How much of a security threat is this?
Posted by ButtSnacks_@reddit | sysadmin | 366 comments
Had a pen tester point out to us that we had our "domain computers" security group as a member of "domain admins". Likely was someone trying to get around some issue and did the easiest thing they could think of to get past it. I know it's bad, but how bad is this? Should someone be looking for a new job?
Drink_Stock@reddit
How does this even happen? In what situation would you do this even as a "temporary" measure?
saagtand@reddit
It's... bad.
Ixniz@reddit
This is honestly rebuild levels of bad.
Ok_Conclusion5966@reddit
Is your IT director Oprah?
You get admin, you get admin, you all get admin!
Boedker1@reddit
I’m sorry but what?
YungButDead@reddit
I feel sorry for the pentester having to experience that, and I feel sorry for me having to read about it.
PuzzleheadedArea3478@reddit
Probably made their day and he will still tell juniors in 30 years "about that one assessment".
YungButDead@reddit
It’s definitely a pivotal moment in their career: They’ll be telling this story to every customer as a warning…
SteveSyfuhs@reddit
Your entire environment is compromised. There is no recovery from this. You need to rebuild it from scratch.
I'm not joking.
Crotean@reddit
Third party full security audit to prove if there is anything compromised. Doubt they need to rebuilt from scratch. Unless that's cheaper than an audit.
SteveSyfuhs@reddit
No. An audit will not be enough. An arbitrary number of computers have had complete unfettered permissions to everything in this domain for an unknown period of time. There is no possible way you can guarantee it's safe.
Compromise of Domain Admin or a Domain Controller are and always will be points of no return. Since every machine in this environment is Domain Admin, a compromise of any single machine is a compromise of Domain Admin.
You can't walk back from that. Anyone that tells you otherwise is selling you something.
NebulaPoison@reddit
Not a sysadmin, just a helpdesk guy subbed here. I'm guessing it's so bad it would be impossible looking at logs for an attack due to how long it's been + it's all PCs?
PuzzleheadedArea3478@reddit
There's just too much to look at.
There are countless ways of achieving persistence, some very obscure and hard to find.
You would have to 100% check every single computer.
If I was an attacker, I would just plant several different persistent methods on several different computers. There is no way you are going to find them all unless you have infinite money and time.
Suspicious-While6838@reddit
Hypothetically someone could delete logs and use that access over the whole domain to do a lot to cover their tracks though it would be very unlikely that an attacker could or would take the time to completely cover their tracks. The person you are replying to is being overdramatic in my opinion. Not that this isn't ridiculously bad security but without a single IoC assuming everything is compromised is a huge jump.
SteveSyfuhs@reddit
Well, I might be over-dramatic, or I might know a thing or two because I've seen a thing or two. Considering what my day job is, I'd be willing to bet it's the latter.
egamemit@reddit
Going through various thoughts in my head on this, just for learning's sake since you asked:
Just from the sheer scope of time that it's been there, it's not realistic (I think it was said to be months).
It also assumes they have proper logging enabled and send it outside the domain where it can't be cleared, or that logging wasn't just disabled entirely on some PCs if compromised.
I think it's a fair assumption that if you're able to make this change without it being flagged, that proper logging or alerting isn't in place, among infinite other things.
The gut reaction is just turn everything off, but you have to go at this as if it's been compromised, in which case turning things off may remove evidence (memory, running stuff, etc.) for forensic analysis. The correct reaction is to call people to handle the situation and follow their instructions; it's way beyond you now.
I have no idea what the size of this place is, but if they're getting a pen test done I assume there's some compliance or insurance requiring it. It will be in that report and they'll have to show they went to certain lengths to find out just how large the impact may be.
Just_Shitposting_@reddit
ohh an official “third party audit” 🤣
bohiti@reddit
It is certainly possible but I wouldn’t go that far quite yet. It’s possible this is a smallish company and/or have just gotten lucky to not have a bad person stumble on probably the worst internal security misconfiguration most of us have ever heard of.
They do need some deep infosec audit/analysis to confirm though.
SteveSyfuhs@reddit
That's wishful thinking and not reality. There is no way to reasonably guarantee it hasn't been compromised when DA is involved.
Suspicious-While6838@reddit
I don't think "Don't look into this further, just tear down your environment and build from scratch" is ever really good advice though. Of course there's no way to say with certainty no compromise occurred. But the risk of active compromise is something OP's business has to weigh against the cost of building from scratch. They can't do that without doing an audit to see if there are IoCs or other security holes to assess the likelihood of a compromise.
Just_Shitposting_@reddit
OP said it’s been this way for 9 months. I’d start looking for a new job immediately. All of North Korea are camping on his network.
SteveSyfuhs@reddit
There are times you can argue this point and there are times when you declare bankruptcy and say f-it. This is the latter. Every single machine in this domain, and likely forest, was granted the highest possible privileges in the environment for an unknown period of time. A single machine compromise over that period means the entire domain is compromised. In a world of shades of gray, this is black and white. You can bring in an auditor. What will they say? "Well, we don't see anything amiss". Is that a statement you trust the business on? What /else/ is going on in that environment that this went undetected so long? Nuke it, do it right, and thank deity you got lucky and ransomware didn't make an appearance.
Just_Shitposting_@reddit
I wouldn’t ever use a computer on that domain
Just_Shitposting_@reddit
Nah just remove domain computers from domain admins and head home early after lunch 🤣
Zerafiall@reddit
Ask the pen-tester to rate it for you. That’s their job. If they can’t assess the risk to you, then find a different one.
Wendals87@reddit
I'm sure they will when the pen tester stops crying
PuzzleheadedArea3478@reddit
Crying because the company will say "There is no need to fix this. It's internal only and we have a Firewall".
NSA_Chatbot@reddit
"We have to consult with Pantone to get a new color to describe the severity."
mirrax@reddit
Yeah, "My eyes! The goggles do nothing!" definitely isn't your run of the mill Crayola color.
PhroznGaming@reddit
There's bad. There's worse. And then there is this.
ComeAndGetYourPug@reddit
The only thing that might've saved them is that it's such a stupid security hole that I feel like nobody would even think to try.
When would anyone try domain-admin-level tasks as a computer's local system account?
bobnla14@reddit
Me! I would, I would!!
Why?
MSP has the domain admins and will not give me the password to that. I have not pushed it as I've only been with the firm for 3 months. However, I did find out that there is a local admin on every laptop that I use to install software or printer drivers.
So I would definitely try and use the local admin to do a domain level task just to see if it would work. But I have over 30 years in the business and know that stupid stuff happens.
tobeonewiththesea@reddit
If an attacker is trying to do bad that’s the first thing they’ll look for no matter what machine they got ahold of.
DeadOnToilet@reddit
I’ve exploited this in three pen tests over the years. It’s unfortunately not uncommon.
ZombiePope@reddit
I think my favorite is one where auth users had generic write over domain admins.
kg7qin@reddit
Better than everyone or anonymous.
Chellhound@reddit
I... Wow.
Cheomesh@reddit
How would I? I would still need to know the machine's password, right?
-pooping@reddit
Would quickly be discovered using bloodhound
ZealousidealTurn2211@reddit
Not so stupid, by default anyone can see who is a domain admin so all they have to do is look to see who to try compromising.
stana32@reddit
Yeah, sometimes vulnerabilities are so ridiculously stupid nobody ever tries it. My old job's sister company did building security for a narcotics manufacturing facility. Extremely strict regulations, constant audits, that kind of stuff. One time when digging around trying to fix their incompetence in creating like 50 IP conflicts, I discovered that the master password to their camera system was admin1234. By the grace of some higher power, no pentest ever caught it, and I asked all my coworkers to guess the password and nobody guessed it.
goshin2568@reddit
Bloodhound would find this in like 5 seconds though
checky@reddit
Yeah I was gonna say I wouldn't even have to finish importing the json before Bloodhound would start screaming 😂
VexingRaven@reddit
Because anyone can see the membership of domain admins, that's like the 1st thing you'd check.
charleswj@reddit
Apparently not if you work at this company 🤦
Cozmo85@reddit
They were trying to have the system user access a file share to run a script off the file server.
25toten@reddit
If you thought about it, they definitely have
Caleth@reddit
Yeah I've seen the shit users pull to do all sorts of things.
kg7qin@reddit
This is right up there with the domain administrator account being used by copiers for scanning to folders.
I once found this setup somewhere and it has been in place for years. It was the account setup on several Konica Minolta copiers for authenticating to the fileserver and storing the output of scan to folder.
Nobody knew how long it had been there (it was in place for several years and there long before me). When I brought it up you would have thought the "Not Me" ghost was part of the system administrator team.
This was fixed and the password was promptly changed.
nfored@reddit
This comment made me happy. I have seen customers of mine put the management port of their security device directly on a public IP. I see it and have a mini heart attack and they are like "ah, we'll get to it eventually". For one of those customers the attackers' "eventually" was faster than theirs, and they got to experience an actual heart attack and days of no sleeping.
An ounce of prevention...
Affectionate-Cat-975@reddit
Even DCs are not members of domain admins. It’s so bad.
Problably__Wrong@reddit
I'm honestly impressed.
planedrop@reddit
This is the correct answer.
Like WTF
theFather_load@reddit
Letterkenjendary
ehzorg@reddit
On the bright side, you can be reasonably sure your domain wasn’t compromised yet. The first thing a threat actor would do as domain admin is fix that gaping hole.
sexbox360@reddit
Would mean that the SYSTEM account on all PC's has domain admin, no?
fdeyso@reddit
Let’s say you create a scheduled task that runs as SYS , you can use PS to do whatever you want using that scheduled task. You don’t even have to be able to modify the task scheduler, just find one that runs a script and modify it.
KimJongEeeeeew@reddit
And of course we know that if there’s shit like that group membership stuff going on in their AD they’re not requiring scripts to be signed.
yummers511@reddit
To be fair the script signing is more of a formality and won't really prevent much unless you lock down a lot more
MrShlash@reddit
Wdym? It prevents a modified script from running unless it has been reviewed and signed by the sysadmin. It’s another security layer surely more than a formality.
Dtrain-14@reddit
Microsoft doesn’t even sign the scripts they give you. Can’t even remember the last time I got a script from a Learn document that was signed lol.
charleswj@reddit
There'd be no point to sign them
KimJongEeeeeew@reddit
It’s one of the layers of the onion.
grandiose_thunder@reddit
Mmmmmm onions
fdeyso@reddit
And fix/workaround scripts are deployed to locations where it doesn’t need admin to be modified.
KimJongEeeeeew@reddit
What is C:\temp?
ThatITguy2015@reddit
You found my secret dumping ground! Delete this!
Coffee_Ops@reddit
Let's say you have some dinky service that's using a virtual service account.
That also gets to be a domain admin.
No_Resolution_9252@reddit
Dont even need it to run as sys, could run it as network service
itspie@reddit
If you have local admin or local system privilege escalation you have domain admin.
HadopiData@reddit
This seems like the good answer. Although not a pretty situation, if users aren’t elevated (no access to SYSTEM), aside from already installed apps I fail to see how someone could abuse this
sexbox360@reddit
I don't fully understand how SYSTEM would authenticate against a domain for malicious activities.
It SEEMS bad but Im struggling to articulate why.
FatBook-Air@reddit
SYSTEM itself wouldn't really get anything. But anything authenticating as the computer object would get domain admin. Also: services running as, say, NETWORK SERVICE could authenticate to have domain admin.
IMO: if the domain is overall not showing signs of compromise and all users are standard users (not admins in any capacity), I would fix the configuration and move on with life. If users are admins, I'd consider paving over the environment over time.
charleswj@reddit
This is not true. Create a share that only a computer account has access to, then on that computer use psexec to launch a system session and connect to the share.
This is pretty bad security advice. It minimizes the former scenario and exaggerates the latter.
FatBook-Air@reddit
You sound like you have read more about infosec than practiced it at a workplace.
charleswj@reddit
Which part? The first is demonstrably true, so you must mean the second. What do you disagree with?
Fwiw I work for the vendor of the OS and help a number of the largest seat organizations in the world, who also happen to be the most attacked, by the most well-funded adversaries, defend their networks.
But I do read a lot about infosec as well so 🤷♂️
FatBook-Air@reddit
SYSTEM would not get any local domain admin rights. It would only be able to remotely authenticate as domain admin.
If all users are standard users, the Admin --> SYSTEM elevation path does not effectively exist without some kind of privilege escalation bug. For most users, that's a very high bar to meet.
If users are admin users, the risk profile is dramatically different. Simply running the wrong thing from the interwebs could immediately use the Admin --> SYSTEM path.
You can't pave over large environments on a whim every time you find misconfigurations -- even serious ones. Your job in infosec is to measure risk and threats. Your place of business, first and foremost, has to remain in business, and if you're resetting the environment every time you find something spooky, you will become a bigger problem than the data breaches you're trying to prevent.
marklein@reddit
I presume that the PC would automatically authenticate to the domain when doing anything as System. I mean, that's what computer accounts are for. It is an odd thought experiment though...
Ssakaa@reddit
It's mostly a hard thought experiment 'cause "dear gods, why? No."
mats_o42@reddit
SYSTEM uses the computer account in AD. In other words, it's got a user and password...
Can they be "borrowed"? Yes...
fdeyso@reddit
Does MS tell you how to borrow it? Also yes 😅
There is/was an article to do a certain task, and the MS documentation literally showed you how to "borrow" the computer account. It didn't say what you did, but if you know you know. I called up our SOC in advance so they didn't sound the alerts.
Sketchyv2@reddit
It would be an easy privilege escalation assuming an attacker has local admin.
They could create a script that does *naughty stuff here* and make it run via a scheduled task running as NT Authority\SYSTEM.
As the local computer is automatically part of "domain computers", it is now also a domain admin. This means that the computer account (running our malicious script) now has the ability to do pretty much anything on the domain. Other computers and servers also most likely add "domain admins" to the local admin group.
The only thing stopping a ransomware attack across all domain computers and servers is a decent anti-virus and the hope that users don't have local admin perms.
sryan2k1@reddit
SYSTEM uses the computer object for authentication for all domain related stuff. It's how it downloads group policy as an example.
cpz_77@reddit
Even if they don’t have local admin. Stuff that runs under NETWORK SERVICE also uses the computer account to access network resources. I don’t think you need local admin to create a task running as NETWORK SERVICE?
Also someone with delegated rights to manage IIS could run an app pool with the AppPoolIdentity and that will also use the computer account for network access.
There are a ton of ways this could be exploited.
Overlations@reddit
Every user can add up to 10 computer accounts by default. If you haven't changed that (and it usually isn't very high on the priority list), any low-priv user can just add a computer account and then use that.
Also, local privilege escalation usually isn't a huge problem for threat actors; there's always some vulnerable driver, service, etc.
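The two conditions discussed in this part of the thread (a group that every machine belongs to sitting inside a Tier-0 group, and a MachineAccountQuota that lets any user create more such machines) can be checked in one pass. The script below is an added audit example, not code from any commenter; it assumes the RSAT ActiveDirectory module, read access to the domain, and the English default group names.

```powershell
# Added audit script, not code from the thread: walk the Tier-0 groups and report anything a
# machine can authenticate as (a nested well-known group, or any computer object reachable
# transitively), plus the ms-DS-MachineAccountQuota referred to above.
# Assumes the RSAT ActiveDirectory module and read access to the domain; group names are the
# English defaults, so adjust them on localized domains.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$domSid = $domain.DomainSID.Value
$tier0  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Principals that must never sit in a Tier-0 group, keyed by SID so renamed groups still match.
$neverTier0 = @{
    "$domSid-515" = 'Domain Computers'
    "$domSid-513" = 'Domain Users'
    'S-1-5-11'    = 'Authenticated Users'
    'S-1-1-0'     = 'Everyone'
    'S-1-5-7'     = 'Anonymous Logon'
}

$findings = foreach ($name in $tier0) {
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # Direct members: a well-known group here is the misconfiguration itself.
    foreach ($m in Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue) {
        if ($neverTier0.ContainsKey($m.SID.Value)) {
            [pscustomobject]@{ Group = $name; Finding = "nested well-known group: $($neverTier0[$m.SID.Value])" }
        }
    }

    # Transitive members: every computer object listed here gives SYSTEM on that host Tier-0 rights.
    # (-Recursive flattens nested groups; it can fail on very large groups or foreign principals.)
    $computers = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'computer' })
    if ($computers.Count -gt 0) {
        $sample = ($computers | Select-Object -First 5 -ExpandProperty Name) -join ', '
        [pscustomobject]@{ Group = $name; Finding = "$($computers.Count) computer account(s) are transitively members, e.g. $sample" }
    }
}

# The default quota of 10 lets any authenticated user create computer objects, each of which
# would have been Domain Admin in this domain. 0 closes that path.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No computer or well-known principal found in Tier-0 groups.' }
"ms-DS-MachineAccountQuota = $maq (0 recommended)"
```

Get-ADGroupMember -Recursive errors out on groups past the server-side size limit and on some foreign security principals in the built-in Administrators group, so a silent error there is not a clean result; if it fails, fall back to reading the group's memberOf chain from the computer side or run BloodHound as the other commenters suggest.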
Ok-Bill3318@reddit
Yup.
Ok-Bill3318@reddit
It turns a local exploit into domain admin. And plenty of PCs ship from the vendor with exploitable shitware pre installed.
jdptechnc@reddit
I wish I could downvote this incredibly naive take 100x
HadopiData@reddit
It’s not naive if users don’t have local admin
Ok_Initiative_2678@reddit
Only if you are also naive enough to believe that privilege escalation attacks are super rare or something.
Nothingtoseehere066@reddit
Escalating to run as system on any compromised workstation is child's play even without admin. It is incredibly naive and this is a HUGE risk. It won't be the source of compromise but once compromise occurs it is a wide open door for escalation and pivoting
GnarlyNarwhalNoms@reddit
Depending on the monitoring software on each endpoint, though, this could mean that a user has an unlimited amount of time to mess with it and potentially gain access.
In other words, if they were trying to hack the DC itself, that would set off alarm bells. But working on getting elevated privileges on the workstation is typically not going to be noticeable, right?
Ssakaa@reddit
At least privilege escalations are super unheard of on Windows, right?
mirrax@reddit
...right...
PAXICHEN@reddit
Reminds me of when I was in audit and came across a POC AML system with really recent prod data where the EVERYONE identity was in the SQL sa role. Thank you Big 4 consultants.
sryan2k1@reddit
Yes, that would be correct, as SYSTEM uses NT Authority\Network Service for network activity which in turn uses the computer object.
simulation07@reddit
Translation: time to worry!
Advanced_Day8657@reddit
That's very bad
RoundFood@reddit
I don't think I have ever even envisioned this. It's only now that you've mentioned it that my mind has started to think about the implications of it. It's so bad that I've never even thought of it being a thing.
Just_Shitposting_@reddit
They haven’t looked at Administrators yet 🤣
noncon21@reddit
Do yourself a favor, download purple knight; run a scan and start fixing shit yesterday
Just_Shitposting_@reddit
Thought you were gonna say download your resume
Wyld_1@reddit
This is the type of thing you need to rip off the band-aid and deal with the consequences. Use that report that the pen tester produced and get some traction with management. Be honest. Something is gonna break that was done incorrectly. The other commenters are correct, this is potentially a business ending event waiting to happen.
Just_Shitposting_@reddit
If that happened to a company I worked for, I’m out. There’s no recovering from this. The environment is cooked, the team is cooked, the CTO is cooked. OP said it happened 9 months ago 🤣
p90rushb@reddit
chmod -R 777 ./* , but your whole org
Just_Shitposting_@reddit
If only they had some Linux machines 🤣
MtnMoonMama@reddit
Yes. Bad. Very bad. Fix it ASAP.
Just_Shitposting_@reddit
He meant to say fix your resume ASAP because you need to start looking for a new job immediately. This is a terrible company.
AboveAverageRetard@reddit
Find a new company to work for bro. This should never happen and obviously your co-workers or CTO don't give a shit.
Just_Shitposting_@reddit
I’ve said the same thing in this thread. It’s a clear red flag for this organization.
_araqiel@reddit
Oh. My. God.
ButtSnacks_@reddit (OP)
I'll try to give full disclosure without outing myself just in case someone from my department is reading this: this was definitely not me, but another sysadmin. I don't know who yet, but I have the timestamp of when it was done -- almost 9 months ago, so no event logs on the DCs that I could find. If someone knows how to find out the who, it would be greatly appreciated.
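One way to get further than the DC event logs alone, as an added example and not a commenter's own procedure: the per-value replication metadata on the group's member attribute records when the link was last changed and which DC the write originated on, and it outlives the Security log. That narrows the search to one DC and a short window, which is where a 4728 (member added to a security-enabled global group) would be if auditing was on and the log had not rolled. Assumes the RSAT ActiveDirectory module, rights to read the Security log remotely, and the English default group names.

```powershell
# Added example, not code from the thread: find when "Domain Computers" was linked into
# "Domain Admins" and on which DC, then look for the matching 4728/4756 on that DC.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$daGroup = Get-ADGroup -Identity 'Domain Admins'
$dcGroup = Get-ADGroup -Identity 'Domain Computers'

# Link-value metadata carries a timestamp and originating DSA per member value; removed
# values stay visible (tombstoned links) until they age out, hence -ShowAllLinkedValues.
$meta = Get-ADReplicationAttributeMetadata -Object $daGroup.DistinguishedName -Server $domain.PDCEmulator -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' -and $_.AttributeValue -eq $dcGroup.DistinguishedName }

if (-not $meta) { throw 'No link metadata for Domain Computers in Domain Admins on this DC; try other DCs or the link has aged out.' }

$when   = $meta.LastOriginatingChangeTime
$dsaDn  = $meta.LastOriginatingChangeDirectoryServerIdentity   # CN=NTDS Settings,CN=<DC>,CN=Servers,...
$origDc = ($dsaDn -split ',')[1] -replace '^CN='
"Link last changed at $when, originating on $origDc (delete time: $($meta.LastOriginatingDeleteTime))"

# Security log on the originating DC. 4728 = global group (Domain Admins), 4756 = universal group.
# Requires the Security Group Management audit subcategory to have been enabled at the time.
$events = Get-WinEvent -ComputerName $origDc -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4756
    StartTime = $when.AddMinutes(-15); EndTime = $when.AddMinutes(15)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields from the XML rather than relying on Properties[] order.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $daGroup.Name) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId = $d.SubjectLogonId
            Member  = $d.MemberName
        }
    }
}
```

If the 4728 is gone but a 4624 for the same SubjectLogonId survives anywhere (or the change went through a SIEM, PAM tool or MSP RMM that keeps its own audit trail), the logon ID is the pivot to the source host. As the replies below point out, a DC event log after nine months is at best a starting point and, given who had Domain Admin, not a trustworthy one.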
ExcitingTabletop@reddit
lol, those logs are as trustworthy as gas station sushi.
You should treat everything as compromised, but guessing that won't happen.
EggShenSixDemonbag@reddit
This is just wrong... the event logs are the most accurate logs you're going to get.
Just_Shitposting_@reddit
Found who did it right here ⬆️
Coffee_Ops@reddit
Everything and everyone having domain admin on everything and everywhere means you can't really trust anything.
I don't know that I've specifically heard of anyone tampering with Windows event logs, but there's nothing magical about them that would stop you with that level of permissions.
ExcitingTabletop@reddit
lol
here's the code to delete entries. It relinks everything.
https://github.com/3gstudent/Eventlogedit-evtx--Evolution
"but that's deleting evidence, not changing it!"
Yeah. Changing has been easy forever. Just use a hex editor, change the data you want to change. The "tricky" part is remembering to generate a CRC32 checksum of first 120 bytes of the header + the bytes between 128–512, and paste that over the original. If you add new sections, remember to regenerate the file checksum.
The powershell for generating the CRC32 is:
# For a string. CRC32 computed in pure PowerShell (IEEE polynomial 0xEDB88320, the one EVTX uses),
# because [System.IO.Hashing.Crc32] is a NuGet package, not part of a stock PowerShell install, and its Hash() returns a byte[] rather than a number
$stringToHash = "This is a test string."
$bytes = [System.Text.Encoding]::UTF8.GetBytes($stringToHash)
$table = foreach ($n in 0..255) { [uint32]$c = $n; foreach ($k in 0..7) { $c = if ($c -band 1) { [uint32](0xEDB88320 -bxor ($c -shr 1)) } else { $c -shr 1 } }; $c }
[uint32]$crc = 0xFFFFFFFF
foreach ($b in $bytes) { $crc = $table[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8) }
$crc32 = $crc -bxor [uint32]0xFFFFFFFF
$crc32Hex = "0x{0:X8}" -f $crc32
Write-Host "CRC32 of string: $crc32Hex"
I winged that pretty quick so double check it yourself before running.
https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc
Here's the formatting info, if ya want it for ref when using the hex editor and you really will want it handy for adding new sections. Honestly I mostly am looking for cleartext so I typically don't need it. Lemme
Then use the link above to nuke the Service Control Manager Event ID 7035 that gets generated. If something is process monitoring, obviously take care of that separately.
There you go, everything you need to manipulate or delete from the "most accurate logs your going to get."
This is why you use SYSLOG server and keep it secured separately from everything else.
Sobeman@reddit
found the guy who did it
Just_Shitposting_@reddit
You need to start looking for a new job immediately. While not your fault, this is a literal meltdown. This is not a serious company, it’s not led by serious individuals, and the risks associated with this are insane. Move on quickly.
geegol@reddit
Anything that is done in Active Directory will be logged and tracked in Event Viewer, I'm pretty sure, on the particular DCs the objects exist on. So if there is no log, then they may have rotated or someone cleared the logs... I don't know how long Event Viewer logs stay around for, but it's a start. If you're using Event Viewer for logging and not an EDR, then you're in deep trouble. I know some EDRs can be set up to log AD activity, like if someone is added to the domain admins group. The funny part about this story is all computers were added to the domain admins group. Why not implement LAPS? LAPS would have solved whatever situation they were probably running into.
MushyBeees@reddit
By no event logs. Do you mean literally no event logs from this time? Or just none that you could find?
A starting point I’d guess would be the TS event logs, to see what IP/computer logged in around the time of the incident.
Some of the DFIR guys might be better equipped to assist here.
onewithname@reddit
Depending on your backup strategy restoring DC in isolated environment might help you recover those logs and go from there.
But with this situation, the "backup strategy" for all we know might be Ctrl+C on c:/windows to desktop... 🤷♂️
Not throwing shade or trying to diss, but this looks really bad. Wish you the best and hope you can manage to get some answers!
sa_wisha@reddit
No need to restore the whole DC, etl Eventlogs are sufficient.
fdeyso@reddit
Do you have ATP/MDI?
ZombiePope@reddit
That's REALLY FUCKING BAD.
Legitimate-Break-740@reddit
It means if a single computer gets compromised, the attackers will immediately gain domain admin. You tell me how bad that is.
Just_Shitposting_@reddit
If? If someone did this, there are probably 100 other holes and they’ve had a team camping out for years
Just_Shitposting_@reddit
You’re going to have to start all over. New domain, wipe and reimagine all computers. Sorry man that’s really bad. I’m sure a team is hanging out on your network.
tobographic@reddit
You're the one that needs to be looking for a new job dude, get out while you can.
JameEagan@reddit
Here's what GPT 4.1 had to say 😂
That misconfiguration is extremely bad—as in full domain compromise bad—but whether someone should be fired depends on intent, context, and company culture.
🔥 Why This Is a Critical Risk
Adding “Domain Computers” to “Domain Admins” means:
• Every computer account in Active Directory now has full administrative privileges across the domain.
• Any attacker that compromises a single computer (even just local SYSTEM) can elevate to full Domain Admin instantly.
• A standard user with the ability to join a computer to the domain could potentially create a new computer object and inherit Domain Admin privileges from it.
• This grants machines (and potentially users via token leakage or delegation) unintended write access to domain controllers, GPOs, and more.
💀 Real-World Consequences
If an attacker gained access to any domain-joined machine:
• They could extract machine credentials from LSASS.
• Use Pass-the-Hash or Pass-the-Ticket to impersonate that computer.
• Leverage that to become Domain Admin without ever needing to phish or escalate a user account.
This would be considered Game Over in any serious environment.
🧑💼 Should Someone Be Fired?
That’s a leadership and culture question, not just a technical one. Consider:
• Was it a junior admin making a bad call under pressure?
• Was there a culture of “just make it work” without proper peer review or change control?
• Was this change logged or documented at all?
• Has this been exploited?
If it was an honest mistake or a bad judgment call to get something working quickly, then it’s a chance to improve processes, not necessarily punish people. On the other hand, if someone knowingly did this and then tried to hide it, that’s much more serious.
✅ What You Should Do Immediately
1. Remove “Domain Computers” from “Domain Admins” immediately.
2. Audit who made the change (check AD modification logs or use auditing tools like Netwrix, ADAudit Plus, or even Event Viewer if configured).
3. Assume breach: check logs for lateral movement, elevated access from machine accounts, etc.
4. Force machine account password resets (Reset-ComputerMachinePassword) and consider rotating domain admin credentials.
5. Conduct a post-mortem and implement:
• RBAC review
• Tiered admin model (Tier 0, 1, 2)
• Better change management and peer review
• Logging and alerts for privileged group modifications
🔐 TL;DR
Severity: 10/10
Likelihood of compromise: High if not already exploited
Firing offense? Maybe—only if it was knowingly reckless or malicious.
But more importantly: fix it now, then build a culture and process that prevents it from happening again.
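The first, fourth and fifth steps of that list are the ones an admin can actually type, so here they are as an added example (not from the commenter or the model output above, and not a substitute for the incident response the rest of the thread is arguing about). It assumes the RSAT ActiveDirectory module, Domain Admin rights on a host you still trust, and the English default group names; every destructive call carries -WhatIf so the first run only reports.

```powershell
# Added remediation/hardening example, not code from the thread. Run from a trusted host as
# Domain Admin. Remove -WhatIf only after the dry run shows exactly what you expect.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$domainComputersSid = "$($domain.DomainSID.Value)-515"   # well-known RID of Domain Computers

# 1. Pull "Domain Computers" out of every Tier-0 group it was nested in (not just Domain Admins).
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $nested = Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
              Where-Object { $_.SID.Value -eq $domainComputersSid }
    if ($nested) {
        "Removing Domain Computers from $g"
        Remove-ADGroupMember -Identity $g -Members $nested -Confirm:$false -WhatIf
    }
}

# 2. Close the self-service path: with the default quota of 10, any user can create a computer
#    object, and here every computer object was Domain Admin.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf

# 3. Make sure the next Tier-0 membership change is logged as 4728/4732/4756 on the DCs.
#    Set this in the Default Domain Controllers Policy; the local equivalent on one DC is:
#    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 4. Credentials the machines could have used must be rotated, which is per-host work, not a DC change:
#    on each member:   Reset-ComputerMachinePassword -Server $domain.PDCEmulator
#    then reset every Tier-0 account and krbtgt (twice, allowing replication between resets),
#    because a Domain Admin-level compromise means every secret in the domain is suspect.

# Verify step 1 took effect (empty output is the goal).
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $domainComputersSid } |
        ForEach-Object { "STILL PRESENT: Domain Computers in $g" }
}
```

Two caveats the list above does not mention. SDProp will have stamped adminCount=1 and the AdminSDHolder ACL onto every principal it considered protected while the nesting was in place, so after the removal check `Get-ADObject -Filter 'adminCount -eq 1'` and clean up what should not be there. And removing the membership closes the door for the next attacker; it does nothing about anyone who already walked through it, which is the point the other commenters are making.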
behemothaur@reddit
Am thinking if you have a proxy server that’s got the same privileges it should be someone’s job…
MixIndividual4336@reddit
it’s the security equivalent of removing your car’s brakes because they made that annoying squeaky noise.
zymology@reddit
psexec -i -s cmd.exe
Accomplished_Sir_660@reddit
Its bad enough that it should have been resolved, YESTERDAY.
Top-Yellow-4994@reddit
nah, yesterday is too late
mr_data_lore@reddit
It should have been resolved before it was done... by firing whomever did it before they did it.
dlucre@reddit
Honestly I'm surprised there's no guard rails in active directory that straight prevents things like this from happening in the first place. I realise it shouldn't be needed, but I cannot fathom a reality where this configuration is ever valid.
the_marque@reddit
I mean AD is from a different era when admin means admin and admin means you know what you are doing.
the_marque@reddit
I mean probably, but... you did fix it already, right? Right?
A competent pen tester would flag this issue immediately (I don't mean including it in a final report) and a security conscious sysadmin would fix it immediately (I don't mean via change management).
Whether to go on a witch hunt is a management decision for later.
Crouching_Dragon_@reddit
Document everything in your purview. This is pretty dire.
i-heart-linux@reddit
Lmao
TheBlackArrows@reddit
My life was better before I read this. Marginally, but still.
noisywing88@reddit
this is honestly impressive, never crossed my mind that this was even a possibility
halofreak8899@reddit
What kind of position do you have to be in to even try this maneuver?
ImFromBosstown@reddit
😂😂😂
halofreak8899@reddit
If there are more than 3 computers at your job then yes.....that is very motherfucking bad. Bafflingly stupid.
Dry_Common828@reddit
Hey OP, it's time for your incident response team to get to work.
Ethicstest@reddit
Can you audit and find out who did that and maybe ask them?
moffetts9001@reddit
This has probably been in place longer than any paper trail would exist. In other words, years.
sryan2k1@reddit
Let's be real, any org that let that happen doesn't have any kind of auditing.
GuardiaNIsBae@reddit
It’s one admin account shared between 37 people so good luck tracking it down
dedjedi@reddit
Exactly. If this happened, there are hundreds of other holes
ExcitingTabletop@reddit
Scheduling an exorcism would be a good idea as well.
Recent_Carpenter8644@reddit
What are the chances that someone who would do that would remember they did it?
Recent_Carpenter8644@reddit
Is it possible that this is the result of an exploit, rather than someone trying to make something work? Eg rather than creating a domain admin that could be easily discovered, make a change people don't look for.
Suspicious-While6838@reddit
Not impossible but I think it'd be unlikely. There would be better ways to try and fly under the radar and honestly this is more likely to set off alerts than adding a more limited group or like a compromised service account. It also seems like it would be harder to exploit than a regular user account since you would have to entirely compromise at least one workstation or server to exploit it.
On the other hand I can think of lots of issues that this would resolve and have met a lot of people who are stupid enough to do this.
Recent_Carpenter8644@reddit
That's reassuring.
The people I know who would do this are just disorganised enough to forget to remove it again 2 minutes later like they intended.
ehextor@reddit
Well, that's a first one for me. Stunning level of stupidity. Is your DNS placed in DMZ too?
DDHoward@reddit
Can you ELI5 why placing a DNS server in the DMZ is a bad idea?
Ron-Swanson-Mustache@reddit
Yes, it was the only way to let our remote workers RDP in. We put everything in DMZ.
ehextor@reddit
So true, managing file permissions is a hassle too. I always just set Everyone -> Full Control and walk away
Ron-Swanson-Mustache@reddit
Yeah, we had pushback from senior management on MFA. So we got rid of that crap.
Kinglink@reddit
Is 8.8.8.8 in the DMZ? I'm not sure, I'll check.
robotbeatrally@reddit
Yes, is that a problem?
.
.
.
jk jk
Practical-Alarm1763@reddit
https://i.redd.it/j5hc6a9cs5cf1.gif
Able_Winner@reddit
Omg... 🤦
DonDuvall@reddit
Oh my god.
nanonoise@reddit
wow, just wow. and my day now seems a hell of a lot easier.
good luck buddy. I hope the person who did that is also not a person claiming to have any sort of cybersecurity skills at all.
IT_audit_freak@reddit
Outlook not so good.
Thorlas6@reddit
If a bad actor gets access to ANY machine in that group, which is literally all domain joined machines, they have domain admin rights by using the computer's system account.
This is critical, remediate IMMEDIATELY.
LinksLibertyCap@reddit
bojack1437@reddit
Well that's a new one for me......
Afraid_Suggestion311@reddit
I’ve seen horrible things, but never this
Cormacolinde@reddit
I’ve seen Domain USERS in Domain Admins, which is admittedly worse.
Afraid_Suggestion311@reddit
I’ve seen a situation where self service password resets are disabled and all users were instructed to log in to the admin dashboard with a SHARED global admin account to reset their passwords..
Fallingdamage@reddit
This is why I'm against an IT union. It only helps admins this stupid stay in their jobs easier.
Nova_Aetas@reddit
Unions are often the most effective for labourers doing the same work.
We are all so drastically different on all counts it would be very hard to effectively unionise.
Cormacolinde@reddit
An IT guild might be better, like engineers and architects have in some places.
ProfessionalITShark@reddit
Guild union, protect workers, but shoo out clowns. A business can choose to have someone work without them being in a guild...but..
clowns.
malikto44@reddit
It just means the jobs are offshored, and admins in another place who are just as stupid, but because they are contractors, they are stupid and don't care, so the same thing. In general, FTEs have a stake in a company. Contractors only care as long as their gig keeps going.
Again, this is a generalization, but I've found it valid.
DueBreadfruit2638@reddit
Wait, we're not on /r/ShittySysadmin?
Holy.
EggShenSixDemonbag@reddit
I feel like you're making this up.....Why even have a domain at that point?
ThatITguy2015@reddit
Oh. Ok, I stand corrected. It can get worse than all domain users being DAs.
Rawme9@reddit
I am honestly awe-struck at how awful this is. How in the world did someone even stumble upon this as a solution without raising 500 red flags
ThatITguy2015@reddit
I’d hope it was a small family shop with a sole IT crew who is finally getting help. The previous person didn’t understand security or AD and did what they thought worked. Probably started as someone “who knew computers well”, but never advanced their knowledge beyond that. I’ve seen that happen before, but never to this degree.
Afraid_Suggestion311@reddit
750 employees unfortunately
ThatITguy2015@reddit
https://youtu.be/rFeVfwDvTyM
HeKis4@reddit
Bruh why would you even reset your own password when you can just use the domain admin account ?
Cormacolinde@reddit
That’s quite something. I’m flabbergasted. What was the logic behind this?
Afraid_Suggestion311@reddit
People were apparently complaining that they needed to provide a form of verification when resetting their password (sms, secondary email, etc) so the sysadmin just decided to cave in and do it like that.
Still makes no sense to me.
jakendrick3@reddit
Part of my job involves evaluating existing single office setups, I've seen this multiple times. Common staff password as well for these accounts
Crotean@reddit
Honestly this might be worse because of how many automated processes use SYSTEM; you just need one worm on any computer in the environment to take full control of it. With users you have to get a compromised account or a user doing something extraordinarily dumb to take the entire environment down.
cpz_77@reddit
I think it’s pretty close. DU in DA is probably slightly worse because it would be slightly easier to take advantage of but then again DC being in DA may lead to an issue that is a little harder to detect since accessing network resources with computer accounts isn’t really the “norm”.
Both are very, very bad though.
ThatITguy2015@reddit
I’d argue the users is worse, at least from what I’ve worked with. The users are the ones that would pwn us far more often than malware being installed into the environment somehow.
I could be persuaded to go either way potentially, but I’m leaning on domain users being the worst for now. (Behind the global admin thing.)
ThatITguy2015@reddit
It isn’t just admittedly worse, that is (unless I’m missing something even more terrible) the worst thing you could do hands down.
skotman01@reddit
I’ve seen that before too. They had Exchange so ran a script every 15 min to re-enable inherited permissions on all users so ActiveSync worked.
I’ve also seen domain users in all local administrators group. That got switched to interactive pretty quickly when I discovered that so I could stem the bleeding while I figured out Wtf they did that for.
d3rpderp@reddit
Your organization is what ransomware groups call 'juicy'
DDHoward@reddit
Well, this is a résumé-generating-event if I've ever seen one...
eatfesh@reddit
“What not to do in your Active Directory environment” by Butt Snacks
dmuppet@reddit
This is like going to an Ebola convention without a safety suit. Idk. This has to be one of the craziest posts I've ever seen.
SukkerFri@reddit
I need to understand this... Your computers/devices have all been added to the Domain Administrator group? But that's devices added, not users. What happens then?
SukkerFri@reddit
Nevermind, just figured it out. SYSTEM getting Domain admin rights = bad :)
Humble_Wish_5984@reddit
That's true but SYSTEM does not have a Domain ObjectSID. I don't know what it would be able to do. It could be wide open or not actually usable. At minimum it would expose the potential for elevating accounts, significantly. I might be tempted to build a lab setup to see.
ClericDo@reddit
It can perform actions using the machine account associated with its AD computer object
Fusorfodder@reddit
This is justified scream test bad. Fix it and let whatever break.
mousebluud@reddit
You should all be looking for new jobs lmao
macgruff@reddit
Depending on how large your company is, and licensing level, you can ask Microsoft to do a review and make recommendations. One would be to use a top level GPO that uses “Restricted Groups” so that only the correct recommendation of groups for each type of object is always applied. Someone put the wrong object type into Domain Admins, either by accident or stupidity? Within X number of minutes (I think it was 90 min) the group pops right out.
BIG_FAT_ANIME_TITS@reddit
It's something.
HowdyBallBag@reddit
Yikes
ImAllergic2Peanuts@reddit
Whoever did that should not be a sysadmin lol
No_Resolution_9252@reddit
That is beyond bad.
PurpleCableNetworker@reddit
Might as well had “authenticated users” as a domain admin group…
scoopsofsherbert@reddit
My current company I work for has every user added to the local machine admin via GPO. You can create a least privileged user account and they even have admin access to the domain controllers. It's a giant mess. I've pointed out how dangerous this is to our IT Director and he said it's not a big deal. How can I anonymously get my company audited? It is driving me insane.
Then-Chef-623@reddit
Is this r/ShittySysadmin?
Signal_Till_933@reddit
This is the kinda shit that had me fuming when I was stuck in helpdesk and other ppl are out here doing this shit, and getting paid for it.
PoliticalDestruction@reddit
Ever had to explain a basic concept like DNS or AD replication to an engineer with like 20 years more experience?
Like shouldn’t YOU know that Mr “I worked at Microsoft for 10 years” engineer??
Literally had a 20+ year experienced engineer get confused why he added someone to a group, changed his DC to another in a different data center and was wondering why the person wasn’t there immediately. Like dude that colo is on the complete other side of the country and our replication time is like 5 minutes.
All while he was probably being paid 3x what I was getting paid.
d00ber@reddit
I'm consulting with a "Systems Architect" with 30 years of experience today and explaining how certificates work and it's one of the most painful things that I've ever experienced. "YEAH YEAH! I know how certs work!" ... No, you really don't.
Not even a basic understanding.
Squossifrage@reddit
"What's there to understand? You take a class, maybe they give you a test, then you're issued a certificate."
1cec0ld@reddit
Certificate Authority? Like Pearson?
reserved_seating@reddit
I don’t think they mean that kind of certificate.
ThatITguy2015@reddit
Yea, clearly we’re talking about the paper you get when you buy authentic merchandise.
reserved_seating@reddit
renrioku@reddit
That was the joke...
reserved_seating@reddit
Yeaaaaah, I got super whooshed.
ButtSnacks_@reddit (OP)
Wow, this sounds painfully familiar. We might have worked with the same guy.
Reseng9541@reddit
I was just about to link your post lol
PoliticalDestruction@reddit
Can confirm I’ve worked with the same person too
ThatITguy2015@reddit
Only 5 minutes? What the fuck black magic are you guys using? Ours can take a lot longer than that.
PoliticalDestruction@reddit
How do you live with replication greater than 5 minutes?
We once had a backbone go down and were on the massively smaller backup line that was throttled to hell and it was causing weird password sync and account lockout issues since replication was delayed
ThatITguy2015@reddit
We just kinda deal with it. Usually it isn’t too bad, but it can sometimes take much longer than 5. I think 30 or so has happened a few times.
PoliticalDestruction@reddit
30 minute replication would probably take down some of our legacy apps lol. But instead we just restart them every day instead of fixing it
g0del@reddit
I've known so many otherwise very competent sysadmins who don't understand the basics of DNS, I kind of just accept it now. And I'm not talking about having trouble with things like DMARC or DKIM (which are arguably more email than DNS), but basic misunderstandings of CNAMEs or the role of the serial number in BIND replication.
Gold-Antelope-4078@reddit
Master of BS goes far.
EggShenSixDemonbag@reddit
ah damnit, I'm in the wrong place...
MrD3a7h@reddit
Honestly, the subs are indistinguishable most of the time.
iamLisppy@reddit
No this is Patrick
RickRussellTX@reddit
Hi Patrick, I’m Dad
CharacterLimitHasBee@reddit
But I thought I was Dad
ThatITguy2015@reddit
Only if you found your cigarettes.
Happy_Kale888@reddit
It will be soon....
Ethicstest@reddit
r/subsithoughtifellfor
Ssakaa@reddit
Oh no, that one's real, and it's spectacular.
RedBoxSquare@reddit
Sounds like a boss who doesn't have too much knowledge deciding on whether to fire the sysadmin.
Historical_Score_842@reddit
The crossover we didn’t need 🫣
DarkwolfAU@reddit
LOL, I'm having a little trouble thinking of something that's worse than that. Maybe putting Authenticated Users into Domain Admins? Only a little bit worse :D
hinjew13@reddit
I just had a panic attack reading this
EggsInaTubeSock@reddit
DA in 1 move
heff1499@reddit
That's not great
Some clown at my work gave "Everyone" "Act as part of the OS" on domain controllers where I work years ago and nobody noticed until I started.
Just log a change and get it fixed, it's what pentests are for :)
ingo2020@reddit
If you need Reddit to answer these questions, you should be the one looking for a new job. Any sysadmin worth their salary should be able to intuit both the fact that this is a massive security issue, and why it's a massive security issue.
hakube@reddit
burn the whole thing down and start over. your environment is likely compromised in one way or another.
ryobivape@reddit
Someone should DO their job lol
Bamboopanda741@reddit
That’s about as bad as it gets
geegol@reddit
That’s a security issue waiting to happen.
JBusu@reddit
Wtf...... How......
My god that would be on the spot firing. I'm trying to think of a rational way that would be required, disregarding the security perspective.
Civil_Street_1754@reddit
https://www.reddit.com/r/ShittySysadmin/s/ptQxuJHn8q
SnakeOriginal@reddit
This is a joke right?
coldwives@reddit
Now the fun part is finding out what other shit they’ve been up to
ugus@reddit
lol
djgizmo@reddit
jfc. the sysadmins should retire.
lebean@reddit
Yes, if I were the IT manager at a company where this issue were found, and we could find the person who did it, I would absolutely fire that person with zero hesitation. That person is a danger to any system they touch and there's no hope for redemption for someone stupid enough to set that up in AD.
No_Vermicelli4753@reddit
What the fuck did I just read.
ImFromBosstown@reddit
😂😂😂
larion8989@reddit
You gotta be trolling right? :D
come_ere_duck@reddit
"someone" should be looking for a whole different career path. In any of the roles I've worked Domain Admin is reserved for senior IT staff who know wtf they're doing and handing that out willy-nilly is a pretty surefire way to ensure you don't stay in the job for too long.
LBarto88@reddit
Very bad. Sorry.
mkosmo@reddit
It's worse than you're imagining. Much worse. It's a sev 1 cyber incident bad.
ThatITguy2015@reddit
It’s only that bad when you know it exists. Just sweep it under the rug and tell nobody else. Sev 1 incident solved!
Kinglink@reddit
How do you think I get all my Sev 1s to disappear. And you can expense your amnesia pills to the company too!
ThatITguy2015@reddit
Pills? I just keep my amnesia juice in a desk drawer. “That was drunk me. If you want to talk to him, he’ll be here in 12 ounces.”
Kinglink@reddit
The problem is not yourself, the problem is the Managers who know about the Sev 1.
Caleth@reddit
I see you too have gone to the corporate school of IT training. "Can't this wait until next quarter, it'll affect my bonus?!"
Embarrassed_Crow_720@reddit
Domain admin for everyone!
No but seriously, this needs to be fixed now
troll_fail@reddit
Tell me you do zero access control reviews without telling me you do zero access control reviews.
lungbong@reddit
Undoing this will be interesting because it was probably done for a reason and undoing it will likely cause something to break, hopefully minor but who knows. Then there's how long can you really leave it like that, ideally you need to rebuild and start again because who knows who's found out about it and done something. Sure it could just be a user that's granted them access to something they wouldn't normally have or found a way to skive off but someone could've done all sorts of stuff and created themselves some additional back doors.
I once worked at a company that used Citrix and Winterms everywhere in my building; they assumed no-one would ever plug a real PC into the network. I was promoted to web developer for the Intranet and because it was a FrontPage managed site (showing my age) I needed FrontPage installed, but they couldn't work out how to make it work on Citrix (the previous dev was based at a different location which didn't use Citrix) so they gave me a PC. I was amazed to find that I had admin access to Lotus Notes, Citrix and a bunch of other stuff because they'd screwed the permissions up that badly. This is also the same company that had a domain admin account called backup with the password backup.
Ron-Swanson-Mustache@reddit
What in the cinnamon toast fuck?
Kahless_2K@reddit
This is something I would tell the manager we need to just fix now, see what it breaks, and figure out from there.
1TRUEKING@reddit
How did it take pen testers to figure that out. Should’ve been figured out way before that lmao what…
poopmee@reddit
I think this has to be in the top 3 worst configurations. I usually hear about companies giving all users local admin access, but domain admin?? This is so bad that if I were a bad actor I’d apologize for trying to steal your information and give it back!
satibagipula@reddit
Local admin access is actually fine if your overall configuration allows it. I used to work for a trillion-dollar company where most people had local admin, but every single system they interacted with was read-only and web-based. If anyone had access to a system where they could actually do stuff, they were not local admins. If anyone needed to have access to systems where they could change stuff for customers, they had a PAW with a smart card.
AV4LE@reddit
martinfendertaylor@reddit
Has anyone tested this to see exactly what the implications are? Without speculation? It might be nothing or it could be something.
cpz_77@reddit
Omg lol yeah that’s like…really really bad. Means anything that uses the context of any computer account in the domain to access network resources - which includes any services running as LOCAL SERVICE, NETWORK SERVICE or LOCAL SYSTEM as well as any IIS app running as the AppPoolIdentity - will all have full DA rights across the domain. That means if any single workstation or server is compromised in any way they basically immediately have full DA access.
I have no doubt someone did it to make something work, not realizing the consequences. But yeah, that’s actually one of the worst examples of that I’ve heard in a long time. Whoever did that should probably at a minimum have their DA rights pulled and just delegate them what they need to do their job (ie they shouldn’t have rights to manage the membership of domain admins group).
formerscooter@reddit
I can't even wrap my head around why someone would think of this. I can at least understand some bad decisions, like my last job, sysadmins (before me) just made everyone local admins rather than fix the problem; but this, I can't even come up with a reason why this was the 'easy fix'
Ok-Bill3318@reddit
That’s horrifically bad
unreasonablymundane@reddit
Wow! I would consider the domain compromised and start running the disaster recovery plan. Anyone with a domain joined machine could have done anything to the domain.
Wendals87@reddit
Plot twist. Adding domain admins was their disaster recovery plan for a previous issue
bitslammer@reddit
https://i.redd.it/jgfvmoot03cf1.gif
All I could think of...
Wendals87@reddit
When I worked in the help desk for a bank, all the service desk staff had domain admin.
It did get changed after a few years that I was there but I am very surprised that nothing bad happened
d00ber@reddit
Once when I first started working with an older company during the onboarding the person in HR was logging into the domain controller to reboot it cause she was having issues logging in. I knew right then and there, that whole job was going to be fucked.
ThatITguy2015@reddit
Wow. Whenever I think the place I work for is behind on things, I’ll instantly remember a few stories from here. Particularly this one.
25toten@reddit
GnarlyNarwhalNoms@reddit
Bahaha first thing I thought of
SikhGamer@reddit
Never seen a pen test worth its salt.
RedWarHammer@reddit
By default, anybody in a domain can join 10 computers. There's an impacket example that lets any of those authenticated users create an arbitrary computer account with a password of their choosing. That computer account then could be used to compromise your whole domain. Probably 2 minutes of effort and one valid user account would be game over. Did the pentester not dcsync your domain?
x534n@reddit
I can't think of any reason somebody would ever do this. I have never seen it done. I thought making users local admins was bad enough, this is next level.
twitchd8@reddit
LMAO! I found a similar situation... Every user was admin in our domain when I first started there... About a year prior, there was a massive data loss incident, and they were still reeling... It was basically Oprah Winfrey going around like "YOU GET DOMAIN ADMIN, YOU GET DOMAIN ADMIN, AND ALL OF YOU GET DOMAIN ADMIN!"
Feisty-Shower3319@reddit
Hey, where do you work at? ; )
zazbar@reddit
The admin is inside the computer.
Feisty-Shower3319@reddit
You might be looking for a job if you don't fix this!
Adventurous_Ad6430@reddit
Holy shit
Adventurous_Ad6430@reddit
And yes new job worthy
Sneeuwvlok@reddit
Yikes
Naznac@reddit
time for a scream test... remove it and see who starts swearing that something doesn't work
MushyBeees@reddit
Terrifying, is the answer. Top tier panic.
iamLisppy@reddit
OP: could you update this thread sometime later with what happens when this gets fixed? We all would love to know :)
God bless.
Globgloba@reddit
Lol 🤦🏻♂️😅
anotherteapot@reddit
I'm going to be honest with you - I mean no disrespect.
If you had to ask this question, you don't know enough about the systems you are managing. Please learn more about Active Directory, you really need to understand the permissions model very well in order to avoid situations like this. Use this as an opportunity to identify the gaps in your knowledge that led you to ask this question, and learn about those gaps. It will help you with not just this issue, but many others as well, and broaden your skills and capabilities in a meaningful way.
To answer your question, along with others here, this is bad. Almost the worst. Anyone on any PC in your forest can do whatever they want with your domain as admin.
bingle-cowabungle@reddit
Oh no someone came to a sysadmin subreddit and asked a sysadmin question, that means they're incompetent and should go straight back to the help desk.
Nexzus_@reddit
Just trying to think what issue that could solve.
Maybe something in PDQDeploy or LanSweeper, or some custom Remote Management software built by a 17 year old nephew who 'knows computers'
Fart-Memory-6984@reddit
Makes it easy if one machine is compromised to do the lateral attack
Gummyrabbit@reddit
Next you’ll tell us for ease of remembering passwords, everything is set to “Password123”!
GnarlyNarwhalNoms@reddit
"Guys, is this ticking clock attached with wires to a bundle of dynamite a bad thing?
Guys?"
notHooptieJ@reddit
"whats this candle with the sizzling wick?"
Baerentoeter@reddit
This is kind of cool. Like, extremely not cool but kind of cool.
povlhp@reddit
Sure you are not hacked? This is way too bad to be allowed. Surprised an audit did not show this before. Always audit domain admin and enterprise admin groups at least once per year.
chaotiq@reddit
When everything has privileged access then there is no privileged access
cspotme2@reddit
Time to see what other dumb mistakes this person made. Fireable offense, yes.
Ppl make mistakes but this isn't something like "oh I forgot to double check the backups for that day."
lost_in_life_34@reddit
easiest fix for any problem is to add everyone to domain admins
on SQL we add everyone to sysadmin or db owner
if everyone was in domain admins then half your tickets will go away
cspotme2@reddit
Their guy must have read your post
ddadopt@reddit
And the other half would go away when the malware took out the Jira server...
Overlations@reddit
Attacker wouldn't even need local admin rights to exploit this if you have AD defaults on (each account can add up to 10 computers), they could add their own computer and then go for domain admin.
Surprised pentester hasn't demonstrated this (maybe time pressure or scope restriction), but demonstrating shell on DC usually removes all doubts
Overlations@reddit
You are one WIN+R CTRL+V from finding out how bad is it!
swissthoemu@reddit
But.. But..
Why?
mirrax@reddit
It'd sure solve computers pulling GPOs from a network share...
Weird_Definition_785@reddit
that's about a 10/10 on the badness scale
datOEsigmagrindlife@reddit
This cannot be a serious question.
I did red team tests for a couple of years and I saw some pretty badly managed AD domains.
But nothing THIS bad.
I'm sure OP is trolling, either that or they were compromised and the attacker did this and they have no controls in place to detect it.
ButtSnacks_@reddit (OP)
I wish I was trolling. The reality is that this situation is happening and I thought I was going crazy in that no one else seems to be acting like the building is on fire, which it clearly is.
Smoking-Posing@reddit
Fake, but still weird as hell.
patmorgan235@reddit
Extremely.
That means that every computer account has the ability to reset passwords for all users, create objects on the domain, create and change GPOs, reconfigure Domain settings, change group memberships, etc. It also means that any user that is able to obtain local admin on any computer can do any of those things.
There is absolutely no reason for domain computers to be a member of domain admins.
NSA_Chatbot@reddit
If you're serious, this is the equivalent of not having any doors in your building. Not only can random people and threats wander in, you've also got an outrageous bug problem and maybe raccoons.
teganking@reddit
yeah somebody better fix that quickly before FIND OUT PHASE
Nick85er@reddit
Wow. No words.
DOOMD@reddit
So am I understanding the way it's setup is that any computer in the computer group has admin access? If so yeah, that's a big deal.
The way this is set up sounds super jank. I feel like I'm missing or not understanding something but you have a windows ADMIN "group" (whatever they call them now) and in this group are NOT ONLY USERS but also entire systems?
Am I understanding this properly? Because if so the answer is yes it's a BIG security problem.
joshadm@reddit
If any AD computers were set up with the Pre-Windows 2000 compatibility checkbox checked then those passwords can be easily guessed and anyone can privesc to domain admin.
IIRC those computers are set up by default with a password that is the device name, lower case, max 12 or 16 characters.
Good_Ingenuity_5804@reddit
Everyone a domain admin. Absolutely terrible from a security standpoint.
_ryohei@reddit
I'm sorry but lol
maztron@reddit
Fire yourself.
nlfn@reddit
this is a perfect match for the default AD permissions that allow any authenticated user to add a machine to the domain.
Sea_Fault4770@reddit
That's pretty bad. No easy way to trace who did it, though. Especially if it has been years. Be glad you didn't have any attacks.
SillyPuttyGizmo@reddit
That they have noticed
Sea_Fault4770@reddit
Fair point.
dedjedi@reddit
I think we are looking at evidence of a successful attack.
Ssakaa@reddit
*that you know about
8o8_Ninja@reddit
Say what now?
sweetpicklelemonade@reddit
Excuse me?
satibagipula@reddit
Someone should be looking for a new career, not a new job…
onewithname@reddit
Well TBH you never know when you're gonna need your domain joined printer/smart coffee maker/fridge to do some AD management. So this is just so forward thinking that whoever did this is practically LLM based AI...
p3aker@reddit
Brother get your three letters ready and save yourself some time and make them all the same: “I added domain computers security group to the domain admin security group, you’re fine”
AppIdentityGuy@reddit
My first question was how did you not notice this?
Step 1: Remove the group.
Step 2: Run a tool like BloodHound or PingCastle to get a comprehensive review of attack paths through your domain.
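The removal step above, together with the audit several commenters ask for (checking who actually sits in Domain Admins, and the default that lets any authenticated user create computer accounts), can be scripted before reaching for BloodHound or PingCastle. The following PowerShell is an added example written for this thread; it is not code from the post, from any commenter, or from either of those tools. It assumes the ActiveDirectory RSAT module, an admin session on a domain member, and the default English group names.

```powershell
# Added example (not from the thread or any tool named in it). Audits the built-in
# privileged groups for members that never belong there: computer objects and
# catch-all groups such as Domain Computers, Domain Users or Authenticated Users.
# Also reports ms-DS-MachineAccountQuota. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Find-PrivilegedGroupMisuse {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Groups to review (assumed default English names).
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # When set, remove offending *direct* members (honours -WhatIf / -Confirm).
        [switch] $Remediate
    )

    # Catch-all principals matched by SID so the check is locale-independent:
    # RID 513 Domain Users, 515 Domain Computers, 516 Domain Controllers,
    # plus well-known Authenticated Users (S-1-5-11) and Everyone (S-1-1-0).
    $catchAllRidPattern = '-(513|515|516)$'
    $wellKnownSids      = @('S-1-5-11', 'S-1-1-0')

    foreach ($groupName in $PrivilegedGroups) {
        $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        # Direct members: a nested catch-all group or a computer object is the finding itself.
        foreach ($m in Get-ADGroupMember -Identity $group) {
            $sid        = $m.SID.Value
            $isCatchAll = ($sid -match $catchAllRidPattern) -or ($wellKnownSids -contains $sid)
            if ($isCatchAll -or $m.objectClass -eq 'computer') {
                [pscustomobject]@{
                    Group = $groupName; Member = $m.Name; Class = $m.objectClass
                    Severity = 'CRITICAL'; Note = 'Direct member; computers and catch-all groups never belong here'
                }
                if ($Remediate -and $PSCmdlet.ShouldProcess("$groupName <- $($m.Name)", 'Remove-ADGroupMember')) {
                    Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false
                }
            }
        }

        # Transitive view via LDAP_MATCHING_RULE_IN_CHAIN (no Get-ADGroupMember size cap).
        # Membership through primaryGroupID (how most computers sit in Domain Computers)
        # is not expressed in memberOf, so those principals are counted separately.
        $chain      = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        $transitive = @(Get-ADObject -LDAPFilter $chain -Properties objectSid -ResultPageSize 1000)
        $viaMemberOf = @($transitive | Where-Object objectClass -eq 'computer').Count
        $catchAllRids = $transitive |
            Where-Object { $_.objectClass -eq 'group' -and $_.objectSid.Value -match $catchAllRidPattern } |
            ForEach-Object { [int]($_.objectSid.Value -split '-')[-1] }
        $viaPrimaryGroup = 0
        foreach ($rid in $catchAllRids) {
            $viaPrimaryGroup += @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultPageSize 1000).Count
        }
        $total = $viaMemberOf + $viaPrimaryGroup
        if ($total -gt 0) {
            [pscustomobject]@{
                Group = $groupName; Member = "$total principal(s) reachable via nesting"; Class = 'nested'
                Severity = 'CRITICAL'; Note = 'Each host''s SYSTEM / service contexts hold this group''s rights'
            }
        }
    }

    # The default quota lets any authenticated user create 10 computer accounts; when computer
    # objects carry admin rights that default matters, so report it next to the findings.
    $domain   = Get-ADDomain
    $quota    = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $severity = if ($quota -gt 0) { 'HIGH' } else { 'INFO' }
    [pscustomobject]@{
        Group = $domain.DNSRoot; Member = "ms-DS-MachineAccountQuota = $quota"; Class = 'domain'
        Severity = $severity; Note = 'Set to 0 and delegate computer joins explicitly'
    }
}

# Report only. Add "-Remediate -WhatIf" to preview removals, "-Remediate" to apply them.
Find-PrivilegedGroupMisuse | Format-Table -AutoSize
```

Run it read-only first and keep the output as the incident record; the removal path only touches direct members, so a catch-all group found through nesting still has to be traced and removed by hand, and the Restricted Groups GPO mentioned earlier in the thread is what keeps the membership from drifting back afterwards.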
Additional-Sun-6083@reddit
Nothing to see here folks.
12401@reddit
This is very bad. You should remove this immediately and fix. The correct way is to make "Domain Users" a member of "Domain Admins". I thought everyone knew this...sheesh.
BrainWaveCC@reddit
Whoa... That's an intriguing one.
Only slightly less difficult to leverage than adding "Domain Users" to the "Domain Admins" group, but also harder to notice...
Dan30383@reddit
Whoever did that needs to find a new career because being a sysadmin is not for them!
robotbeatrally@reddit
Wow that's wild, Buttsnacks!
bradgnarr@reddit
Bruh
awetsasquatch@reddit
Bruh....you should be running through a disaster recovery plan right friggin now.
what_dat_ninja@reddit
I think catastrophe may be underselling it.
cats_are_the_devil@reddit
So, every computer on your domain was effectively an administrator to your entire org...
Yeah, that's kinda bad dude.
STCycos@reddit
wow...
mezzanine_enjoyer@reddit
audit if possible. how long has this been a thing? I would be running deep scans on all my devices immediately to start
SpaceGuy1968@reddit
Ugh yeh this is pretty big and bad
equinox6k@reddit
Holy...wow... this is disgusting.
titlrequired@reddit
Well it’s not good.
cjcox4@reddit
It's a cross "space" elevation risk. And Microsoft is still way too heavy in assuming "hashes" are "auth". Sounds like an easy exploit. Would think it would be easy for anyone to get Domain Admin.