Using a domain admin account is not possible without modifying SuRun.
The SuRun service runs with "local system" credentials. Usually domain controllers don't trust local systems and deny adding domain users to the domain admins group.
When creating SuRun I thought that there's too much attack surface to safely use a domain admin account.
To use a domain admin account SuRun would have to:
- locally store domain admin credentials (insecure)
- log on the domain admin to get a token from the domain controller (the token could be sniffed)
- impersonate the domain admin
- put the domain user into the domain admins group
- log on the user as domain admin to get another admin token (that could be sniffed)
- remove the user from the domain admins group (in the time the last three steps would take, the user could log on as domain admin; also, if one would cut the server connection, the user would become domain admin forever)