
Remote local administrator & LocalAccountTokenFilterPolicy

This post addresses how to invoke remote commands in the security context of a remote local administrator, and how to disable the LocalAccountTokenFilterPolicy filter that normally prevents this.

Remote local administrator

There are times when you have a couple of servers or machines that are not members of your domain. They are standalone machines, and they exist for a couple of reasons. Nowadays, with all the security concerns and attacks, many application architectures contain standalone, non-domain-joined roles. Take Microsoft Lync for example: it has a separate Edge role to handle media from external clients, and for security reasons this role is meant to be a standalone deployment that is never joined to the internal domain. There are many other examples.

If you are going to invoke a remote PowerShell session to one of those standalone machines, you need to do so with a security context, and most of the time with the privileges of the local administrator on the remote machine.

Say you want to connect to a standalone machine and get some WMI data using PowerShell. How can a script running on my script server, which is a member of the contoso domain and runs under contoso\user1 credentials, connect to that remote standalone server and retrieve WMI data?


LocalAccountTokenFilterPolicy

LocalAccountTokenFilterPolicy is the secret that makes this possible, and here is how it is done:

  • Go to the standalone computer and create a local user called User1 with the same password as Contoso\User1 (the account I am using to run scripts on the domain-joined script server). Add User1 to the local Administrators group on that standalone machine. You will end up with a domain user, contoso\User1, that runs the PowerShell script from the joined machine, and a local user, User1, on the standalone machine that is a member of the local Administrators group.
  • Now make sure the passwords for both users are the same.
  • On the standalone server, I have to disable something called LocalAccountTokenFilterPolicy to do the trick. This tells the machine: if I receive a connection with a user name and password that match a local user account in my local credential store, I will consider it a valid transaction. To disable the LocalAccountTokenFilterPolicy filter, browse to the following registry key, create it if it does not exist, and set the value to 1.
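The following PowerShell is an added example, not code from the original post: it audits the current state of the filter on the standalone machine, sets it only when explicitly asked (with -WhatIf support so the change can be previewed), and then shows the remote WMI query from the domain-joined script server using an explicit local-administrator credential. The registry path is the standard Windows location for this value; the host name EdgeServer01 is a placeholder.

```powershell
# Added example (not from the original post). Assumes the standard Windows
# location of LocalAccountTokenFilterPolicy; 'EdgeServer01' is a placeholder host.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Report whether remote UAC token filtering is still in effect on this machine.
    $item  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { $item.$PolicyName }
    [pscustomobject]@{
        Value           = $value
        # Absent (the default) or 0 means filtering is ON: a remote local admin
        # other than the built-in Administrator gets a filtered, non-admin token.
        FilteringActive = ($null -eq $value -or $value -eq 0)
    }
}

function Set-RemoteUacFiltering {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateSet('Enabled','Disabled')][string]$State)
    # 1 disables the filter (the "trick" in the post); 0 restores the default protection.
    $desired = if ($State -eq 'Disabled') { 1 } else { 0 }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", "set to $desired")) {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $desired -Type DWord
    }
}

# On the standalone machine: audit first, then preview the change before applying it.
Get-RemoteUacState
Set-RemoteUacFiltering -State Disabled -WhatIf

# On the domain-joined script server: query WMI on the standalone host, passing the
# local administrator credential explicitly instead of relying on implicit pass-through.
$cred = Get-Credential -UserName 'EdgeServer01\User1' -Message 'Local admin on standalone host'
Get-WmiObject -Class Win32_OperatingSystem -ComputerName 'EdgeServer01' -Credential $cred |
    Select-Object CSName, Caption, LastBootUpTime
```

Re-run Get-RemoteUacState after any change so the audit output documents the machines where the filter has been disabled.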


Accessing a remote local administrator account in this way is somewhat risky. If you are going to play with LocalAccountTokenFilterPolicy, make sure you understand the consequences. The risk is that someone can connect remotely to the machine, obtain the security context of the remote local administrator on that standalone machine, and do nasty things.

Read more about this registry key here


About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger.
He is considered a trusted advisor with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing.

His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional.

Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.
