This topic contains 1 reply, has 2 voices, and was last updated by debate_instigator 1 month ago.
- July 8, 2020 at 7:00 pm #280137
This is a very special case – if this is outside the scope of this subreddit, let me know, but the moderators over at r/technicalsupport did not appreciate the intellectual challenge!
Long story short, I have inherited a Windows 7 Enterprise machine which seems to have, at one time, been administrated by an IT group at a large company. The previous owner gave it to me, the previous company no longer exists and it is not owned by any other entity. However, an overzealous IT manager seems to have removed all local user permissions except those allowed by the domain controller.
No PowerShell, no local group login credentials.
Now, it is my mission to repurpose this machine without expense. Details as follows:
Activated default Administrator account via cmd (by way of repair options).
net user Administrator reveals the following “Global Group memberships: *none”
Added Administrator to both localgroup Users and Administrators
Added testuser2 to localgroup Users
Both without password and with password, neither the Administrator account nor the testuser2 account can log into the machine (by “[LocalName]\Administrator” or .\Administrator). “Username or password is incorrect.” Bogus.
I have enabled a Guest user similarly, with no luck. At some point, “net localgroup workstation” was disabled, so I started it. Don’t remember when.
Oddly, I cannot get any PowerShell commands to run (can’t find path, not a known command, etc.), even trying to point to possible paths “%SYSTEMROOT%\System32\Powershell…” or substituting Sysnative or SysWOW64 in place of System32.
I can’t use Sysinternals tools because “service attached to this system is not functioning”. Assuming a connectivity issue, I find that netsh ‘is not recognized as an internal or external command, …’ (note: I have not tried to hardwire into my modem yet).
I have tried iseepassword but when it boots from media it does not even see a Windows or user ID to select.
Obviously I’ve tried more than this, but these seem to be the most relevant details. I would really like to beat this stupid machine, but it seems more and more like they’ve somehow stripped all local permissions and I can’t find a way to log into any account that isn’t explicitly tied to the original domain.
What do y’all think? Just how “locked down” could an old IT professional get a domain connected machine? Can the registry be sufficiently altered such that, without domain login credentials the only possible way to use the machine is a fresh OS install? Any guidance is greatly appreciated!
- July 8, 2020 at 7:00 pm #280138
I have pulled off some exploits in the past where I changed the CAs on a device so I can send in new policies to the device; maybe something along these lines could work. I’ve only tried the attack on Chrome OS though.
- July 8, 2020 at 7:00 pm #280139
Use Hiren’s boot CD. Boot into it, select Windows Offline Password Changer, use the option to set the admin password, use the option to unlock the account (just in case), use the option to promote that user, then save back the changes.
Reboot and you should be in.
Also note that if the machine was not properly unjoined from the previous domain, you’ll need to input ‘.\administrator’ (without the quotes) for the username.
Also, some sysadmins like to rename the local administrator. Keep an eye out for that when you’re running Hiren’s.
- July 8, 2020 at 7:00 pm #280140
What is your ultimate target here? Do you want to log in to the actual Windows install, do you want to see the hard drive, or do you just want to figure out what exactly they did to that machine to lock it up so tightly?