Become domain admin by controlling an OU in Active Directory?

Question

Some tools that draw links between objects in a Active Directory architecture, show that if we have an user who is administrator of an OU on which a domain administrator is also present, so he can take control of the domain.

Is that true?

How is it possible if so?

James · Accepted Answer · 2016-08-05T16:06:24.060

1

Should be straightforward enough;

As OU administrator, reset the domain administrator's password (as he is in your OU)
Now you can log in as the domain administrator (you know the password now)
Configure your account to be a domain administrator (as you're currently authenticated as a domain admin).

edited Aug 05 '16 at 16:06

answered Aug 05 '16 at 16:00

James

161
3

Become domain admin by controlling an OU in Active Directory?

1 Answers1