3

Is it possible to have a previously domain-connected client computer re-join a Windows domain after a clean re-install of the OS, to assume again its old identity, all without the explicit say-so of the domain admin?

Does the answer vary depending on which authentication protocol is being used?

Greg Askew
Oskar Lindberg

1 Answer

3

No. Domain Admin certainly is not required, but elevated permissions will need to be delegated. The authentication protocol is not relevant.

More permissions are required to re-join a computer than to join a computer, because permissions are required to modify the existing computer account object. There are two ways to do this: reset the computer account object, or delegate specific permissions to the objects/containers where the computers exist/will be joined/staged.

Additionally, the computer account's dynamic DNS record is usually orphaned during this process, so the security principal performing the join would also need permission to change the owner of the DNS A record.

Greg Askew
  • Thank you for taking the time to answer. Just a follow up: Without any permissions other than those of a local administrator's, re-joining the domain would not be possible? – Oskar Lindberg Feb 28 '16 at 14:03
  • No, unless the person performing the activity were the object owner. When a computer is joined to the domain, the owner may be the account that performed the join. In that case, they may be able to do it, but I would not rely on that. – Greg Askew Feb 28 '16 at 14:46
  • Thanks again. I'm somewhat surprised that whatever information is stored locally, and that is required for identifying the client to the domain, cannot be restored. I'll probably have to ask another question about that later. – Oskar Lindberg Feb 28 '16 at 15:02
  • There isn't anything stored locally if you reinstall Windows. Also, even if you disjoin the computer from the domain, rejoining would require, at a minimum, resetting the computer account in Active Directory Users and Computers. This is because the shared secret is new and always unique. – Greg Askew Feb 28 '16 at 16:02
  • Of course information wouldn't remain after a clean install. That's why I said "restored". I would have assumed any required data could be extracted before re-installation, and then restored again afterwards, shared secret or whatever. – Oskar Lindberg Feb 28 '16 at 16:15
  • You may want to re-phrase the question, which specifies a clean install. If the computer is restored from backup, and the computer had not changed its password since the last backup, it should work. In that case, there would be no need to "re-join" the computer to the domain. – Greg Askew Feb 28 '16 at 16:33
  • I do mean a clean install and not a backup, just like I stated. I'm asking if it's possible to have a computer assume its old identity again "without the domain knowing". The process could well involve restoring (or faking) pieces of information, but not the entire machine (e.g. it's another OS). I don't know what pieces we're talking about, I'm just asking if it could be done. – Oskar Lindberg Feb 28 '16 at 16:51
  • 1
    The "piece" is the LSA shared secret. It isn't possible without restoring system state from backup. – Greg Askew Feb 28 '16 at 17:00
  • According to the following article, the LSA shared secrets etc. can be decrypted and extracted. Wouldn't that help? https://blogs.technet.microsoft.com//2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry/ – Oskar Lindberg Feb 28 '16 at 17:11
  • 1
    I can't imagine how that would help anyone restore a computer account domain membership, particularly when there are far easier and simpler methods to achieve the same desired end result. – Greg Askew Feb 28 '16 at 17:44
  • I'm not asking if it's a practical solution, I'm asking if it can be done. According to [this answer](http://security.stackexchange.com/a/116175/58802), in theory, there's nothing preventing it. – Oskar Lindberg Mar 02 '16 at 16:03
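The procedure the answer and comment thread describe (reset or delegate rights on the existing computer object, deal with the orphaned DNS A record, then join with a non-Domain-Admin credential and confirm a new shared secret exists) as a PowerShell walkthrough. This is an added example and not code from the answer's author. The domain contoso.local, the OU=Workstations container, the computer name WS01 and the delegated account CONTOSO\svc-joiner are assumed names; the admin-side function needs the RSAT ActiveDirectory and DnsServer modules, and the dsacls object-type strings are schema display names you should confirm against `dsacls /?` on your own DC before running.

```powershell
# Added example, not from the original answer. All names below are assumptions.
#Requires -Modules ActiveDirectory, DnsServer

# Runs on a DC or RSAT host as a principal that already has rights on the OU.
function Prepare-ComputerAccountForRejoin {
    param(
        [string]$Computer = 'WS01',
        [string]$Domain   = 'contoso.local',
        [string]$OuPath   = 'OU=Workstations,DC=contoso,DC=local',
        [string]$Joiner   = 'CONTOSO\svc-joiner'
    )

    # 1. Inspect the existing object. PasswordLastSet is the server-side view of the
    #    machine account password; it will move once the reinstalled host joins.
    $acct = Get-ADComputer -Identity $Computer -Properties PasswordLastSet, DNSHostName
    "Existing account {0}, machine password last set {1}" -f $acct.DistinguishedName, $acct.PasswordLastSet

    # 2a. Either: reset the account so the join can establish a brand-new shared
    #     secret. This is what "Reset Account" in ADUC does.
    dsmod computer $acct.DistinguishedName -reset

    # 2b. Or (done once): delegate to the join account the rights it needs to reuse
    #     and reset existing computer objects under the OU without Domain Admin.
    dsacls $OuPath /I:T /G "$($Joiner):CC;computer"                          # create computer objects
    $perObject = @(
        "$($Joiner):CA;Reset Password;computer",                             # reset machine password
        "$($Joiner):WP;Account Restrictions;computer",                       # userAccountControl etc.
        "$($Joiner):WS;Validated write to DNS host name;computer",
        "$($Joiner):WS;Validated write to service principal name;computer"
    )
    foreach ($g in $perObject) { dsacls $OuPath /I:S /G $g | Out-Null }

    # 3. The orphaned dynamic DNS A record. In an AD-integrated zone it is owned by
    #    the old registration, so the reinstalled host cannot update it by itself.
    #    Hand ownership to the computer account (SID unchanged by the reset) or, if
    #    that is not worth the trouble, delete it and let the client re-register.
    $rec = Get-DnsServerResourceRecord -ZoneName $Domain -Name $Computer -RRType A -ErrorAction SilentlyContinue
    if ($rec) {
        $ad       = Get-ADDomain -Identity $Domain
        # Assumes domain-scope replication (DomainDnsZones); adjust for ForestDnsZones.
        $recDn    = "DC=$Computer,DC=$Domain,CN=MicrosoftDNS,DC=DomainDnsZones,$($ad.DistinguishedName)"
        $acl      = Get-Acl -Path "AD:\$recDn"
        "Current owner of A record: {0}" -f $acl.Owner
        $acl.SetOwner([System.Security.Principal.NTAccount]"$($ad.NetBIOSName)\$Computer`$")
        Set-Acl -Path "AD:\$recDn" -AclObject $acl
        # Alternative: Remove-DnsServerResourceRecord -ZoneName $Domain -Name $Computer -RRType A -Force
    }
}

# Runs on the freshly reinstalled client as a local administrator. The delegated
# credential, not Domain Admin, is what authorizes reuse of the existing object.
function Join-ReinstalledComputer {
    param(
        [string]$Domain = 'contoso.local',
        [string]$OuPath = 'OU=Workstations,DC=contoso,DC=local',
        [string]$Joiner = 'CONTOSO\svc-joiner'
    )
    $cred = Get-Credential -UserName $Joiner -Message 'Delegated join account'
    Add-Computer -DomainName $Domain -OUPath $OuPath -Credential $cred -Restart
}

# 4. After the reboot, prove a new shared secret exists on both sides:
#    client:  Test-ComputerSecureChannel -Verbose        (or: nltest /sc_verify:contoso.local)
#    admin:   (Get-ADComputer WS01 -Properties PasswordLastSet).PasswordLastSet   # timestamp advanced
```

The client-side half is what the comment thread is about: the secret that pairs the host with its computer object is the machine account password, held locally in the `$MACHINE.ACC` LSA secret and server-side as the object's password hash. A clean install discards the local copy, so the join above negotiates a new one; the reset in step 2a (or the Reset Password right in 2b) is what allows that without a Domain Admin touching the object.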