Felix Chandler replied to Steve Riley [MSFT]
28-Mar-10 02:46 PM

1) The first issue is getting in as local admin. In my company the boot order was HD first, but this took 1 minute to bypass by removing the relevant jumper. Next, ophcrack will give you the local admin password, but it does cost some $999 if this involves non-alphanumeric values. There are other tools to replace the local admin password with your own: basically, think of a password, run it through MD5 to produce a hash, then use a LiveCD to replace the relevant SAM hash with your own.
So the first step is the easy one.
2) Next, you need gsecdump. Well, any antivirus I know kills it as soon as it is seen by Windows. So what do you do? You write it on read-only media like a CD. Still, I get an 'access denied' message from the AV. So you need to kill the AV. Two ways I can think of: erase the relevant folder via a LiveCD, or boot in Safe Mode and erase the relevant executables in that folder. I was unable to disable the AV otherwise. Next, you need to trick a domain admin into doing a remote access, perhaps asking for help with your printer or something. Assuming this access does take place and the domain admin does not reboot the machine but logs off, then under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> Interactive Logon: Number of previous logons to cache (in case domain controller....)
you see that the system keeps the last N logons. If N=0, then only the last credentials are kept, i.e. your own, when you log on after the domain admin has logged off. So this attack is not that simple, and it looks like it can be prevented with the right configuration, unless I am missing something.
I should add that there is another tool, mimikatz:
http://www.oxid.netsons.org/phpBB3/view ... f=8&t=3655
It also gets hashes (not sure if from disk or cache) and is not detected by the AV, and I am not sure if this can be used to get the domain admin hashes.
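The cached-logon policy discussed in this reply is the setting a defender would audit across the fleet. The PowerShell below is an added example, not code from the thread or from any of the tools named in it; it reads the registry value that backs the "Interactive logon: Number of previous logons to cache" policy and reports hosts that still hold cached domain credentials. The remote path assumes WinRM is enabled and that you have admin rights on the target hosts.

```powershell
# Added example (not part of the original post): audit cached domain logons.
# The policy "Interactive logon: Number of previous logons to cache" is stored as
# the REG_SZ value CachedLogonsCount under the Winlogon key; if the value is
# absent, Windows uses its default of 10.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonFinding {
    [CmdletBinding()]
    param(
        # Hosts to audit. Remote names are reached over WinRM (assumption).
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Threshold chosen for this example: 0 for servers and desktops that are
        # always on the domain; laptops that must log on offline need a small value.
        [int]$MaxAllowed = 0
    )

    # Runs locally or remotely; returns the effective cached-logon count as [int].
    $reader = {
        param($Key)
        $raw = (Get-ItemProperty -Path $Key -Name 'CachedLogonsCount' `
                -ErrorAction SilentlyContinue).CachedLogonsCount
        # Stored as a string, so cast it; missing or empty means the default of 10.
        if ($null -eq $raw -or $raw -eq '') { 10 } else { [int]$raw }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            $count = & $reader $WinlogonKey
        } else {
            $count = Invoke-Command -ComputerName $computer -ScriptBlock $reader `
                                    -ArgumentList $WinlogonKey
        }

        $finding = if ($count -gt $MaxAllowed) {
            'cached domain credentials kept on disk; lower the count and avoid privileged interactive logons here'
        } else {
            'ok'
        }

        [pscustomobject]@{
            ComputerName = $computer
            CachedLogons = $count
            Finding      = $finding
        }
    }
}

# Usage: audit the local host, or pass a list of names with -ComputerName.
Get-CachedLogonFinding | Format-Table -AutoSize
```

A count above zero on a machine where domain admins log on interactively is the condition the reply describes, so that combination is what to flag in the output.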