$ cat ad-basics.md

AD basics

> August 29, 2025 | Active Directory

👉 What is AD?

-> Active Directory (AD) is a centralized directory service developed by Microsoft. It manages and authenticates users, computers, groups, and other resources in a Windows network domain.

  • A centralized identity management system for Windows.
  • Manages users, computers, groups, policies in an enterprise.

👉 Active Directory Structure

Active Directory flaws and misconfigurations can often be used to obtain a foothold (internal access), move laterally and vertically within a network, and gain unauthorized access to protected resources such as databases, file shares, source code, and more. The parts of the structure worth enumerating first:

  • Domain Computers
  • Domain Users
  • Domain Group Information
  • Organizational Units (OUs)
  • Default Domain Policy
  • Functional Domain Levels
  • Password Policy
  • Group Policy Objects (GPOs)
  • Domain Trusts
  • Access Control Lists (ACLs)

Key Components

Term Meaning
Domain Logical group of AD objects (e.g. redteam.local)
Domain Controller (DC) The brain of the domain. Hosts AD DS.
Forest Collection of domains (can be 1 or more)
OU (Organizational Unit) Container to organize users/computers
GPO (Group Policy Object) Rules applied to users/computers
FSMO Roles 5 special single-master roles held by specific DCs (described under AD Functionality below)

Protocols in AD

Protocol Use
LDAP/LDAPS Directory queries (lookups) and authentication (binds)
Kerberos Authentication
SMB File sharing
DNS Name resolution
RPC Remote procedure calls (used in many attacks!)

Example AD Structure

INLANEFREIGHT.LOCAL/
├── ADMIN.INLANEFREIGHT.LOCAL
│   ├── GPOs
│   └── OU
│       └── EMPLOYEES
│           ├── COMPUTERS
│           │   └── FILE01
│           ├── GROUPS
│           │   └── HQ Staff
│           └── USERS
│               └── barbara.jones
├── CORP.INLANEFREIGHT.LOCAL
└── DEV.INLANEFREIGHT.LOCAL

👉 Active Directory Terminology

Term Short explanation
Object ANY resource present within AD (user, computer, group, OU, printer, ...)
Attributes Pieces of information about an object (e.g. displayName, sAMAccountName); every object is a set of attributes
Schema The blueprint of the environment: defines every object class that can exist and which attributes each class can have
Domain Logical group of objects (users, computers, groups) sharing one directory database
Forest Collection of one or more domains sharing a common schema, configuration and Global Catalog
Tree A set of domains with a contiguous DNS namespace, e.g. corp.local with its child domain sales.corp.local
Container Holds objects in AD, like a folder (OUs and built-in containers such as Users or Computers)
Leaf End of a branch: an object that cannot contain other objects (e.g. a user or computer)
Global Catalog A domain controller that stores a full copy of all objects in its own domain and a partial (searchable attribute set) copy of every object in the forest; queried on ports 3268/3269
Replication Keeps all domain controllers in sync with each other's changes
Service Principal Name (SPN) Uniquely identifies a service instance (e.g. CIFS/file01.inlanefreight.local) and is used by Kerberos to pick the account key that encrypts service tickets for that service
Group Policy Object (GPO) Set of rules and settings that an admin can apply to users and computers
Access Control List (ACL) The ordered list of ACEs on an object that defines who is allowed or denied which permissions
Access Control Entries (ACEs) Individual rules in an ACL: one trustee, one set of rights, allow or deny
Fully Qualified Domain Name (FQDN) Complete DNS name of a specific computer or host, e.g. FILE01.admin.inlanefreight.local
Tombstone A deleted object kept (with most attributes stripped) for the tombstone lifetime so the deletion can replicate; with the AD Recycle Bin enabled, deleted objects keep their attributes and can be restored
SYSVOL Shared folder on every DC (\\<domain>\SYSVOL) holding GPO templates and logon scripts, replicated between DCs
NTDS.DIT Heart of AD: the directory database file at C:\Windows\NTDS\NTDS.dit holding all objects and the password hashes of every account

👉 Active Directory Objects

▶️ Users

  • Considered leaf objects: they cannot contain other objects.
  • Security principals: each has a SID (used in ACLs and access tokens) and an objectGUID.

▶️ Contacts

  • Used to represent an external user (e.g. a vendor contact) in the address book.
  • Not security principals: they have an objectGUID but no SID, so they cannot be granted permissions.

▶️ Printers

  • A printer object points to a printer accessible within the AD network.

▶️ Computers

  • Any computer joined to the domain. Like users they are leaf objects and security principals with a SID and GUID; the machine account name ends in $ (e.g. FILE01$).

▶️ Shared Folders

  • An object that points to a shared folder on the specific computer where the folder resides.

▶️ Groups

  • Considered a container object because it contains other objects (users, computers, other groups).

▶️ Organizational Units (OUs)

  • A container that systems administrators can use to store similar objects for ease of administration, and the unit that GPOs are linked to.
  • Often used for administrative delegation of tasks without granting a user account full administrative rights.

▶️ Domain

  • The domain is the structure of an AD network.
  • Domains contain objects such as users, computers, groups and OUs.

▶️ Domain Controllers

  • Brains of an AD domain.
  • Handle authentication requests, verify users and control who can access various resources.

▶️ Sites

  • A set of computers across one or more subnets connected using high-speed links; used to control replication traffic and to direct clients to a nearby DC.

▶️ Built-in

  • A container that holds the default groups in an AD domain (Administrators, Account Operators, Backup Operators, ...).

▶️ Foreign Security Principals

  • A foreign security principal (FSP) is an object created in AD to represent a security principal that belongs to a trusted external forest, so that it can be added to domain local groups in this domain.

👉 AD Functionality (the five FSMO roles)

Roles Description
Schema Master This role manages the read/write copy of the AD schema, which defines all attributes that can apply to an object in AD.
Domain Naming Master Manages domain names and ensures that two domains of the same name are not created in the same forest.
Relative ID (RID) Master The RID Master assigns blocks of RIDs to other DCs within the domain that can be used for new objects. The RID Master helps ensure that multiple objects are not assigned the same SID. Domain object SIDs are the domain SID combined with the RID number assigned to the object to make the unique SID.
PDC Emulator The host with this role is the authoritative DC in the domain: failed authentication attempts and password changes are forwarded to it, it is the default DC that Group Policy edits are written to, and it is the time source for the domain.
Infrastructure Master This role translates GUIDs, SIDs, and DNs between domains. This role is used in organizations with multiple domains in a single forest. The Infrastructure Master helps them to communicate. If this role is not functioning properly, Access Control Lists (ACLs) will show SIDs instead of fully resolved names.

✌️Trusts

-> A trust is used to establish forest-forest or domain-domain authentication, allowing users to access resources

Trust Type Description
Parent-child Domains within the same forest. The child domain has a two-way transitive trust with the parent domain.
Cross-link (shortcut) A trust between two child domains in the same forest, created to shorten the authentication path that would otherwise go up through the forest root.
External A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes SID filtering.
Tree-root a two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.
Forest a transitive trust between two forest root domains.
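The role holders and trusts above are all readable by any domain user. The following is an added example (not part of the original notes) that enumerates them with the RSAT ActiveDirectory module; it assumes a domain-joined host and a domain account, nothing more.

```powershell
# Added example: forest/domain layout, FSMO role holders and trusts.
# Assumes the RSAT ActiveDirectory module and a plain domain user.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are properties of Get-ADForest, domain-wide roles of Get-ADDomain
[pscustomobject]@{
    Forest               = $forest.Name
    ForestMode           = $forest.ForestMode
    Domains              = ($forest.Domains -join ', ')
    GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    Domain               = $domain.DNSRoot
    DomainMode           = $domain.DomainMode
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Trusts: direction, transitivity and whether SID filtering is enabled are what
# decide whether sIDHistory can be abused across the trust boundary.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize
```

`netdom query fsmo` gives the same role list from a command prompt; the script form is handy because the trust attributes come out as objects you can filter on (e.g. every trust with SIDFilteringQuarantined set to False).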

👉 AD Protocols

👉👉 Kerberos, DNS, LDAP, MSRPC

▶️ Kerberos

 -> default authentication protocol for domain accounts since Windows 2000  ->  Kerberos is a stateless authentication protocol based on tickets instead of transmitting user passwords over the network.

🛡️ Kerberos Authentication Process

  1. AS-REQ: when a user logs in, a key derived from their password is used to encrypt a timestamp (pre-authentication), which is sent to the Key Distribution Center (KDC) service on a DC. The KDC decrypts it with its copy of the user's key; success proves the user knows the password without the password ever crossing the network.

  2. AS-REP: the KDC issues a Ticket Granting Ticket (TGT), encrypted with the secret key of the krbtgt account so that only DCs can read or alter it, together with a session key encrypted for the user. The TGT decouples the user's credentials from later requests for resources.

  3. TGS-REQ: the user presents the TGT back to the DC and requests a Ticket Granting Service (TGS) ticket for a specific service, identified by its SPN. If the TGT validates, the user's identity and group data from the TGT are copied into the new ticket.

  4. TGS-REP: the service ticket is encrypted with the long-term key of the service or computer account in whose context the service runs (with the RC4 encryption type that key is the account's NT hash, which is why such tickets can be cracked offline) and delivered to the user.

  5. AP-REQ: the user presents the service ticket to the service; the service decrypts it with its own key, and if it is valid the user is permitted to connect to the resource.

-> Kerberos uses port 88 (TCP and UDP) on the domain controllers.
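The AS and TGS exchanges can be watched from any domain-joined Windows host: after logon the ticket cache holds only the TGT, and asking for a service by SPN adds a service ticket. The script below is an added example (not from the original notes); the SPN is an assumption based on the FILE01 host in the structure above and must be changed to a real service in your domain.

```powershell
# Added example: observe the TGT (AS exchange) and a service ticket (TGS exchange)
# in the local Kerberos ticket cache. Assumes a domain logon session and that
# $Spn is a real SPN in the domain (placeholder taken from the example structure).
$Spn = 'CIFS/FILE01.INLANEFREIGHT.LOCAL'

function Get-KerbTicket {
    # Parse 'klist' output into objects: Client, Server (SPN) and encryption type.
    $tickets = @()
    $current = $null
    foreach ($line in (klist.exe)) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{ Client = $Matches[1]; Server = ''; EncType = '' }
        } elseif ($current -and $line -match '^\s+Server:\s+(.+)$') {
            $current.Server = $Matches[1]
        } elseif ($current -and $line -match '^\s+KerbTicket Encryption Type:\s+(.+)$') {
            $current.EncType = $Matches[1]
        }
    }
    if ($current) { $tickets += $current }
    $tickets
}

"== Tickets before: expect only the TGT (krbtgt/REALM) obtained in the AS exchange =="
Get-KerbTicket | Format-Table -AutoSize

# Asking .NET for a Kerberos token for an SPN makes LSASS send a TGS-REQ using the
# cached TGT; the ticket from the TGS-REP is cached and becomes visible in klist.
Add-Type -AssemblyName System.IdentityModel
try {
    $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
} catch {
    Write-Warning "TGS-REQ for $Spn failed (SPN not registered?): $($_.Exception.Message)"
}

"== Tickets after: the service ticket for $Spn has been added =="
Get-KerbTicket | ForEach-Object {
    # Service tickets encrypted with RC4 are the ones Kerberoasting targets: the
    # key is the service account's NT hash. AES tickets are far slower to crack.
    $_ | Add-Member -NotePropertyName RC4 -NotePropertyValue ($_.EncType -match 'RC4') -PassThru
} | Format-Table -AutoSize
```

`klist purge` empties the cache if you want to repeat the experiment from a clean state; the next access to any domain resource triggers a fresh AS exchange.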


▶️ DNS

–> DNS is used to resolve hostnames to IP addresses and is broadly used across internal networks and the internet. Private internal networks use Active Directory DNS namespaces to facilitate communications between servers, clients, and peers. AD maintains a database of services running on the network in the form of service records (SRV). These service records allow clients in an AD environment to locate services that they need, such as a file server, printer, or Domain Controller.
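The SRV records are how a client finds a DC, a KDC or a Global Catalog without being told any hostname. As an added example (not part of the original notes), the lookups below use Resolve-DnsName against the standard AD record names; the domain name is a placeholder taken from the example structure.

```powershell
# Added example: locate domain services through the SRV records AD registers in DNS.
# Assumes the host resolves the AD DNS zone; $Domain is a placeholder.
$Domain = 'inlanefreight.local'

$lookups = [ordered]@{
    'Domain Controller (LDAP)' = "_ldap._tcp.dc._msdcs.$Domain"
    'Kerberos KDC'             = "_kerberos._tcp.$Domain"
    'Kerberos password change' = "_kpasswd._tcp.$Domain"
    'Global Catalog'           = "_gc._tcp.$Domain"
    'PDC Emulator'             = "_ldap._tcp.pdc._msdcs.$Domain"
}

foreach ($entry in $lookups.GetEnumerator()) {
    # Resolve-DnsName also returns the A records of the targets; keep only the SRV rows
    $records = Resolve-DnsName -Name $entry.Value -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) { "$($entry.Key): no SRV record at $($entry.Value)"; continue }
    foreach ($r in $records) {
        [pscustomobject]@{
            Role     = $entry.Key
            Target   = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
        }
    }
}
```

The same records are what `nltest /dsgetdc:<domain>` uses under the hood; during an assessment the `_msdcs` zone is usually the fastest way to list every DC in a forest.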


▶️ LDAP (Lightweight Directory Access Protocol)

–> LDAP is an open, cross-platform standard protocol (RFC 4511) for querying and modifying directory services and for authenticating against them; AD DS is itself an LDAP server. -> LDAP uses port 389, and LDAP over SSL/TLS (LDAPS) communicates over port 636. The Global Catalog answers on 3268 (LDAP) and 3269 (LDAPS).

🛡️ AD LDAP Authentication

LDAP is set up to authenticate credentials against AD using a “BIND” operation to set the authentication state for an LDAP session. There are two types of LDAP authentication.

  1. Simple Authentication: This includes anonymous authentication, unauthenticated authentication, and username/password authentication. Simple authentication means that a username and password create a BIND request to authenticate to the LDAP server.

  2. SASL Authentication: The Simple Authentication and Security Layer (SASL) framework uses other authentication services, such as Kerberos, to bind to the LDAP server and then uses this authentication service (Kerberos in this example) to authenticate to LDAP. The LDAP server sends an LDAP message to the authentication service, which initiates a series of challenge/response messages resulting in either successful or unsuccessful authentication. SASL can provide additional security due to the separation of authentication methods from application protocols, and with Kerberos it allows signing and sealing of the session so no password travels in the clear.
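The two bind types can be tried side by side with the .NET System.DirectoryServices.Protocols classes. The script below is an added example (not from the original notes); the DC name is a placeholder, and the simple bind is only done over LDAPS because a simple bind carries the password in the BIND request itself.

```powershell
# Added example: a simple bind (LDAPS) and a SASL Negotiate/Kerberos bind (LDAP 389
# with signing and sealing), each followed by a RootDSE read to prove the session.
# Assumes a reachable DC ($Dc is a placeholder) and a domain logon session.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Dc = 'dc01.inlanefreight.local'

function Test-LdapBind {
    param(
        [string]$Server,
        [int]$Port,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [System.Net.NetworkCredential]$Credential,   # $null = use the current logon session
        [switch]$UseTls
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseTls) {
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # No TLS: require SASL integrity + confidentiality (only possible with Negotiate/Kerberos)
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    $conn.AuthType = $AuthType
    if ($Credential) { $conn.Credential = $Credential }
    try {
        $conn.Bind()   # the BIND operation sets the authentication state of this session
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', 'Base', [string[]]@('defaultNamingContext'))
        $resp = $conn.SendRequest($req)
        $nc   = $resp.Entries[0].Attributes['defaultNamingContext'][0]
        [pscustomobject]@{ Server=$Server; Port=$Port; AuthType=$AuthType; Result='bound'; NamingContext=$nc }
    } catch {
        [pscustomobject]@{ Server=$Server; Port=$Port; AuthType=$AuthType; Result="failed: $($_.Exception.Message)"; NamingContext=$null }
    } finally {
        $conn.Dispose()
    }
}

# 1. Simple bind: username and password inside the BIND request, so LDAPS (636) only.
$cred = (Get-Credential -Message 'Account for the simple bind test (use user@domain UPN)').GetNetworkCredential()
Test-LdapBind -Server $Dc -Port 636 -AuthType Basic -Credential $cred -UseTls

# 2. SASL bind with Negotiate: the Kerberos ticket of the current session is used,
#    no password crosses the wire, and the session is signed and sealed on port 389.
Test-LdapBind -Server $Dc -Port 389 -AuthType Negotiate
```

If the simple bind over 636 fails with a certificate error the DC has no server certificate for LDAPS, which is also why many environments still see cleartext simple binds on 389; the DC's "LDAP server signing requirements" policy and event ID 2889 are the places to look for those.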


▶️ MSRPC

Windows systems use MSRPC (MS Remote Procedure Call) to access systems in Active Directory using four key RPC interfaces.

Interface Name Description
lsarpc A set of RPC calls to the Local Security Authority (LSA) system which manages the local security policy on a computer, controls the audit policy, and provides interactive authentication services. LSARPC is used to perform management on domain security policies.
netlogon Netlogon is a Windows process used to authenticate users and other services in the domain environment. It is a service that continuously runs in the background.
samr Remote SAM (samr) provides management functionality for the domain account database, storing information about users and groups. IT administrators use the protocol to manage users, groups, and computers by enabling admins to create, read, update, and delete information about security principals. Attackers (and pentesters) can use the samr protocol to perform reconnaissance about the internal domain using tools such as BloodHound to visually map out the AD network and create "attack paths" to illustrate visually how administrative access or full domain compromise could be achieved. Organizations can protect against this type of reconnaissance by setting the RestrictRemoteSAM registry value to only allow administrators to perform remote SAM queries since, on older builds by default, all authenticated domain users can make these queries to gather a considerable amount of information about the AD domain.
drsuapi drsuapi is the Microsoft API that implements the Directory Replication Service (DRS) Remote Protocol which is used to perform replication-related tasks across Domain Controllers in a multi-DC environment. Attackers can utilize drsuapi to create a copy of the Active Directory domain database (NTDS.dit) file to retrieve password hashes for all accounts in the domain, which can then be used to perform Pass-the-Hash attacks to access more systems or cracked offline using a tool such as Hashcat to obtain the cleartext password to log in to systems using remote management protocols such as Remote Desktop (RDP) and WinRM.
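Two checks follow from the samr and drsuapi rows: is remote SAM enumeration restricted on this host, and which principals hold the replication rights that a drsuapi-based hash dump (DCSync) needs. The script is an added example (not from the original notes); it assumes the ActiveDirectory module and an ordinary domain user for the ACL read, and local rights to read the Lsa key.

```powershell
# Added example: RestrictRemoteSAM check (samr) and an audit of who holds the
# domain-head replication rights that DCSync through drsuapi requires.
# Assumes the ActiveDirectory module; a domain user can read both.
Import-Module ActiveDirectory

# --- samr: who may enumerate this host's SAM remotely --------------------------
# Recommended SDDL: only the local Administrators group (BA) gets Read Control (RC)
$RecommendedSddl = 'O:BAG:BAD:(A;;RC;;;BA)'
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSAM -ErrorAction SilentlyContinue
if (-not $lsa) {
    'RestrictRemoteSAM: not set, OS default applies (Administrators only on Windows 10 1607 / Server 2016 and later; any authenticated user on older builds)'
} elseif ($lsa.RestrictRemoteSAM -eq $RecommendedSddl) {
    "RestrictRemoteSAM: $($lsa.RestrictRemoteSAM) (Administrators only)"
} else {
    "RestrictRemoteSAM: $($lsa.RestrictRemoteSAM) (custom SDDL, review who is granted RC)"
}

# --- drsuapi: who can ask a DC to replicate secrets ----------------------------
# Extended-right GUIDs; both together allow a full replication of password hashes.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        if ($ReplRights.ContainsKey($guid)) {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $ReplRights[$guid] }
        } elseif ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
            # Holders of these can grant themselves the replication rights, so they count too
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = "$($_.ActiveDirectoryRights) (can self-grant)" }
        }
    } |
    Group-Object Principal |
    ForEach-Object { [pscustomobject]@{ Principal = $_.Name; Rights = (($_.Group.Right | Sort-Object -Unique) -join '; ') } } |
    Format-Table -AutoSize
```

The expected output lists only Domain Controllers, Enterprise Domain Controllers, Administrators, Domain Admins and Enterprise Admins. Any other principal in the list (a service account, a helpdesk group) can dump every hash in the domain with a single drsuapi call and is worth an incident ticket.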


NTLM Authentication

NTLM
  • Cryptographic technique: symmetric key cryptography
  • Mutual authentication: no
  • Message type: random number (challenge)
  • Trusted third party: Domain Controller

NTLMv1
  • Cryptographic technique: symmetric key cryptography
  • Mutual authentication: no
  • Message type: MD4 hash, random number
  • Trusted third party: Domain Controller

NTLMv2
  • Cryptographic technique: symmetric key cryptography
  • Mutual authentication: no
  • Message type: MD4 hash, random number
  • Trusted third party: Domain Controller

Kerberos
  • Cryptographic technique: symmetric key cryptography (asymmetric only with PKINIT / smart card logon)
  • Mutual authentication: yes
  • Message type: encrypted ticket (encryption type DES, RC4-HMAC or AES as negotiated; DES is disabled by default on current domains)
  • Trusted third party: Domain Controller / Key Distribution Center (KDC)

NTLM Hash Example


Rachel:500:aad3c435b514a4eeaad3b935b51304fe:e46b9e548fa0d122de7f59fb6d48eaa2:::
  • Rachel is the username
  • 500 is the Relative Identifier (RID). 500 is the well-known RID of the built-in Administrator account, whatever it has been renamed to
  • aad3c435b514a4eeaad3b935b51304fe is the LM hash. When LM hash storage is disabled (the default since Windows Vista / Server 2008) this field holds the fixed placeholder aad3b435b51404eeaad3b435b51404ee, the LM "hash" of an empty password, and is of no use
  • e46b9e548fa0d122de7f59fb6d48eaa2 is the NT hash (MD4 of the UTF-16LE password). It can be cracked offline to reveal the cleartext value (depending on the length/strength of the password) or used directly in a pass-the-hash attack, because NTLM authentication only proves knowledge of the hash, not of the password
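Dump files in this user:RID:LM:NT::: form are what every hash-dumping tool produces, so a small triage of one is worth having. The parser below is an added example (not from the original notes); the sample lines are constructed for it, with the two well-known empty-password hashes used as markers.

```powershell
# Added example: parse user:RID:LM:NT::: lines and triage them. Sample input is
# constructed; the only real constants are the empty-password LM and NT hashes.
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM field when LM storage is disabled
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of an empty password

function ConvertFrom-HashDumpLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $parts = $Line.Split(':')
        if ($parts.Count -lt 4 -or $parts[2].Length -ne 32 -or $parts[3].Length -ne 32) {
            Write-Warning "Skipping malformed line: $Line"
            return
        }
        $rid = [int]$parts[1]
        $wellKnown = ''
        switch ($rid) { 500 { $wellKnown = 'Administrator' } 501 { $wellKnown = 'Guest' } 502 { $wellKnown = 'krbtgt' } }
        [pscustomobject]@{
            User        = $parts[0]
            RID         = $rid
            WellKnown   = $wellKnown
            LMHash      = $parts[2]
            LMUsable    = ($parts[2] -ne $EmptyLm)   # a real LM hash: 7-char halves, trivially cracked
            NTHash      = $parts[3]
            NTEmpty     = ($parts[3] -eq $EmptyNt)   # blank password, nothing to crack
            PassTheHash = ($parts[3] -ne $EmptyNt)   # any non-empty NT hash works for PtH as-is
        }
    }
}

# Constructed sample dump (not real credentials); 8846f7... is the NT hash of "password"
$sample = @(
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::',
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'legacyapp:1105:299bd128c1101fd6aad3b435b51404ee:0123456789abcdef0123456789abcdef:::',
    'broken line without fields'
)
$sample | ConvertFrom-HashDumpLine | Format-Table User, RID, WellKnown, LMUsable, NTEmpty, PassTheHash -AutoSize
```

An LM field whose second half is the empty marker (as in the legacyapp line) means the password is 7 characters or shorter and the first half alone cracks in seconds; that is the kind of detail a triage script should surface before anyone starts Hashcat.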

👉 User and Machine Accounts

▶️ Local Accounts

  • Administrator: this account has RID 500 (SID S-1-5-21-<machine identifier>-500) and is the first account created with a new Windows installation.
  • Guest: this account is disabled by default. The purpose of this account is to allow users without an account on the computer to log in temporarily with limited access rights.
  • SYSTEM: The SYSTEM (or NT AUTHORITY\SYSTEM) account on a Windows host is the default account installed and used by the operating system to perform many of its internal functions.
  • Network Service: This is a predefined local account used by the Service Control Manager (SCM) for running Windows services.
  • Local Service: This is another predefined local account used by the Service Control Manager (SCM) for running Windows services.

▶️ Domain Users

Domain users differ from local users in that they are granted rights from the domain to access resources such as file servers, printers, intranet hosts, and other objects based on the permissions granted to their user account or the group that account is a member of.

Domain user accounts can by default log on to any domain-joined host (subject to logon rights and GPO restrictions), unlike local users, which exist only on one host.

One account to keep in mind is the KRBTGT account. This is a built-in domain account (not a local account) that acts as the service account for the Key Distribution Center service: its key encrypts every TGT issued in the domain. It is a common target of attackers since an attacker holding its password hash can forge TGTs for any user (Golden Tickets) and keep unconstrained access to the domain until the KRBTGT password has been reset twice.

▶️ User Naming Attributes

Attribute Description
UserPrincipalName (UPN) This is the primary logon name for the user. By convention, the UPN uses the email address of the user.
ObjectGUID This is a unique identifier of the user. In AD, the ObjectGUID attribute name never changes and remains unique even if the user is removed.
SAMAccountName This is a logon name that supports the previous version of Windows clients and servers.
objectSID The user’s Security Identifier (SID). This attribute identifies a user and its group memberships during security interactions with the server.
sIDHistory This contains previous SIDs for the user object if moved from another domain and is typically seen in migration scenarios from domain to domain. After a migration occurs, the old SID is added to the sIDHistory property, and the new SID becomes its objectSID. Because SIDs in sIDHistory are added to the user's token, an attacker who can write this attribute can grant a user the access of any SID they place there.
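The attributes above are all exposed by Get-ADUser. As an added example (not from the original notes), the script reads them for the sample user from the structure above and then audits sIDHistory across the domain, flagging entries that no migration would ever produce; it assumes the ActiveDirectory module and a domain user.

```powershell
# Added example: read the naming attributes for one user, then audit sIDHistory
# domain-wide. Assumes the ActiveDirectory module; barbara.jones is the sample
# user from the example structure.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value

Get-ADUser -Identity 'barbara.jones' -Properties UserPrincipalName, ObjectGUID, SamAccountName, objectSid, sIDHistory |
    Select-Object UserPrincipalName, SamAccountName, ObjectGUID,
        @{ n = 'objectSid';  e = { $_.objectSid.Value } },
        @{ n = 'RID';        e = { $_.objectSid.Value.Split('-')[-1] } },
        @{ n = 'sIDHistory'; e = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', ' } } |
    Format-List

# sIDHistory is legitimate after a migration from another domain. An entry whose
# domain part is THIS domain's SID, or whose RID is a privileged well-known one,
# cannot come from a migration and is a classic persistence/escalation trick.
Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    foreach ($hist in $_.sIDHistory) {
        $histDomain = if ($hist.AccountDomainSid) { $hist.AccountDomainSid.Value } else { '' }
        $histRid    = [int]$hist.Value.Split('-')[-1]
        [pscustomobject]@{
            User          = $_.SamAccountName
            HistorySID    = $hist.Value
            SameDomain    = ($histDomain -eq $domainSid)
            PrivilegedRID = ($histRid -in 500, 512, 516, 518, 519)   # Administrator, Domain/Enterprise/Schema Admins, DCs
        }
    }
} | Format-Table -AutoSize
```

Any row with SameDomain or PrivilegedRID set to True should be treated as a compromise indicator rather than a data-quality issue; the attribute can only be written with elevated rights or by tampering with the database.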

👊 Domain-joined vs. Non-Domain-joined Machines

  1. Domain-joined :
    • Part of an Active Directory (AD) domain
    • Uses domain credentials (e.g., username@company.local) to log in.
  2. Non-Domain-Joined Machine :
    • Standalone – no central management server.
    • No automatic GPO-based policy enforcement or centralized patching.

👉Active Directory Groups

-> Used to collect similar users together and mass-assign rights and access. -> There are many built-in groups in AD, and organizations also create their own groups to define rights and privileges, further managing access within the domain.

👉👉 Types of Groups

-> AD groups have two fundamental characteristics: type and scope.

▶️ Group Types

  • The group type defines the group's purpose.
  • When creating a new group, we must select a group type. There are two main types: security and distribution groups.

    ▶️ Security groups
    • Used for assigning permissions and rights to a collection of users instead of one at a time.

    ▶️ Distribution groups
    • Used by email applications such as Microsoft Exchange to distribute messages to group members.
    • Cannot be used to assign permissions to resources in the AD environment.

▶️ Group Scopes

  • The group scope shows how the group can be used within the domain or forest.
  • There are three different group scopes that can be assigned when creating a new group.
    1. Domain Local Group
    2. Global Group
    3. Universal Group
  1. Domain Local Group -> Can only be used to manage permissions to resources in the domain where it was created. -> Cannot be used in other domains but CAN contain users and groups from OTHER domains. -> Domain local groups can be nested into (contained within) other domain local groups but NOT within global groups.

  2. Global Group -> Can be used to grant access to resources in another domain. -> Can only contain accounts (and other global groups) from the domain where it was created. -> Global groups can be added to both other global groups and domain local groups.

  3. Universal Group -> Can be used to manage resources distributed across multiple domains and can be given permissions to any object within the same forest. -> Membership is stored in the Global Catalog, so every membership change replicates forest-wide. It is therefore recommended that administrators keep other groups (such as global groups) as members of universal groups rather than individual users: global group membership within universal groups rarely changes, while adding or removing a user from a global group only triggers replication within that domain.

▶️ Nested Group Membership

-> A group can be a member of another group, so a user inherits the rights of every group in the chain, which is easy to lose track of (a user in "HQ Staff" that is nested three levels down into "Server Operators" is effectively a Server Operator). -> Tools like BloodHound are useful in uncovering privileges obtained through nested membership.

▶️ Group Attributes

cn: The cn or Common-Name is the name of the group in Active Directory Domain Services.

member: Which user, group, and contact objects are members of the group.

groupType: An integer that specifies the group type and scope.

memberOf: A listing of any groups that contain the group as a member (nested group membership).

objectSid: This is the security identifier or SID of the group, which is the unique value used to identify the group as a security principal.
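groupType is a bit field, and nested membership is easiest to resolve with the LDAP_MATCHING_RULE_IN_CHAIN operator, which makes the DC walk the membership chain for you. The script below is an added example (not from the original notes): the decoder runs on constructed sample values, and the live queries assume the ActiveDirectory module plus the group and user names from the example structure.

```powershell
# Added example: decode groupType into type + scope, then resolve nested membership
# in both directions with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# Assumes the ActiveDirectory module; 'HQ Staff' and barbara.jones are placeholders.
Import-Module ActiveDirectory

function ConvertFrom-GroupType {
    param([int64]$GroupType)
    # groupType is a signed 32-bit value; look at it as flag bits
    $flags = [uint32]($GroupType -band 0xFFFFFFFF)
    $scope = 'Unknown'
    if     ($flags -band 0x2) { $scope = 'Global' }
    elseif ($flags -band 0x4) { $scope = 'DomainLocal' }
    elseif ($flags -band 0x8) { $scope = 'Universal' }
    $type = if ($flags -band 0x80000000) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{
        Raw     = $GroupType
        Type    = $type
        Scope   = $scope
        Builtin = (($flags -band 0x1) -ne 0)   # system-created, e.g. BUILTIN\Administrators
    }
}

# Constructed sample values (the same integers Get-ADGroup returns in groupType)
-2147483646, -2147483644, -2147483640, -2147483643, 2, 8 |
    ForEach-Object { ConvertFrom-GroupType $_ } | Format-Table -AutoSize

# --- live queries -------------------------------------------------------------
$group = Get-ADGroup -Identity 'HQ Staff' -Properties groupType
ConvertFrom-GroupType $group.groupType

# Effective members: every object whose memberOf chain leads to this group
"== Effective members of $($group.Name) =="
Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
    Select-Object Name, ObjectClass

# Effective group membership of a user: every group reached through any nesting
$userDn = (Get-ADUser -Identity 'barbara.jones').DistinguishedName
"== Groups barbara.jones effectively belongs to =="
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object Name, GroupScope, GroupCategory
```

Get-ADGroup's GroupScope and GroupCategory properties are derived from exactly these bits, so the decoder is mainly useful when you are looking at raw LDAP output (ldapsearch, BloodHound JSON) rather than at the cmdlet. Note that the chain operator does not cross a trust: foreign security principals stop the walk at the trust boundary.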


👉 Active Directory Rights and Privileges

Rights and privileges are the cornerstones of AD management and, if mismanaged, can easily lead to abuse by attackers or penetration testers.

-> Rights are typically assigned to users or groups and deal with permissions to access an object such as a file, -> privileges grant a user permission to perform an action such as run a program, shut down a system, reset passwords, etc.

-> AD contains many default or built-in security groups, some of which grant their members powerful rights and privileges which can be abused if misconfigured.

👉👉 User Rights Assignment

Depending on their current group membership, and other factors such as privileges that administrators can assign via Group Policy (GPO), users can have various rights assigned to their account.

For example, let’s say we can gain write access over a Group Policy Object (GPO) applied to an OU containing one or more users that we control. In this example, we could potentially leverage a tool such as SharpGPOAbuse to assign targeted rights to a user. We may perform many actions in the domain to further our access with these new rights.

  • A few examples:
    • SeRemoteInteractiveLogonRight – a logon right (user right) to log on to a host via RDP
    • SeBackupPrivilege – a token privilege granting the ability to create system backups; it bypasses file ACLs for reads and so can be used to obtain copies of sensitive system files such as the SAM and SYSTEM hives or NTDS.dit
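Token privileges are visible to the account that holds them with `whoami /priv`, which is the first thing to run after landing on a host. The parser below is an added example (not from the original notes): it runs once over constructed sample output and once over the live token, and the list of abusable privileges is the editor's own selection.

```powershell
# Added example: parse 'whoami /priv' and flag token privileges commonly abused for
# privilege escalation. First input is constructed sample output, second is live.
# Logon rights such as SeRemoteInteractiveLogonRight are NOT token privileges and
# never appear here; they are set via GPO / secedit.
$AbusablePrivileges = @{
    'SeBackupPrivilege'             = 'read any file (SAM/SYSTEM hives, NTDS.dit via shadow copy)'
    'SeRestorePrivilege'            = 'write any file / registry key'
    'SeDebugPrivilege'              = 'open any process, e.g. LSASS'
    'SeImpersonatePrivilege'        = 'impersonate tokens (potato-style escalation)'
    'SeAssignPrimaryTokenPrivilege' = 'assign tokens to new processes'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any object'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
    'SeTcbPrivilege'                = 'act as part of the operating system'
    'SeCreateTokenPrivilege'        = 'create arbitrary tokens'
    'SeManageVolumePrivilege'       = 'raw volume access'
}

function ConvertFrom-WhoamiPriv {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows start with the privilege name; the last column is Enabled/Disabled
        if ($line -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
            $name = $Matches[1]
            [pscustomobject]@{
                Privilege = $name
                State     = $Matches[2]
                Abusable  = $AbusablePrivileges.ContainsKey($name)
                Why       = $AbusablePrivileges[$name]
            }
        }
    }
}

# Constructed sample, shaped like real whoami /priv output
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                State
============================= ========================================== ========
SeShutdownPrivilege           Shut down the system                       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                   Enabled
SeBackupPrivilege             Back up files and directories              Disabled
SeImpersonatePrivilege        Impersonate a client after authentication  Enabled
'@ -split "`r?`n"

'== Sample token =='
ConvertFrom-WhoamiPriv $sample | Where-Object Abusable | Format-Table -AutoSize

'== Current token (whoami /priv) =='
# 'Disabled' only means the privilege is not currently enabled in the token; the
# holder can enable it at will, so disabled abusable privileges still count.
ConvertFrom-WhoamiPriv (whoami.exe /priv) | Where-Object Abusable | Format-Table -AutoSize
```

For the logon rights side (who may RDP in, who may log on as a service), `secedit /export /cfg rights.inf` dumps the [Privilege Rights] section of the effective policy on the host.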

👉 Security in Active Directory

👉👉 CIA Triad

The CIA Triad is the foundational model for information security, consisting of:


🔒 Confidentiality

All About Access Control

  • Confidentiality is the effort of keeping data private and ensuring only those with a need to know have access.

✅ Integrity

Is The Data Complete And Authentic

  • Integrity is the assurance that data provided to users has not been tampered with, and that while stored will remain in the same unaltered state.

🌐 Availability

Always UP, Always ACCESSIBLE

  • Ensuring users can reach resources when needed is the name of the game with availability.

🛡️ General AD Hardening

👉 LAPS (Local Administrator Password Solution)

Used to randomize and rotate the local Administrator password on every Windows host, storing it in AD where only authorized principals can read it. Because no two hosts share a local admin password, one stolen local hash no longer gives lateral movement to every other workstation.
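Deploying LAPS only helps on the hosts that actually got a managed password, so coverage should be checked. The script below is an added example (not from the original notes); it supports both the legacy LAPS schema (ms-Mcs-AdmPwdExpirationTime) and Windows LAPS (msLAPS-PasswordExpirationTime), requests an attribute only if the schema contains it, and assumes the ActiveDirectory module and a domain user (the expiry time is world-readable, the password is not).

```powershell
# Added example: which computers have a LAPS-managed password, and is rotation
# still happening? Works with legacy LAPS and Windows LAPS schema attributes.
# Assumes the ActiveDirectory module and a domain user.
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Only ask for attributes that exist, otherwise Get-ADComputer rejects the property name
$candidates = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
$present = @(foreach ($attr in $candidates) {
    if (Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)") { $attr }
})
if ($present.Count -eq 0) { Write-Warning 'Neither LAPS schema extension is present: LAPS is not deployed'; return }
"LAPS attributes in schema: $($present -join ', ')"

$nowUtc = (Get-Date).ToUniversalTime()
Get-ADComputer -Filter 'Enabled -eq $true' -Properties ($present + 'OperatingSystem') | ForEach-Object {
    $expiry = $null
    foreach ($attr in $present) {
        # Both attributes store a Windows FILETIME (100 ns ticks since 1601) as Int64
        if ($_.$attr) { $expiry = [datetime]::FromFileTimeUtc([int64]$_.$attr) }
    }
    $status = if (-not $expiry)           { 'NO LAPS PASSWORD' }
              elseif ($expiry -lt $nowUtc) { 'EXPIRED (rotation stalled)' }
              else                         { 'managed' }
    [pscustomobject]@{
        Computer = $_.Name
        OS       = $_.OperatingSystem
        Expires  = $expiry
        Status   = $status
    }
} | Sort-Object Status, Computer | Format-Table -AutoSize
```

Hosts reporting NO LAPS PASSWORD are the ones still sharing whatever image password they were built with. Reading an actual password is done with Get-LapsADPassword (Windows LAPS) or Get-AdmPwdPassword (legacy), and both read operations are auditable, which is a second reason to prefer LAPS over a shared local admin account.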

👉 Audit Policy Settings (Logging and Monitoring)

Effective logging and monitoring can be used to detect an attacker or unauthorized employee adding a user or computer, modifying an object in AD, changing an account password, accessing a system in an unauthorized or non-standard manner, performing an attack such as password spraying, or more advanced attacks such as modern Kerberos attacks.

👉 Group Policy Security Settings

Group Policy Objects (GPOs) are virtual collections of policy settings that can be applied to specific users, groups, and computers at the OU level. These can be used to apply a wide variety of security policies to help harden Active Directory.

  • Account Policies
  • Local Policies
  • Software Restriction Policies
  • Application Control Policies
  • Advanced Audit Policy Configuration

👉 Update Management (SCCM/WSUS)

The Windows Server Update Service (WSUS) can be installed as a role on a Windows Server and can be used to minimize the manual task of patching Windows systems. System Center Configuration Manager (SCCM) is a paid solution that relies on the WSUS Windows Server role being installed and offers more features than WSUS on its own.

👉 Group Managed Service Accounts (gMSA)

-> An account managed by the domain that offers a higher level of security than other types of service accounts for use with non-interactive applications, services, processes, and tasks that run automatically but require credentials. -> They provide automatic password management with a long random password (120 characters) generated and rotated by the domain controller, every 30 days by default. -> The password never needs to be known by any user; only the hosts listed in the account's PrincipalsAllowedToRetrieveManagedPassword attribute can fetch it. The same account can be used across multiple hosts (e.g. a web farm).
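The creation steps, and the one attribute that decides how safe a gMSA really is, look like this in practice. The script is an added example (not from the original notes); it assumes Domain Admin rights on a host with the ActiveDirectory module, and the account, group, host and SPN names are placeholders.

```powershell
# Added example: create a gMSA for a web service, restrict which hosts may retrieve
# its password, install it on the host, then audit all gMSAs. Assumes Domain Admin
# rights and the ActiveDirectory module; names and hosts are placeholders.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which gMSA passwords are derived.
#    Production: Add-KdsRootKey -EffectiveImmediately (usable after ~10 h of replication).
#    The backdated EffectiveTime below is a single-DC lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. Only members of this group may read msDS-ManagedPassword.
New-ADGroup -Name 'gMSA-WebHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-WebHosts' -Members (Get-ADComputer -Identity 'WEB01')

# 3. The account itself: rotated every 30 days by the DC, AES-only Kerberos keys.
New-ADServiceAccount -Name 'svc_web' `
    -DNSHostName 'svc_web.inlanefreight.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebHosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/web01.inlanefreight.local' `
    -KerberosEncryptionType AES128, AES256

# 4. On WEB01, after a reboot so the new group membership is in the host's token:
#      Install-ADServiceAccount -Identity svc_web
#      Test-ADServiceAccount -Identity svc_web    # True when the host can fetch the password
#    Then configure the service to run as INLANEFREIGHT\svc_web$ with an empty password.

# 5. Audit: a broad reader list (e.g. Domain Computers) means any compromised host
#    can read the gMSA password, which defeats the point.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', ServicePrincipalNames |
    Select-Object Name,
        @{ n = 'PasswordReaders'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } },
        @{ n = 'IntervalDays';    e = { $_.'msDS-ManagedPasswordInterval' } },
        @{ n = 'SPNs';            e = { $_.ServicePrincipalNames -join ', ' } } |
    Format-Table -AutoSize
```

From the attacker's side the audit in step 5 is the same enumeration: if a host you already control is in PasswordReaders, the gMSA's password blob is yours with one LDAP read, so the reader list should be as narrow as the service allows.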

👉 Security Groups

  • offer an easy way to assign access to network resources .
  •  They can be used to assign specific rights to the group (instead of directly to the user) to determine what members of the group can do within the AD environment.

👉Account Separation

Administrators must have two separate accounts. One for their day-to-day work and a second for any administrative tasks they must perform.

This can help ensure that if a user’s host is compromised (through a phishing attack, for example), the attacker would be limited to that host and would not obtain credentials for a highly privileged user with considerable access within the domain.

👉 Password Complexity Policies + Passphrases + 2FA

 -> Minimum password length should be 12 characters, and longer for admin users; passphrases make that length usable. -> Implement MFA for RDP to any host; this can help to prevent lateral movement with stolen credentials alone.

👉 Limiting Domain Admin Account Usage

All-powerful Domain Admin accounts should only be used to log in to Domain Controllers, not personal workstations, jump hosts, web servers, etc. This can significantly reduce the impact of an attack and cut down potential attack paths should a host be compromised. This would ensure that Domain Admin account passwords are not left in memory on hosts throughout the environment.

👉 Periodically Auditing and Removing Stale Users and Objects

Periodically review the AD configuration and remove disabled, unused or orphaned users, computers and groups. Stale objects are attractive to attackers because nobody notices when they start being used, and their passwords predate current policy.

👉 Auditing Permissions and Access

Periodically perform access control audits to ensure that users only have the level of access required for their day-to-day work. -> Audit local admin rights, the number of Domain Admins and Enterprise Admins, file share access and user rights assignments to limit the attack surface.
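The two audits above (stale objects, and who holds privileged group membership) fit in one pass. The script is an added example (not from the original notes); it assumes the ActiveDirectory module and a domain user, and the 90-day threshold and group list are the editor's assumptions to tune per environment.

```powershell
# Added example: inactive users/computers, non-expiring passwords, and effective
# (nested) membership of the privileged built-in groups. Assumes the
# ActiveDirectory module; thresholds and the group list are assumptions.
Import-Module ActiveDirectory
$InactiveDays = 90
$window = [timespan]::FromDays($InactiveDays)

$staleUsers  = @(Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly     | Where-Object Enabled)
$staleHosts  = @(Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly | Where-Object Enabled)
$neverExpire = @(Search-ADAccount -PasswordNeverExpires -UsersOnly                   | Where-Object Enabled)

"Enabled users inactive > $InactiveDays days:     $($staleUsers.Count)"
"Enabled computers inactive > $InactiveDays days: $($staleHosts.Count)"
"Enabled users with non-expiring passwords:       $($neverExpire.Count)"
$staleUsers | Select-Object SamAccountName, LastLogonDate | Sort-Object LastLogonDate | Format-Table -AutoSize

# Privileged groups: count effective members through nesting. Enterprise and
# Schema Admins exist only in the forest root domain, so skip missing groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators', 'DnsAdmins'
foreach ($g in $PrivilegedGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) { continue }
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group   = $g
        Members = $members.Count
        Users   = (($members | Where-Object objectClass -eq 'user').SamAccountName -join ', ')
    }
}
```

Anything beyond a handful of named people in Domain Admins, or any service account in Account Operators or Backup Operators, is a finding; the operator groups can reset passwords or read NTDS.dit respectively and are routinely forgotten because they are not called "Admins".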

👉 Audit Policies & Logging

Visibility into the domain is a must. An organization can achieve this through robust logging and then using rules to detect anomalous activity. This can also detect AD enumeration

👉 Using Restricted Groups

Restricted Groups allow administrators to configure group membership via Group Policy. They can be used for various purposes, such as enforcing the membership of the local Administrators group on every host so that an account added by hand is removed again at the next policy refresh.

👉 Limiting Server Roles

It is important not to install additional roles on sensitive hosts, such as installing the Internet Information Server (IIS) role on a Domain Controller. -> should be installed on a separate standalone web server.


👉🔐 Group Policy Objects (GPOs)

▶️ A Group Policy Object (GPO) is a virtual collection of policy settings that can be applied to user(s) or computer(s). Every GPO has a unique name and is assigned a unique identifier (a GUID). They can be linked to a specific OU, domain, or site. A single GPO can be linked to multiple containers, and any container can have multiple GPOs applied to it. GPOs cannot be linked to groups; to target only some of the users or computers inside a linked container, security filtering (the GpoApply permission) or WMI filtering is used.

GPO settings are processed using the hierarchical structure of AD and are applied using the Order of Precedence rule:

Level Description
Local Group Policy The policies are defined directly to the host locally outside the domain. Any setting here will be overwritten if a similar setting is defined at a higher level.
Site Policy Any policies specific to the Enterprise Site that the host resides in. Remember that enterprise environments can span large campuses and even across countries. So it stands to reason that a site might have its own policies to follow that could differentiate it from the rest of the organization. Access Control policies are a great example of this. Say a specific building or site performs secret or restricted research and requires a higher level of authorization for access to resources. You could specify those settings at the site level and ensure they are linked so as not to be overwritten by domain policy. This is also a great way to perform actions like printer and share mapping for users in specific sites.
Domain-wide Policy Any settings you wish to have applied across the domain as a whole. For example, setting the password policy complexity level, configuring a Desktop background for all users, and setting a Notice of Use and Consent to Monitor banner at the login screen.
Organizational Unit (OU) These settings would affect users and computers who belong to specific OUs. You would want to place any unique settings here that are role-specific. For example, the mapping of a particular share drive that can only be accessed by HR, access to specific resources like printers, or the ability for IT admins to utilize PowerShell and command-prompt.
Any OU Policies nested within other OU’s Settings at this level would reflect special permissions for objects within nested OUs. For example, providing Security Analysts a specific set of Applocker policy settings that differ from the standard IT Applocker settings.

We can manage Group Policy from the Group Policy Management Console, custom applications, or using the PowerShell GroupPolicy module via command line.

Windows performs periodic Group Policy updates, which by default is done every 90 minutes with a randomized offset of +/- 30 minutes for users and computers. This random offset of +/- 30 minutes is set to avoid overwhelming domain controllers by having all clients request Group Policy from the domain controller simultaneously. The period is only 5 minutes for domain controllers to update by default. When a new GPO is created and linked, it could take up to 2 hours (120 minutes) until the settings take effect.

We can issue the command gpupdate /force to kick off the update process.

We can modify the refresh interval via Group Policy by clicking on Computer Configuration --> Policies --> Administrative Templates --> System --> Group Policy and selecting Set Group Policy refresh interval for computers.

👉 Security Considerations of GPOs

-> GPOs can be used to carry out attacks. -> These attacks typically happen when a user has the rights required to modify a GPO that applies to an OU that contains either a user account that we control or a computer.

👉👉Example

Tool: BloodHound

 -> BloodHound shows that the Domain Users group can modify the "Disconnect Idle RDP" GPO due to nested group membership, i.e. every domain account inherits edit rights on it through a chain of groups. -> In this case, we would next look to see which OUs this GPO applies to and whether we can leverage these rights to gain control over a high-value user (administrator or Domain Admin) or computer (server, DC, or critical host) and move laterally to escalate privileges within the domain.
 -> Domain Users group can modify the Disconnect Idle RDP GPO due to nested group membership.   -> In this case, we would next look to see which OUs this GPO applies to and if we can leverage these rights to gain control over a high-value user (administrator or Domain Admin) or computer (server, DC, or critical host) and move laterally to escalate privileges within the domain.