The concept is simple: reset the local admin account. Resetting the admin account password is not that difficult. Using a bootable linux CD to start the computer, and overwrite the password file can done the job. However, this will leaves a discover problem, as the real administrator will knows this when they do actual maintenance.
A more clever way is to copy the password file in advance, reset the password to gain access and copy back the backed up password file. This will do the track with less likely to be discovered.
An advanced level is to get the password, instead of copy the password file.
There are two interesting files in any Windows system. They are:
- WINDOWS\system32\config\system and
- WINDOWS\system32\config\sam
Because in most cases, local admin password of all workstations are the same due to disk cloning technique for fast deployment in a corporate environment. This means once you distribute a notebook to a user, the user will have the local admin password for all workstations in the environment. If your administrator is so careless to have the domain admin password the same as the local admin password, you are now controlling your whole network of Windows computer.