Last week I got Domain Admin on an internal pentest in less than 5 minutes.
Besides the fact that storing passwords in description fields in Active Directory is a bad practice anyway, the number of admins not aware of the fact that every user can read those descriptions is still astonishing to me.
rundll32 dsquery.dll,OpenQueryWindow
That's what I always like to do first 😊 Works everywhere and allows for a quick manual lookup of AD objects.
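
A defender-side check for the issue described above, as an added example that is not part of the original posts: it scans an LDIF export of user objects for description values that hint at a stored credential and reports the account and the matched keyword, not the value itself. The sample entries, the `HINT` keyword list and the function names are constructed for illustration.

```python
import base64
import re

# Assumed keyword list; extend it with the terms your admins actually use.
HINT = re.compile(r"\b(password|passwd|pwd|pw)\b", re.IGNORECASE)

# Constructed sample LDIF export (not real data); one value is base64, one is folded.
_B64 = base64.b64encode("Initial password = Changeme1!".encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=svc-backup,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup
description: Backup service account pw: Winter2024!

dn: CN=Jane Doe,OU=Staff,DC=example,DC=test
sAMAccountName: jdoe
description: Finance department, 2nd floor

dn: CN=svc-sql,OU=Service,DC=example,DC=test
sAMAccountName: svc-sql
description:: {_B64}

dn: CN=Helpdesk,OU=Staff,DC=example,DC=test
sAMAccountName: helpdesk
description: Shared mailbox, ask IT for
  the current passwd
"""

def parse_ldif(text):
    """Yield one dict per entry, handling folded lines and base64 ('::') values."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def flag_descriptions(ldif_text):
    """Return (sAMAccountName, matched keyword) for descriptions that hint at a credential."""
    hits = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("samaccountname", ["?"])[0]
        for desc in entry.get("description", []):
            m = HINT.search(desc)
            if m:
                hits.append((name, m.group(1).lower()))
    return hits
```

Flagged accounts should have the description cleared and the credential rotated, since the value has been readable by every authenticated user.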

