*I'm not in this for any malicious purposes. Simply testing priv esc on a pretty locked down system.*
I was wondering if there are any good ways to take this local admin account and make it a domain admin, or take the local admin account and have my registered domain user (the 2001 that was added to the admin group, but not really [?]) and make that an admin account on the School domain. Also, what are the "SCHOOLS\855 Teachers" and the rest? Are those subgroups of the Administrator group? Would there be any way to take the normal domain account and have the privileged local one move it in there?
I'm no hacker, just an admin, but I can give you some insight on this. Domain Administration accounts are controlled by the domain controller, and the security privileges you're seeing there are probably pushed down by GPO from the DC.
That being said, the only way to obtain domain administration privileges is by changing the account on the DC from a user with local admin rights to a domain admin. There's no way to complete that from a workstation.
OK, well, from the local administrator account (local being that computer-specific account; SCHOOLS\Administrator is still locked), I was able to add my original user account to that administrator group, but when I went back onto that user account to check if it had stuck, it didn't. Are the groups and policies localized if you're not logging in through the network domain?
Oh, another question. The names listed under Administrators, such as SCHOOLS\855 Teachers, have a different icon than the single user I added (200179481). Are those actual groups that are joinable? What is with the difference in icon?
If I were you, I would spend some time footprinting the network. That process involves collecting as much information as possible about the network, then analyzing that information and creating a map of the network.
You're looking at a workstation that's in an Active Directory domain that's being managed by a Domain Controller, so the question you should be asking is "How can I escalate my privileges in a Windows Domain?" The most straightforward path is getting access to the domain controller, somehow. Before you can really begin that process, you need to understand Active Directory and how the hierarchical structure of AD works. Of course, privilege escalation is usually a means to an end, and if you want to get to the end quicker, you may check out Metasploit to see if you can simply bypass the process of attaining admin on your Windows box completely, using an unpatched vulnerability to achieve your goal, perhaps through a penetration-testing-friendly OS like Kali.
Any local user is just that, a local user. If the user isn't created on the Domain Controller itself, it has no rights to access any resources on the domain.
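The replies above make two points that an administrator of such a workstation would want to verify rather than take on faith: local Administrators membership is pushed down by GPO from the DC, so a locally made change is reverted at the next policy refresh, and a local account is distinct from a domain account. The following PowerShell script is an added defender-side audit example; it is not code from the thread or from any of the posters. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module and rights to read the Security event log; the `$Baseline` list is a constructed placeholder (only "SCHOOLS\855 Teachers" comes from the thread). It lists the current local Administrators membership with each member's object class (user versus group, which is what the different icons in the GUI reflect) and principal source (local versus Active Directory), flags members not in the expected baseline, and pulls recent Security event 4732 entries ("A member was added to a security-enabled local group") so that an addition that GPO has already reverted still leaves a visible record of who made it.

```powershell
# Added defender-side audit example (not from the thread). Assumptions:
# PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module, and
# rights to read the Security event log. The baseline list is a constructed
# placeholder; replace it with the membership your GPO actually defines.

$Baseline = @(
    'SCHOOLS\Domain Admins',      # constructed placeholder entry
    'SCHOOLS\855 Teachers',       # group name that appears in the thread
    'WORKSTATION\Administrator'   # constructed placeholder entry
)

# Enumerate the current local Administrators membership. ObjectClass tells
# users from groups (the "different icon" in the GUI); PrincipalSource tells
# local accounts from domain ones.
function Get-LocalAdminAudit {
    param([string[]]$Expected = $Baseline)

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # 'User' or 'Group'
            PrincipalSource = $_.PrincipalSource  # 'Local' or 'ActiveDirectory'
            InBaseline      = ($Expected -contains $_.Name)
        }
    }
}

# Security event 4732 is logged when a member is added to a security-enabled
# local group. Listing recent ones shows who added what, even after the GPO
# refresh has reverted the group membership itself.
function Get-RecentLocalGroupAdditions {
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Group     = $d['TargetUserName']
            MemberSid = $d['MemberSid']
            AddedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

# Report members that are not in the baseline, then recent additions.
Get-LocalAdminAudit | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
Get-RecentLocalGroupAdditions | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the workstation. An entry with `PrincipalSource` of `ActiveDirectory` and `ObjectClass` of `Group` is a domain group whose members inherit local admin rights through it; a 4732 event whose `MemberSid` no longer appears in `Get-LocalAdminAudit` output is exactly the pattern the thread describes, a local addition that policy refresh has since undone.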