What Local Admin Privileges Really Mean

This is a small post to explain common misunderstandings regarding local administrator rights that I encounter so often that I find I need somewhere to point for an explanation.

So what you can do with local admin rights is almost everything. Specifically:

  • You can modify almost any file, except those with (very) special security set
    • But you do have the right to change that security
  • Similarly you can modify almost all parts of the registry
    • And grant yourself access to remaining parts
  • But you are not exempt from Group Policies set by the domain administrators for either the computer or your account. You may find that you cannot
    • Use the command line (but perhaps bat files?)
    • Start Registry Editor (but the command-line REG command works)
    • Start any MMC snap-ins (sometimes it’s only authoring that is disabled)
    • Type addresses in the Windows Explorer address bar
    • Etc.

    When in doubt, you can run “GPResult.exe” (part of Windows XP) to get the list of policies applied.

    What can you do about it? You can remove the computer from the domain, but that’s likely not an option. You do not have the option of removing the GPOs, but you probably have (or are able to grant yourself) sufficient access to the registry to disable them temporarily. Each one needs to be disabled in a different manner, e.g. to enable the command prompt again, run “REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f”. Needless to say, this is very awkward and time-consuming, and your changes will be overwritten by the next GPO update, so you probably have to live with this.

  • If your server hosts MOSS/WSS, you can do pretty much everything as long as you are sure you are browsing that server. Known by most people, this is a very useful little “backdoor” (by design) security feature.
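
Because a local admin can rewrite the registry values behind the Group Policy restrictions listed above, it is worth checking that they still hold. The following added example (not part of the original post) compares three of those values for the current user against an expected baseline. The function name Test-PolicyDrift is hypothetical, and the DisableRegistryTools and RestrictAuthorMode locations and every Expected value are assumptions to adjust to what your GPOs actually set.

```powershell
# Added example. Baseline entries are assumptions: set Expected to the value
# your GPOs enforce (DisableCMD: 1 = block cmd and batch files, 2 = block cmd only).
$Baseline = @(
    [pscustomobject]@{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
                       Name = 'DisableCMD';           Expected = 1 }
    [pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
                       Name = 'DisableRegistryTools'; Expected = 1 }
    [pscustomobject]@{ Path = 'HKCU:\Software\Policies\Microsoft\MMC'
                       Name = 'RestrictAuthorMode';   Expected = 1 }
)

function Test-PolicyDrift {
    # Hypothetical helper: returns one result object per baseline entry.
    param([Parameter(Mandatory)] [object[]] $Baseline)

    foreach ($item in $Baseline) {
        $actual = $null
        # A missing key is a finding, not an error, so suppress the exception.
        $key = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
        if ($key) {
            # GetValue returns the supplied default ($null) when the value is absent.
            $actual = $key.GetValue($item.Name, $null)
        }

        if ($null -eq $actual) {
            $state = 'Missing'        # key or value not present at all
        } elseif ($actual -eq $item.Expected) {
            $state = 'Enforced'       # matches what the GPO should have written
        } else {
            $state = 'Overridden'     # present, but changed locally (e.g. set to 0)
        }

        [pscustomobject]@{
            Policy   = $item.Name
            Path     = $item.Path
            Expected = $item.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

# Report only the entries that no longer match the baseline.
Test-PolicyDrift -Baseline $Baseline |
    Where-Object { $_.State -ne 'Enforced' } |
    Format-Table -AutoSize
```

HKCU is per user, so run this in the session of the account being checked; an empty table means every baseline value is still in place.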

And there are so many details better left out here…