I have recently found a really easy way to get Admin rights on an NT system,
so easy I'm surprised it wasn't discovered earlier.
Here we go:
A plain old user has write access to the winnt\system32 directory.
He renames logon.scr to logon.old.
He then renames usrmgr.exe (or musrmgr.exe on Workstations) to logon.scr.
He then shuts down the computer using the "close all programs and log on as
different user" option.
He then waits.
If the machine is left idle long enough, the system starts logon.scr as the logon screen saver.
User Manager loads.
The user then selects his domain. (You have to type the domain name in)
He then adds himself to the Administrators group.
He then exits and logs back on.
Some of you may be thinking that as soon as you move the mouse the "screen
saver" should disappear, but because logon.scr can only be dismissed with
ctrl+alt+del, you can use the mouse to your heart's content.
To solve this:
Ensure that a plain old user only has "read" rights to the winnt\system32 directory.
Also make sure that the registry has the correct permissions assigned, so that
a user cannot specify a different location or file for logon.scr.
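The two fixes above are both permission checks, so here is an added audit script (not part of the original post) that a defender can run to verify them. It assumes a modern Windows host with PowerShell; the registry value it inspects, SCRNSAVE.EXE under HKEY_USERS\.DEFAULT\Control Panel\Desktop, is where the logon desktop's screen saver is configured, and the list of "broad" principals it treats as non-administrators is this script's own choice. On NT 4 the same checks were done by hand with cacls.exe and regedt32.

```powershell
# Added example, not from the original post.
# Audits the two conditions the post's fix depends on:
#   1. ordinary users must not be able to write to or rename files in system32
#   2. ordinary users must not be able to change the logon screen saver value

$System32 = Join-Path $env:SystemRoot 'system32'
$DesktopKey = 'HKU:\.DEFAULT\Control Panel\Desktop'   # assumption: logon-desktop screen saver settings
$ScreenSaverValue = 'SCRNSAVE.EXE'                    # assumption: value naming the screen saver binary

# Principals that every interactive user belongs to; an Allow ACE granting
# write or delete rights to one of these is what lets a plain user rename logon.scr.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, overwriting or renaming files inside a directory.
$FsWriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Rights that allow changing a registry value.
$RegWriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                [System.Security.AccessControl.RegistryRights]::WriteKey

function Get-BroadWriteAces {
    # Returns the Allow ACEs on $Path that give a broad principal any right in $Mask.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Mask
    )
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -bor ([int]$_.RegistryRights)) -band $Mask) -ne 0
    }
}

# Map HKEY_USERS so the .DEFAULT hive can be addressed with a path.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = @()

# Check 1: the system32 directory itself.
$dirAces = Get-BroadWriteAces -Path $System32 -Mask $FsWriteMask
foreach ($ace in $dirAces) {
    $findings += "system32: '$($ace.IdentityReference)' has $($ace.FileSystemRights)"
}

# Check 2: the screen saver binary the logon desktop will actually run.
$current = Get-ItemProperty -Path $DesktopKey -Name $ScreenSaverValue -ErrorAction SilentlyContinue
if ($current) {
    $scrPath = $current.$ScreenSaverValue
    if (-not [System.IO.Path]::IsPathRooted($scrPath)) {
        $scrPath = Join-Path $System32 $scrPath
    }
    if (Test-Path $scrPath) {
        $fileAces = Get-BroadWriteAces -Path $scrPath -Mask $FsWriteMask
        foreach ($ace in $fileAces) {
            $findings += "$scrPath`: '$($ace.IdentityReference)' has $($ace.FileSystemRights)"
        }
    } else {
        $findings += "logon screen saver points at a missing file: $scrPath"
    }
}

# Check 3: the registry key that selects the logon screen saver.
$keyAces = Get-BroadWriteAces -Path $DesktopKey -Mask $RegWriteMask
foreach ($ace in $keyAces) {
    $findings += "$DesktopKey`: '$($ace.IdentityReference)' has $($ace.RegistryRights)"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no broad write access to system32, the logon screen saver, or its registry setting.'
} else {
    Write-Output 'FINDINGS:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell session; Get-Acl on the .DEFAULT hive needs administrative rights to read the key's security descriptor. The check deliberately looks at rename-capable rights (Delete and DeleteSubdirectoriesAndFiles) as well as plain Write, because the post's scenario needs only a rename, not a file write.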