MX">UT Premian Basin<o:p></o:p></span></font></p> <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; color: navy; font-family: Arial;" lang="ES-MX"><o:p> </o:p></span></font></p> </div> </blockquote> </body> </html> List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

sbradcpa

Posts:496

01/12/2009 12:26 AM
First page has several great hits. A software kit for $295, to a blog post that details it out. joe wrote: > You still have to be able to sort through it. Lots of bad info too. > The info on this list is considerably filtered. > -- > O'Reilly Active Directory Fourth Edition - > http://www.joeware.net/win/ad4e.htm > > ------------------------------------------------------------------------ > From: ActiveDir-owner@mail.activedir.org > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley > Sent: Saturday, January 10, 2009 2:07 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] lock out of the AD > > Google gives better info. ;-) > > joe wrote: >> There was definitely enough information given for someone with >> moderate skill to break into an AD that they didn't own. I amnot >> saying every suggestion was correct or would work, but there was >> enough information. For the next trick, people can start discussing >> how to get Enterprise Admin if you have access to only a single >> writeable DC in a child domain. >> joe >> -- >> O'Reilly Active Directory Fourth Edition - >> http://www.joeware.net/win/ad4e.htm >> >> ------------------------------------------------------------------------ >> From: ActiveDir-owner@mail.activedir.org >> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio Aranda >> Sent: Friday, January 09, 2009 7:02 PM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] lock out of the AD >> >> I won’t worry too much about a hacker using this information to break >> into and AD because pretty much none of your solutions worked. But we >> got it, thanks for all the suggestions. >> >> Antonio Aranda >> >> UT Premian Basin >> > List info : http://www.activedir.org/List.aspx List FAQ : > http://www.activedir.org/ListFAQ.aspx List archive: > http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

listmail

Posts:824

01/12/2009 8:38 AM
Ok, how about we don't validate it? -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm -----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Monday, January 12, 2009 12:22 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] lock out of the AD First page has several great hits. A software kit for $295, to a blog post that details it out. joe wrote: > You still have to be able to sort through it. Lots of bad info too. > The info on this list is considerably filtered. > -- > O'Reilly Active Directory Fourth Edition - > http://www.joeware.net/win/ad4e.htm > > ---------------------------------------------------------------------- > -- > From: ActiveDir-owner@mail.activedir.org > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan > Bradley > Sent: Saturday, January 10, 2009 2:07 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] lock out of the AD > > Google gives better info. ;-) > > joe wrote: >> There was definitely enough information given for someone with >> moderate skill to break into an AD that they didn't own. I amnot >> saying every suggestion was correct or would work, but there was >> enough information. For the next trick, people can start discussing >> how to get Enterprise Admin if you have access to only a single >> writeable DC in a child domain. >> joe >> -- >> O'Reilly Active Directory Fourth Edition - >> http://www.joeware.net/win/ad4e.htm >> >> --------------------------------------------------------------------- >> --- >> From: ActiveDir-owner@mail.activedir.org >> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Antonio >> Aranda >> Sent: Friday, January 09, 2009 7:02 PM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] lock out of the AD >> >> I won't worry too much about a hacker using this information to break >> into and AD because pretty much none of your solutions worked. But we >> got it, thanks for all the suggestions. >> >> Antonio Aranda >> >> UT Premian Basin >> > List info : http://www.activedir.org/List.aspx List FAQ : > http://www.activedir.org/ListFAQ.aspx List archive: > http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

You are not authorized to post a reply.

Page 3 of 3

Forums >ActiveDir Mail List Archive >List Archives > [ActiveDir] lock out of the AD

ActiveForums 3.7

Syndicate

Friends

List Archives

List Archives

Friends

Members

Articles

Related Links

Ads