UK Sixth-Form Student Finds School's Active Directory Wide Open with Plaintext Admin Passwords
A 17-year-old UK student discovered his school's Active Directory domain controller tools were accessible without authentication, with the domain admin password stored in plaintext in a description field.

A 17-year-old UK sixth-form student, identified only as Nathan, discovered that his school's entire network was effectively an open book. While connecting his laptop to the school's Active Directory domain, Nathan found that no admin authentication was required to view domain controller tools, policy maps, and other sensitive configurations. Browsing the directory, he located the domain administrator account with the password "horse fence ditch" written plainly in the description field, alongside backup account passwords like "bd" and "bigbaddog."
With full domain admin privileges, Nathan could access student and staff data, gain Remote Desktop access to any server or domain controller, and even control LanSchool, a popular classroom management application. "I could've accessed sensitive leadership docs, reset passwords, deleted accounts, wiped the whole network, etc," Nathan told The Register. The entire system was synced with Google Workspace, giving him access to user mailboxes, firewall settings, security policies, and keystroke histories.
Remarkably, Nathan chose not to exploit any of these privileges. He kept his head down and graduated without incident, but also without reporting the vulnerabilities to school administrators. The security holes may still exist today, as there is no indication they were ever addressed. The incident highlights a dangerous combination of misconfigurations: Active Directory domain controller tools exposed without authentication, plaintext passwords stored in directory description fields, and a single set of admin credentials controlling both on-premises systems and cloud services.
The case serves as a stark reminder of fundamental security hygiene failures. Storing passwords in Active Directory description fields is a well-known bad practice, yet it persists in organizations of all sizes. The lack of network segmentation and the absence of multi-factor authentication for administrative accounts compounded the risk. Nathan's restraint as a teenager is commendable, but the incident underscores how easily a malicious actor—or even a curious student—could have caused catastrophic damage.
This story also echoes a broader pattern of educational institutions struggling with cybersecurity. Schools often operate with limited IT budgets and expertise, making them attractive targets for ransomware gangs and data thieves. The UK's education sector has seen numerous breaches in recent years, from ransomware attacks on universities to data leaks at primary schools. The exposure of student and staff data, combined with access to Google Workspace mailboxes and classroom management software, could have led to identity theft, financial fraud, or even physical safety risks.
For IT administrators, the lesson is clear: never store passwords in plaintext, restrict access to domain controller tools, and enforce least-privilege principles. Regular security audits and penetration testing—even by ethical students—could uncover such vulnerabilities before they are exploited. Nathan's story, shared with The Register's PWNED column, is a cautionary tale of how a single misconfiguration can compromise an entire organization's security posture.
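One way to audit for the description-field problem described above, as an added example that is not from the article or the school: it scans an LDIF export of user objects and flags descriptions containing credential keywords, plus any free text on accounts with adminCount set to 1. The function names, keyword list and sample records are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic only: words suggesting a credential was typed into the field.
KEYWORDS = re.compile(r"\b(pass(word|wd|phrase)?|pwd|pw|creds?|credentials?)\b", re.I)

def parse_ldif(text):
    """Yield one dict per LDIF record, handling folded lines and base64 values."""
    unfolded = re.sub(r"\r?\n ", "", text)  # continuation lines start with one space
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            record.setdefault(attr.lower(), []).append(value)
        yield record

def audit_descriptions(ldif_text):
    """Return (account, reasons, description length); the value is never echoed."""
    findings = []
    for rec in parse_ldif(ldif_text):
        desc = " ".join(rec.get("description", [])).strip()
        reasons = ["credential keyword"] if KEYWORDS.search(desc) else []
        if desc and rec.get("admincount", ["0"])[0] == "1":
            # A passphrase has no keyword, so free text on a privileged account gets human review.
            reasons.append("privileged account with free text")
        if reasons:
            account = rec.get("samaccountname", rec.get("dn", ["?"]))[0]
            findings.append((account, reasons, len(desc)))
    return findings

# Constructed sample export (not data from the school in the article).
SAMPLE_LDIF = "\n".join([
    "dn: CN=Print Svc,OU=Service,DC=example,DC=test", "sAMAccountName: svc-print",
    "description: Front office printer queue", "",
    "dn: CN=Backup Op,OU=Service,DC=example,DC=test", "sAMAccountName: svc-backup",
    "description: nightly job, pw",
    "  is Example-Only-1", "",  # folded continuation line
    "dn: CN=Domain Admin,OU=Admins,DC=example,DC=test", "sAMAccountName: da-main",
    "adminCount: 1",
    "description:: " + base64.b64encode(b"three plain words").decode(),
])

if __name__ == "__main__":
    for finding in audit_descriptions(SAMPLE_LDIF):
        print(finding)
```

Findings carry only the account name and the description length, so the audit output does not become another place where the secret is written down.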