Active Directory

Active Directory is Microsoft’s directory service for centralised identity, authentication, and authorisation in Windows enterprise environments.


Key Components

Component | Description
--- | ---
Domain | Logical grouping of objects (users, computers, groups) sharing a common namespace
Domain Controller (DC) | Server hosting AD DS, running the Kerberos KDC and LDAP
Forest | One or more domains sharing a schema, configuration, and global catalogue
Tree | Domains in a contiguous namespace hierarchy within a forest
Trust | Relationship allowing one domain to authenticate users from another
OU (Organisational Unit) | Container for objects; used to apply GPOs and delegate admin
Global Catalogue (GC) | Partial replica of all forest objects; used for cross-domain queries
FSMO Roles | Five special roles: PDC Emulator, RID Master, Infrastructure Master, Schema Master, Domain Naming Master

Objects

Users: sAMAccountName, userPrincipalName, distinguishedName, objectSID

Groups:

Scope | Description
--- | ---
Domain Local | Members from anywhere; used to assign permissions within the domain
Global | Members from the same domain; used to represent job roles
Universal | Members from any domain; used across forest trusts

Computers: Every domain-joined machine has a computer account (HOSTNAME$).


Authentication

  • Kerberos — primary auth protocol. Ticket-based. See Kerberos
  • NTLM — legacy challenge-response. Used when Kerberos fails. See NTLM
  • LDAP — used to query the directory

Group Policy (GPO)

Group Policy Objects apply configuration to users and computers in OUs, domains, or sites.

# View applied GPOs
gpresult /r
gpresult /h report.html

# Force apply
gpupdate /force

GPO link order: Site → Domain → OU. The link closest to the object (the lowest OU) is applied last and wins on conflict, unless a higher-level link is marked Enforced (it then wins regardless) or the OU has Block Inheritance set (non-enforced links from above are not applied).

Security-relevant GPO settings:

  • Password policy (complexity, length, history, lockout)
  • AppLocker / Software Restriction Policies
  • Audit policy (which events to log)
  • Restricted Groups (local admin membership)
  • WinRM/PowerShell Remoting settings
  • LAPS (Local Administrator Password Solution) deployment
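To make the precedence rules concrete, here is an added example (not code from the page or from Microsoft) that resolves which GPOs apply to an object given its container path, honouring link order, Enforced links and Block Inheritance, and then merges their settings so that the last-applied GPO wins. The GPO names, OU path and settings are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    enforced: bool = False   # Enforced link: cannot be blocked, beats links lower in the tree

@dataclass
class Container:
    """A site, domain or OU on the path to the object, with its GPO links in link order."""
    name: str
    links: list              # index 0 = link order 1 = highest precedence in this container
    block_inheritance: bool = False

def applied_order(path):
    """Return GPO names in the order Group Policy applies them (last one wins on conflict).
    path lists containers top-down: site, domain, OU, child OU, ..."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []      # Block Inheritance drops every non-enforced link from above
        # Link order 1 is applied last within a container, hence the reversal.
        normal += [l.gpo for l in reversed(c.links) if not l.enforced]
        # Enforced links are applied after all normal links; those from higher containers
        # are applied last of all, so lower-level enforced links are prepended.
        enforced = [l.gpo for l in reversed(c.links) if l.enforced] + enforced
    return normal + enforced

def effective_settings(path, settings_by_gpo):
    """Merge settings in applied order; a later GPO overwrites an earlier one."""
    result = {}
    for gpo in applied_order(path):
        result.update(settings_by_gpo.get(gpo, {}))
    return result

# Constructed sample: hypothetical GPO names and settings, not taken from a real domain.
DOMAIN = Container("DC=example,DC=com", [Link("Corp-Audit", enforced=True), Link("Default Domain Policy")])
LONDON = Container("OU=London,DC=example,DC=com", [Link("London-Baseline")])
SERVERS = Container("OU=Servers,OU=London,DC=example,DC=com", [Link("Servers-Hardening")], block_inheritance=True)
SETTINGS = {
    "Default Domain Policy": {"LmCompatibilityLevel": 3, "AuditLogon": "None"},
    "Corp-Audit": {"AuditLogon": "Success,Failure"},
    "London-Baseline": {"LmCompatibilityLevel": 5, "LocalAdmins": "LON-Admins"},
    "Servers-Hardening": {"AuditLogon": "Success", "LocalAdmins": "SRV-Admins"},
}

if __name__ == "__main__":
    print(applied_order([DOMAIN, LONDON, SERVERS]))
    # The blocking OU keeps the enforced audit policy but silently loses the domain baseline.
    print(effective_settings([DOMAIN, LONDON, SERVERS], SETTINGS))
```

Comparing the output for the Servers OU with that for a London workstation shows the audit trap worth checking for: a Block Inheritance OU drops the domain baseline (LmCompatibilityLevel here) unless that baseline link is also Enforced.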

AD LDAP Structure

DC=example,DC=com
  ├── CN=Users
  │     ├── CN=John Smith
  │     └── CN=Domain Admins
  ├── CN=Computers
  ├── OU=London
  │     ├── OU=Workstations
  │     └── OU=Servers
  └── CN=Builtin

Common LDAP queries:

# All users (AD rejects anonymous searches by default, so bind as a domain user with -D/-W;
# objectClass=user alone also matches computer accounts, so objectCategory=person is added)
ldapsearch -H ldap://dc.example.com -x -D "user@example.com" -W -b "DC=example,DC=com" "(&(objectCategory=person)(objectClass=user))"

# Domain admins (direct members only; nested groups are not expanded by memberOf)
ldapsearch -H ldap://dc.example.com -x -D "user@example.com" -W -b "DC=example,DC=com" "(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)"

# Using PowerShell (ActiveDirectory module)
Get-ADUser -Filter * -Properties *
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter * -Properties *

Trusts

Trust Type | Description
--- | ---
Parent-child | Automatic, transitive, bidirectional within a forest
Cross-link | Shortcut between domains in the same forest (performance)
External | Non-transitive, one-way or two-way, between separate forests
Forest | Transitive trust between forest root domains
Realm | Between Windows and a non-Windows Kerberos realm

Transitive trusts mean: if A trusts B and B trusts C, then A trusts C.

SID Filtering — applied on external trusts to prevent SID history abuse.


Key Security Features

Feature | Description
--- | ---
Protected Users group | Prevents weaker auth (NTLM, RC4, credential caching) for members
Credential Guard | Virtualisation-based isolation of LSASS credentials
LAPS | Randomises local admin passwords per machine
Tiered admin model | Separate admin accounts for tier 0 (DC), tier 1 (servers), tier 2 (workstations)
PAW | Privileged Access Workstations: dedicated devices for admin tasks

Quick Enumeration Commands

# Domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-ADDomain

# Users
Get-ADUser -Filter * | Select SamAccountName,Enabled,LastLogonDate
Get-ADUser -Filter {AdminCount -eq 1}   # Protected admin accounts

# Groups
Get-ADGroup -Filter * | Select Name,GroupScope
Get-ADGroupMember "Domain Admins" -Recursive

# Computers
Get-ADComputer -Filter * -Properties OperatingSystem | Select Name,OperatingSystem

# OUs and GPOs
Get-ADOrganizationalUnit -Filter *
Get-GPO -All

See Also