Are there any Windows commands or privilege escalation techniques one might be able to employ in order to gain access to add a domain user?  In a mixed mode (Windows 2000 and 2003) environment, I've successfully gained access to many Windows 2000 servers thanks to some unpatched vulnerabilities and weak local administrator passwords.  However none of the 2000 hosts are DCs. 

My question is, with either the local admin account or even the "system" shell I gain through the exploits, is there a way for me to somehow access AD and add start making my way into the directory instead of simply winning access to the local machines?  Short of ARP poisoning or sniffing telnet sessions to network hardware devices and attemtping to guess/use those captured admin credentials in the domain, I'm curious if I can bridge the gap somehow between local admin and domain user (eventually domain admin)?  Obviously local creds and AD are two different repositories...but I feel I may be missing something in the Windows world.

Chris,

That was my goal...but I was thinking I'm missing something with the SAM and local logins vs. domain logins.  On several of the servers, dumping the passwords from the SAM only produces local users.  However, with those local creds, when I map drives and browse the C: drive, I notice that several profiles have been created for domain users, sometimes even the Admin ID for the domain.  But, no such credentials exist in the SAM. 

Also..this is a 2003/2000 mixed domain.