[BBLISA] Join AD without Domain Admin password

Edward Ned Harvey bblisa3 at nedharvey.com
Mon Oct 6 21:27:03 EDT 2008


Is there any way to join a Windows computer onto AD, without knowing the password of a Domain Administrator?

I ask because one of my users supposedly did it.  None of the admins helped to join a fresh-out-of-the-box machine onto the domain, and yet it's on the domain.  I asked the user about this, and the response was gruff and vague, "I'm smart... I didn't have any help... I only used my own password..." and then exited the room.

I double-checked, and the user is not part of the domain admins group.  I also double-checked, and my own "normal user" account is not able to join a machine onto the domain.

The way I see it, there are only two possibilities - (a) somehow a normal user can join the domain without any admin help, or (b) somehow one of the domain admin accounts was compromised.  

Do I ...
(a)  Simply talk to the manager and request that the user be fired (and do all the necessary password resets, etc.).
(b)  (With manager present)  Offer the user the opportunity to demonstrate this accomplishment without a domain admin pass, and then request for the user to be fired if it can't be repeated on another machine.
(c)  (Without manager present)  Ask the user to show me something cool that I've never seen before, that I didn't think was possible.




