SeMachineAccountPrivilege (HackTricks) Jun 2026

Machine accounts are not just devices joined to the network; they are also identities within Active Directory. Being able to create or manipulate them can facilitate lateral movement, persistence, and even elevation of privileges within a compromised domain. For instance, an attacker holding SeMachineAccountPrivilege can:

If you created a machine account, you can set an SPN (Service Principal Name) on it (by default, machine accounts already have SPNs). You can then request a TGS for that SPN and crack the password offline.

Change the default machine account quota (ms-DS-MachineAccountQuota) from 10 to 0 for regular users. Only specific administrative accounts should have the ability to add machines.

Abusing this privilege is a foundational step for several high-impact attacks described in HackTricks' Active Directory methodology:

Using tools like addcomputer.py (from Impacket) or Powermad, the attacker creates a new machine account (e.g., ATTACKER-PC$). This is possible because of SeMachineAccountPrivilege.

What is SeMachineAccountPrivilege?

According to documentation and security research on HackTricks, this privilege is assigned by default to the "Authenticated Users" group, granting almost any domain user the ability to create up to 10 machine accounts.

BloodHound will show you whether a user can create a computer account and then use it to attack another computer.

Monitor Event ID 4741 (A computer account was created). Frequent or unexpected machine account creations by standard users are a high-fidelity indicator of compromise.
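The detection described above, as an added example that is not part of the HackTricks page: it parses a constructed, flattened key=value rendering of Security log events, keeps only Event ID 4741, and raises a finding when the creating principal is outside an allowlist of expected join accounts or when one principal creates several machine accounts in a short window. The log lines, the allowlist entry CORP\svc-sccm and the thresholds are all assumptions for illustration; adapt the parser to your SIEM's export format.

```python
"""Flag computer-account creations (Event ID 4741) by unexpected principals
and bursts of creations by a single principal.

The log format is a constructed key=value rendering of the 4741 fields; it is
not real telemetry and not the format of any particular product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical names, not real data).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z EventID=4741 SubjectUserName=svc-sccm SubjectDomainName=CORP TargetUserName=WS-0451$
2024-05-01T09:02:10Z EventID=4741 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=ATTACKER-PC$
2024-05-01T09:02:15Z EventID=4741 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=ATTACKER-PC2$
2024-05-01T09:02:20Z EventID=4741 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=ATTACKER-PC3$
2024-05-01T09:05:00Z EventID=4720 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=tempuser
"""

# Assumed allowlist: the only principals expected to join machines.
ALLOWED_CREATORS = {"CORP\\svc-sccm"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"TimeCreated": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def computer_creations(events):
    """Keep only 'A computer account was created' events."""
    return [e for e in events if e.get("EventID") == "4741"]


def find_suspicious(events, allowed, burst_threshold=3, burst_window_s=300):
    """Return findings for creators outside the allowlist and for bursts of
    creations (>= burst_threshold within burst_window_s seconds)."""
    findings = []
    by_subject = defaultdict(list)
    for e in computer_creations(events):
        subject = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
        if subject not in allowed:
            findings.append({"rule": "unexpected-creator", "subject": subject,
                             "target": e["TargetUserName"]})
        by_subject[subject].append(e["TimeCreated"])
    for subject, times in by_subject.items():
        times.sort()
        # Sliding window: any burst_threshold consecutive creations inside the window.
        for i in range(len(times) - burst_threshold + 1):
            span = (times[i + burst_threshold - 1] - times[i]).total_seconds()
            if span <= burst_window_s:
                findings.append({"rule": "creation-burst", "subject": subject,
                                 "count": burst_threshold, "window_s": burst_window_s})
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG), ALLOWED_CREATORS):
        print(finding)
```

With the quota left at its default, a single standard user can legitimately trigger up to 10 of these events, so the allowlist rule matters more than the burst rule; after the quota is set to 0, any 4741 whose subject is not an approved join account is worth an alert on its own.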

If an attacker has GenericWrite or WriteProperty over a target computer object (e.g., a file server or, in specific scenarios, even a Domain Controller), they can use a machine account they created to impersonate any user to that target.