Creating a hidden administrator

Archived from groups: microsoft.public.win2000.security

I need to create a user object in active directory with complete
administrator rights and then hide that object from everyone (including
Administrator) with the exception of the owner of the company. I haven't
found a method for doing this. Any suggestions? Thanks
  1. Steven L Umbach replied:

    I don't believe that is possible. You can change permissions on any AD
    object such as a user, and a user needs read permissions to see an object via
    Active Directory, but I believe that once every sixty minutes or so the
    permissions would be refreshed to add the Administrators group back with
    default permissions. Besides, there are many other ways to enumerate
    groups, such as [ net group "domain admins" ]. Bottom line is that
    administrators must be trusted. There are ways, such as file encryption, that
    can be used to deny even administrators access to a user's data if done
    correctly. Also, it may make sense in certain cases to use physically secured
    workgroup computers that are not members of the domain if a user needs to
    be isolated from domain admins. A non-domain computer may still access
    domain resources if needed, as long as the user knows credentials to an
    account in the domain and the resource computer does not have an IPsec
    require policy assigned to it using Kerberos as the computer authentication
    method. --- Steve


    "davidwr" <davidwr@discussions.microsoft.com> wrote in message
    news:86AF4118-9D86-4B34-8CDD-B2A6A77F977B@microsoft.com...
    > I need to create a user object in active directory with complete
    > administrator rights and then hide that object from everyone (including
    > Administrator) with the exception of the owner of the company. I haven't
    > found a method for doing this. Any suggestions? Thanks
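    As an added defensive example that is not part of this thread, the PowerShell below audits the two points Steve raises: it enumerates the privileged accounts (Domain Admins membership plus anything the protected-account refresh has stamped with adminCount=1) and then flags any of them carrying an explicit Deny ACE, which is what an attempt to "hide" an administrator from other administrators leaves behind. It assumes the RSAT ActiveDirectory module (which did not exist for Windows 2000) and a reader account with rights to read the domain; the variable and property names are the module's own, everything else is constructed for the example.

```powershell
# Added example, not from the thread: audit privileged AD accounts for explicit
# Deny ACEs, the residue of an attempt to make an administrator invisible.
# Assumes the RSAT ActiveDirectory module (creates the AD: drive on import) and
# that it is run from a domain-joined host as an account allowed to read AD.
Import-Module ActiveDirectory

# 1. Collect privileged accounts: recursive Domain Admins members plus every user
#    SDProp has marked adminCount=1 (the "refreshed every sixty minutes" behaviour
#    Steve mentions, which also resets such objects' ACLs to the default).
$privileged = @{}
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $privileged[$_.distinguishedName] = 'Domain Admins member' }
Get-ADUser -Filter 'adminCount -eq 1' |
    ForEach-Object {
        if (-not $privileged.ContainsKey($_.DistinguishedName)) {
            $privileged[$_.DistinguishedName] = 'adminCount=1'
        }
    }

# 2. Inspect each object's security descriptor for non-inherited Deny ACEs.
#    A Deny for Authenticated Users, Everyone or Administrators on a user object
#    is the signature of someone trying to keep it out of directory listings;
#    on a protected account it is doubly suspicious, since SDProp should have
#    removed it within the hour.
$findings = foreach ($dn in $privileged.Keys) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
            [pscustomobject]@{
                Account  = $dn
                Reason   = $privileged[$dn]
                DeniedTo = $ace.IdentityReference.Value
                Rights   = $ace.ActiveDirectoryRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No explicit Deny ACEs on $($privileged.Count) privileged account(s)." }
```

    An account that is already unreadable to the account running the script will not appear at all, so compare the count against `net group "domain admins"` run as a different administrator, or run the audit as a member of Domain Admins.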
  2. Samir replied:

    Dear David,

    Technically it seems possible, because I have a Chinese rootkit in my
    collection of hacker tools (for security demonstrations in a virtual machine)
    that is able to hide itself from anything (filesystem, registry, service
    list), just like the HackerDefender rootkit.
    In addition, it is able to create a hidden user that can be made a member of
    the Administrators group.

    Of course you won't be willing to use a rootkit from an untrusted source to
    achieve your goal.

    This security website (http://www.security.org.sg/code/index.html) gives
    you a detailed insight into how these hiding techniques work.

    As I said, there are ways to hide things like files, services, registry
    entries and users by using special programming techniques to create some
    services that intercept each request.

    Hope this helped a bit.

    Samir
