"I could've accessed sensitive leadership docs, reset passwords, deleted accounts, wiped the whole network, etc," Nathan told The Register.
Active Directory left wide open: what a 17‑year‑old found
A student identified in the reporting as Nathan, aged 17 and attending sixth form at a UK school, discovered extensive administrative access simply by connecting his laptop to the school's Active Directory (AD) domain. According to the account, there was no administrator authentication required; Nathan was able to view domain controller tools in view mode, examine policy maps and browse the directory. He located the domain administrator account and found the password written in the account's description field as the phrase "horse fence ditch." Backup accounts carried passwords such as "bd" and "bigbaddog."
From view mode to "God mode": lateral control, classroom tools, and telemetry
With full administrative privileges, described in the account as "God mode", Nathan said he could see student and staff data, gain Remote Desktop access to any server or domain controller, and access LanSchool, the classroom management application named in the report. The system was also synced with Google Workspace, which Nathan said gave him access to user mailboxes. He reported finding firewall settings, security policies he could change, and keystroke histories.
Cleartext passwords and basic hygiene: lessons the school already heard
The original writeup draws two explicit, practical lessons from the episode. First, do not store passwords in Active Directory description fields — and more generally, do not store passwords in cleartext "anywhere without serious controls." Second, the school should not have made AD domain controller tools visible to a student on the network. The report also notes it might have helped if Google Workspace used different admin credentials from the on‑premises AD environment.
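An added example, not part of the original report: a description-field audit of the kind the first lesson calls for, run over a constructed CSV export of user accounts. The column names, the use of AdminCount to mark privileged accounts, and the function name are assumptions; the sample rows are constructed and reuse the values quoted above.

```python
import csv
import io
import re

# Constructed sample export (not real data). Assumed to come from something like:
#   Get-ADUser -Filter * -Properties Description,adminCount |
#     Select-Object SamAccountName,AdminCount,Description | Export-Csv users.csv
SAMPLE_CSV = """SamAccountName,AdminCount,Description
administrator,1,horse fence ditch
backup1,1,bd
jsmith,,Year 12 student
svc_print,,pw: Summer2024!
mteacher,,Head of Maths
"""

# Words that usually introduce a stored credential.
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|pw)\b", re.IGNORECASE)
# One token mixing letters with digits or symbols reads like a secret, not a job title.
TOKEN = re.compile(r"^(?=\S*[A-Za-z])(?=\S*[\d!@#$%^&*])\S{6,}$")


def audit_descriptions(csv_text):
    """Return (account, reason) for every description that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        desc = (row.get("Description") or "").strip()
        if not desc:
            continue
        privileged = (row.get("AdminCount") or "").strip() == "1"
        if KEYWORD.search(desc):
            reason = "credential keyword"
        elif any(TOKEN.match(word) for word in desc.split()):
            reason = "password-like token"
        elif privileged:
            # Keyword rules miss plain-word passphrases, so any free text
            # on a privileged account goes to manual review.
            reason = "privileged account with free text"
        else:
            continue
        findings.append((row["SamAccountName"], reason))
    return findings


if __name__ == "__main__":
    for account, reason in audit_descriptions(SAMPLE_CSV):
        print(f"{account}: {reason}")
```

A passphrase made of ordinary words carries no keyword and no unusual characters, so only the privileged-account rule catches it; that rule trades extra manual review for coverage.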
What Nathan did — and did not — do, and the risk that remains
By his own account, Nathan exercised restraint: because he was a student and did not want to get into trouble, he did not use the privileges he found. He kept his head down, graduated without incident, and did not report the vulnerabilities — which the piece notes "might still be in place today for all we know." The writeup asks readers to imagine the ease with which grades could have been changed, computers taken over, data deleted or a network wiped, citing those as the kinds of actions Nathan said were technically possible.
What this means for school IT teams, students and vendors
- School IT teams and administrators: The account underscores the need to audit AD exposure, remove any cleartext passwords from description fields, lock down view and management rights for domain controller tools, and separate Google Workspace admin credentials from on‑premises AD where possible — all actions the original report explicitly recommends.
- Students and parents: The story highlights concrete privacy risks students and staff may not expect — including access to mailboxes, keystroke logs and classroom management tools such as LanSchool — and the potential for those risks to persist if not reported and remediated.
- Vendors and service owners (LanSchool, Google Workspace admins): The episode points to the operational importance of credential separation and least‑privilege configurations where cloud syncs or third‑party classroom tools are involved, a specific concern raised by the original writeup.
The episode is a narrow but sharp illustration of how elementary misconfigurations — a readable password in a description field, excessive visibility into domain controller tools, linked admin credentials across services — can combine into a full administrative takeover. The original account closes on the unresolved practical question the facts leave on the table: the student did not report the issues, and the vulnerabilities "might still be in place today for all we know."
Read the original report: https://www.theregister.com/security/2026/06/25/uk-schools-network-left-wide-open-for-invasion-student-found/5261567




