LIMEHAWK - Managed IT
Emergency Local Admin — security
Date: Nov 29, 2024
Status: RESOLVED
Endpoints: 92
Security Incident

A client we'd been managing for three years. Their internal IT director quit, and on his way out changed the domain admin password and the DSRM recovery password: a malicious-insider scenario. The domain admin account was locked out, we couldn't log into the DC, and we couldn't reset passwords through AD. But our RMM agent was installed on every workstation and server, running as SYSTEM.

Assessment
domain admin: password changed, locked out
DSRM password: also changed, can't boot DC to recovery
built-in admin: disabled per security policy
LAPS passwords: stored in AD (which we can't access)
RMM agent: installed on all 92 endpoints, running as SYSTEM

RMM agents run as SYSTEM, which is more privileged than any domain admin on the local machine. The departing IT director could change every AD password, but couldn't touch our RMM agent.

Why We Couldn't Reset Domain Admin
DSRM password — changed by same departing employee
offline reset — requires booting from external media
DC RMM agent — can't reset domain admin via SYSTEM on DC
business impact — 85 people unable to work, payroll in 48h

We'd deal with DC recovery separately. The immediate need was local admin on the workstations so staff could keep working while we sorted out the domain mess.

Solution

We pushed a script to all 92 endpoints via RMM simultaneously. SYSTEM privileges let us create a new local admin account on every machine, bypassing the compromised domain entirely. Each machine got a unique, cryptographically random password, stored in the RMM's secure fields.

Technical Details
RNGCryptoServiceProvider: cryptographically secure randomness
24-character password: 70^24 combinations
idempotent design: exists? reset. doesn't? create.
JSON output: structured data, no plaintext logging

Every endpoint gets a unique password. If one machine is compromised, that credential doesn't let attackers move laterally to the others. Same principle as Microsoft LAPS, delivered via RMM.
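A PowerShell implementation of the provisioning script described above, written here as an added example rather than LimeHawk's own script. It assumes Windows PowerShell 5.1 running as SYSTEM under the RMM agent; the account name 'lh-breakglass' and the exact 70-character alphabet are assumptions.

```powershell
# Added example: RMM break-glass local admin provisioning, modelled on the
# description above. Account name and alphabet are assumptions, not the page's.
param(
    [string]$AccountName = 'lh-breakglass',   # assumed account name
    [int]$Length = 24
)
# 70-character alphabet (assumed): 26 lower, 26 upper, 10 digits, 8 symbols
$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*'

function New-RandomPassword([int]$Length, [char[]]$Alphabet) {
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 4
    $chars = New-Object char[] $Length
    # Rejection sampling: discard values above the largest multiple of the
    # alphabet size so every character is equally likely (no modulo bias)
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Alphabet.Length)
    for ($i = 0; $i -lt $Length; $i++) {
        do {
            $rng.GetBytes($bytes)
            $n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $chars[$i] = $Alphabet[[int]($n % $Alphabet.Length)]
    }
    $rng.Dispose()
    return -join $chars
}

$password = New-RandomPassword $Length $Alphabet
$secure   = ConvertTo-SecureString $password -AsPlainText -Force
# Idempotent: account exists? reset its password. Doesn't? create it.
if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires $true
    Enable-LocalUser -Name $AccountName
    $action = 'reset'
} else {
    New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
        -AccountNeverExpires -Description 'RMM break-glass local admin' | Out-Null
    $action = 'created'
}
# Administrators by well-known SID, so the script also works on non-English builds
if (-not (Get-LocalGroupMember -SID 'S-1-5-32-544' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $AccountName
}
# The only output is one JSON object for the RMM to store in its secure fields;
# the password is never written to a log file or the event log by this script
[pscustomobject]@{
    hostname = $env:COMPUTERNAME
    account  = $AccountName
    action   = $action
    password = $password
} | ConvertTo-Json -Compress
```

Re-running the script rotates the password rather than failing on an existing account, which is what makes it safe to schedule for rotation as well as to use in an emergency.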

Outcome
local admin restored: 3 minutes (all 92 endpoints)
domain recovered: 6 hours (full AD access)
business impact: zero downtime, payroll on schedule

Within 3 minutes of the call, all 92 machines had working local admin accounts. Staff could log in with their cached domain credentials, and we could elevate to local admin for support issues. DC recovery took 6 hours via offline NTDS extraction.

RMM as SYSTEM is break-glass access when domain compromised
we now deploy this script during every client onboarding
unique passwords per machine = no lateral movement
insider threats can't disable what they don't control
Get Help

Need secure credential management? We implement local admin provisioning with unique passwords and automated rotation.