active-directorywindowswindows-domain
Let's say for argument's sake I wish to change the SID of a Windows local user account to one that appears on some hypothetical Active Directory domain. Is that possible? If so, how?
P.S. I don't actually need to know how… all I care about is that it is demonstrably possible and that theoretically some malicious user on the network could do this… and how much skill they would need to do so.
The way you've accomplished this is perfectly acceptable, and allows that one user to have Administrator privileges over that one PC. I use the same procedure to allow trusted users to toy with their machines, while stopping them messing up anyone elses.
You can then delete the local accounts to avoid duplication or confusion.
It's not so much that your user is tied to AD, it's that your PC is tied to AD and it's looking to authenticate you.
Anyway, have them undo whatever they did in AD, there's no reason for it and it's just going to cause issues. Just create a local user in Control Panel > Administrative Tools > Computer Management then click "Local Users and Groups" Add a new "local" account to the computer. You're not going to be able to keep your profile from the domain account, you'll have to copy over any files you may need.
You may also want to add this new user to the Administrators group or Power Users on the group tab. you'll have to use the PCNAME\USERNAME convention or search for it in the group dialog box.
Just so you know, your outlook won't work correctly and any access to network shares will have to be authenticated with your AD user - you should get a pop-up when you try to connect.
Honestly, the solution to this issue is to get the IT department some training. There is no reason that you can't have per-user restrictions relaxed in group policy. If I didn't know any better, I'd say you were looking for a way to skirt the AD authentication and security because any IT department worth their salt would have either told you no or fixed the policy to relax the restrictions. /2cents
Best Answer
It's technically possible to do so, by editing the SAM database (under
HKEY_LOCAL_MACHINE\Securityin the Registry), but it requires understanding of the binary formats used there. There exist tools that do this, such as NewSid – although it usually did the opposite of what you're looking for, but nevertheless it was able to change the machine SID and user SIDs, computer-wide. The NewSid webpage has some information on how this is done.However, it won't achieve much. The SID is only used locally. It does not matter what SID you have; it will not give you access to any additional network resources. (This is similar to the arguments given by SysInternals when they discontinued the NewSid utility – it would create a fresh machine SID if you had cloned machines with identical SIDs, but it was explained that having identical machine SIDs, and therefore identical user SIDs, has zero effect on network security.)
For network authentication, Active Directory uses Kerberos and sometimes the (now-deprecated) NTLM, both of which authenticate users using their password or similar credentials.