Understanding Active Directory Basics

FATH3AD
Oct 9, 2022


This post is designed to share some of the information I’ve learned while working through the Active Directory Basics room on TryHackMe. The room introduces the basics of Active Directory at the most fundamental level and is part of the Red Teaming track. I’ll look to post more from this track moving forward.

This post covers the different objects within AD and how those objects are organized and managed using organizational units, group policies and permissions. I'll then give a brief overview of trust relationships between domain trees, using a hypothetical example of a company expanding its operations.

Please note this article doesn’t cover everything there is to know about Active Directory. If nothing else, this post seeks to provide some basic fundamental knowledge of key aspects.

Active Directory

Let's assume you're working for a company. Chances are you'll be using a computer to do your daily tasks. That computer is managed by the company and joined to the company network, or domain. The company's IT staff manage not only the network but also the computers and the users that log into it. In a Windows environment, this is done through Active Directory.

Active Directory (AD) can be thought of as a directory used to centralize the administration of the common components of a Windows computer network. Active Directory has many functions, but two key ones are:

  • Centralized Identity Management: All users across the network can be configured from Active Directory with minimum effort.
  • Security Policy Management: You can configure security policies directly from Active Directory and apply them to users and computers across the network as needed.

Domain Services (AD DS)

Active Directory Domain Services (AD DS) is the core of Active Directory: the service that holds information about every "object" on the network. Objects include users, machines, security groups, shares and more. Before discussing these objects, it's worth mentioning what security principals are.

Security Principals

A security principal is an object that can act upon resources in the network, depending on the privileges assigned to that object. Users, machines and security groups are security principals because they can be authenticated by the domain and assigned privileges over resources such as files or printers.

User objects come in two kinds:

  • People or employees.
  • Service accounts, used by services such as IIS and MSSQL to run under an identity of their own.

Each service should run under an account that has only the privileges that service needs. For example, the Kerberos Key Distribution Center uses the krbtgt account; its key is what encrypts every ticket-granting ticket in the domain, which is why that account is disabled for interactive use and why its password is one of the most sensitive secrets a domain holds.

Machine objects are created for any computer that joins the domain. A machine object is assigned an account just like a regular user, with somewhat limited rights within the domain itself. The account name is the hostname followed by a dollar sign (for example, DC01$), and Windows rotates its password automatically (every 30 days by default). On the computer itself, processes running as SYSTEM use this account when they talk to the domain. Nobody except the computer is supposed to use it, but as with any other account, if you have the password, you can use it to log in.

Security groups assign access rights to files or other resources to a whole group at once instead of to single users. A group can have users, other groups and machines as members. The following security groups are created by default when a domain is created:

  • Domain Admins: members have administrative privileges over the entire domain and, by default, can administer any computer in it, including the Domain Controllers.
  • Server Operators: can administer Domain Controllers (log on to them, manage services, back them up and shut them down) but cannot change group memberships.
  • Backup Operators: allowed to read and write any file, ignoring its permissions, in order to back up and restore data on computers.
  • Account Operators: can create or modify other accounts in the domain, though not members of the administrative groups.
  • Domain Users: every user in the domain.
  • Domain Computers: every computer in the domain.
  • Domain Controllers: the Domain Controllers of the domain.

Membership in any of the "operator" groups amounts to domain-level privilege in practice, so it should be reviewed as carefully as Domain Admins membership.
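As an added example (not code from the original post or from the TryHackMe room), the following PowerShell enumerates the three kinds of security principals described above and then checks who actually sits in the privileged default groups, expanding nested membership. It assumes the RSAT ActiveDirectory module is installed and that you are running it as a domain user in a hypothetical domain named thm.local.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory
# module and a hypothetical domain thm.local.
Import-Module ActiveDirectory

# 1. People: enabled user accounts with no Service Principal Name registered.
$people = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties ServicePrincipalName |
    Where-Object { -not $_.ServicePrincipalName })

# 2. Service accounts: user accounts that have an SPN (IIS, MSSQL, ...).
#    krbtgt is the KDC's own account and is disabled by design, so it is shown separately.
$serviceAccounts = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet)
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet, Enabled

# 3. Machines: one account per domain-joined computer; the SAM name ends in '$'.
$computers = @(Get-ADComputer -Filter * -Properties OperatingSystem, PasswordLastSet)

"People: $($people.Count)  Service accounts: $($serviceAccounts.Count)  Computers: $($computers.Count)"
"krbtgt enabled: $($krbtgt.Enabled)  password last set: $($krbtgt.PasswordLastSet)"
$serviceAccounts | Select-Object SamAccountName, PasswordLastSet,
    @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ' ' } } | Format-Table -AutoSize -Wrap
$computers | Select-Object SamAccountName, OperatingSystem, PasswordLastSet | Format-Table -AutoSize

# Privileged default groups. -Recursive expands nested groups, so a user added to a
# group that is itself a member of Domain Admins still shows up here.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Server Operators', 'Backup Operators', 'Account Operators'

$privileged | ForEach-Object {
    $group   = $_
    # Enterprise Admins only exists in the forest root domain; ignore lookup failures.
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group   = $group
        Count   = $members.Count
        Members = ($members.SamAccountName) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

Anything that shows up in the last table other than the built-in Administrator account and the accounts you expect is worth a conversation with whoever manages the domain.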

For the full list, please see: Active Directory Security Groups

Organizational Units

Users and computers are stored in hierarchical container objects called Organizational Units (OUs). OUs are mainly used to define sets of users and computers with similar policy requirements. In other words, you can apply policies (GPOs) and delegated permissions to certain OUs depending on the business need. For example, a "Help Desk" OU inside the IT department's OU (IT) might be delegated the right to reset the passwords of users in other OUs, so that help desk staff can unlock people without being administrators. The finance department's OU (Finance) wouldn't need that kind of delegation.

You can create custom OUs as needed, but Active Directory also provides some containers out of the box:

  • Builtin: Contains the default groups available to any Windows host.
  • Computers: Any machine joining the domain is put here by default. You can move them if needed.
  • Domain Controllers: Default OU that contains the DCs in your domain.
  • Users: Default users and groups that apply to a domain-wide context.
  • Managed Service Accounts: Holds accounts used by services in your Windows domain.

Note that only Domain Controllers is a real OU; Builtin, Computers, Users and Managed Service Accounts are plain containers, so you cannot link a GPO to them directly. That is one reason to move new computers out of Computers into an OU of your own.

Users in the 'IT' Organizational Unit for thm.local.

Security Groups vs OUs

OUs are used for categorizing users and computers into containers and applying policies with specific configurations to each set. An object lives in exactly one OU at a time.

Security groups are used for granting permissions over resources, such as access to a shared folder or a network printer. An object can belong to as many groups as needed, regardless of which OU it sits in.
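To make the distinction concrete, here is an added PowerShell example (not from the original post or the TryHackMe room) that builds the IT / Help Desk / Finance OUs from the text, creates a security group, and delegates the "Reset Password" right on a hypothetical Sales OU to that group by adding an ACE to the OU. The OU, group and user names are hypothetical; the domain is assumed to be thm.local and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# Domain Admin rights and a hypothetical domain thm.local.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=thm,DC=local

# OUs: containers that decide where policies and delegations apply.
New-ADOrganizationalUnit -Name 'IT'        -Path $domainDN
New-ADOrganizationalUnit -Name 'Help Desk' -Path "OU=IT,$domainDN"
New-ADOrganizationalUnit -Name 'Finance'   -Path $domainDN
New-ADOrganizationalUnit -Name 'Sales'     -Path $domainDN

# Security group: grants rights, no matter which OU its members live in.
New-ADGroup -Name 'Help Desk Staff' -GroupScope Global -GroupCategory Security `
    -Path "OU=Help Desk,OU=IT,$domainDN"

New-ADUser -Name 'phillip' -SamAccountName phillip -Path "OU=Help Desk,OU=IT,$domainDN" `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for phillip') -Enabled $true
Add-ADGroupMember -Identity 'Help Desk Staff' -Members phillip

# A user object has exactly one DN (one OU) but can be in many groups.
Get-ADUser phillip -Properties MemberOf | Select-Object DistinguishedName, MemberOf

# Delegation: an ACE on the Sales OU granting the "Reset Password" control access right
# on every descendant user object. The GUIDs are the schema's well-known identifiers for
# the Reset Password right and the user object class.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$groupSid           = (Get-ADGroup 'Help Desk Staff').SID
$ouPath             = "AD:\OU=Sales,$domainDN"

$acl  = Get-Acl -Path $ouPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: list the explicit (non-inherited) ACEs on the OU that name our group.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like '*Help Desk Staff' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The same Get-Acl / Access listing is also how you audit an OU for delegations you did not expect: any ACE granting GenericAll, WriteDacl or an extended right to a non-administrative group deserves a second look.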

Group Policies

Policies applied to Active Directory OUs are managed through Group Policy Objects (GPOs). A GPO is a collection of settings aimed at either users or computers, which lets you set a baseline configuration on specific machines and identities. These policies are what allow an administrator to control the AD environment.

To configure Group Policies, you first create a GPO under Group Policy Objects in the Group Policy Management tool:

Policy Objects under Group Policy Objects

Then link it to the domain, site or OU where you want the policies to apply. A GPO that is created but not linked does nothing. The screenshot below shows the Default Domain Policy and an RDP Policy linked to the thm.local domain as a whole, and the Default Domain Controllers Policy linked to the Domain Controllers OU only.

Default Domain Policy applied to the whole domain

GPO Distribution

GPOs are distributed to the network via a network share called SYSVOL. This share lives on the Domain Controllers and, by default, maps to C:\Windows\SYSVOL\sysvol\ on each DC; each GPO is stored under a folder named after its GUID. Every authenticated user in the domain can read this share, which is why anything sensitive (for example, credentials embedded in scripts) must never be placed there. Clients refresh policy in the background every 90 minutes, with a random offset of up to 30 minutes, so a change can take up to two hours to reach every machine. You can force an update from the command line with gpupdate /force.
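The following PowerShell walks through the whole procedure from the two sections above (create, configure and link a GPO, then find it in SYSVOL and force a refresh). It is an added example, not code from the original post or the TryHackMe room; the GPO name is hypothetical, the domain is assumed to be thm.local, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example, not from the original post. Assumes GroupPolicy and ActiveDirectory
# RSAT modules, Domain Admin rights and a hypothetical domain thm.local.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot                # thm.local
$domainDN = (Get-ADDomain).DistinguishedName      # DC=thm,DC=local

# 1. Create the GPO under "Group Policy Objects". At this point it is not linked anywhere.
$gpo = New-GPO -Name 'Auto Lock Screen' -Comment 'Lock the screen after 15 minutes idle'

# 2. Configure a Computer Configuration setting. This registry value backs the policy
#    "Interactive logon: Machine inactivity limit" (seconds).
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 900 | Out-Null

# 3. Link it to the domain root so it applies to every computer in thm.local.
New-GPLink -Name $gpo.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null

# What is linked at the domain root and at the Domain Controllers OU?
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
(Get-GPInheritance -Target "OU=Domain Controllers,$domainDN").GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 4. Distribution: the GPO's files are replicated through SYSVOL, in a folder named after
#    the GPO GUID. Every domain user can read this path.
$sysvolPath = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
Get-ChildItem -Path $sysvolPath -Recurse | Select-Object FullName

# 5. Clients pick the change up at their next background refresh; force it now
#    and confirm the GPO shows up as applied to this computer.
gpupdate /force
gpresult /r /scope:computer
```

Get-GPInheritance is the quickest way to answer "which GPOs actually reach this OU?", since it lists both the links made directly on the target and the ones inherited from above it.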

Authentication Types

The Domain Controllers hold the domain's credential database, so whenever a user tries to authenticate to a service with domain credentials, that service needs the Domain Controller to verify them. Active Directory uses two protocols to handle authentication:

  • Kerberos: the default authentication protocol.
  • NetNTLM: a legacy challenge-response protocol kept for compatibility. It still gets used whenever Kerberos cannot be (for example, when a client connects by IP address instead of hostname), so in practice most domains have some of both.

I won't go into great detail on how each protocol works, but I do recommend the AD Basics room on TryHackMe for more information on the topic.
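Because NetNTLM is kept only for compatibility, a practitioner usually wants to know how much of it is still in use before tightening things. As an added example (not from the original post), this PowerShell reads successful logon events (ID 4624) from a Domain Controller's Security log and groups them by authentication package and logon type. It assumes you run it on a DC, or against one, with rights to read the Security log.

```powershell
# Added example, not from the original post. Run on a Domain Controller with rights
# to read the Security log.
function Get-LogonProtocolSummary {
    param([int]$MaxEvents = 5000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Event data is positional in the message text; read the named XML fields
            # instead of relying on field order.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Package   = $data['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
                LmPackage = $data['LmPackageName']               # NTLM V1 / NTLM V2, '-' otherwise
                LogonType = $data['LogonType']                   # 3 = network, 10 = RDP, ...
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Source    = $data['IpAddress']
            }
        } |
        Group-Object Package, LmPackage, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

Get-LogonProtocolSummary -MaxEvents 2000 | Format-Table -AutoSize -Wrap
```

Rows whose name starts with NTLM tell you which accounts and logon types still depend on the legacy protocol; any "NTLM V1" row is worth chasing down first.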

Trees, Forests and Trust Relationships

Trees

In Active Directory, users, computers and other devices are stored as objects. From a network perspective, these objects are grouped into domains, each identified by a name that hangs off the root domain. For example, if the THM company (thm.local) has operations in both the US and the UK, the users, machines and other objects at each location can be grouped into their own subdomains (us.thm.local and uk.thm.local). These domains share the root's namespace and are linked to it by trusts, forming a tree.

Tree formed connecting root domain with subdomains

Active Directory supports multiple domains so that you can partition your network into units that are managed independently. It's worth mentioning a new security group here: Enterprise Admins. This group lives in the forest root domain and grants its members administrative privileges over all of the enterprise's domains.

Forest

Let's say THM expands and acquires another company, MHT. MHT has its own users, domains and trees; with the merger, both domain trees need to be able to communicate as part of the overall network. The union of several trees with different namespaces into the same network is known as a forest.

The union of two trees forming a forest.

Trust Relationships

Building on the previous example, say a user from one tree needs to access shares in a different tree. For this to happen, the domains arranged in trees and forests are joined by trust relationships. A trust relationship between two domains allows a user from one domain to be authorized to access resources in the other.

Trust relationships can be established in two ways:

  • One-way trust: the simplest of the two. If Domain AAA trusts Domain BBB, a user in BBB can be authorized to access resources in AAA (and not the other way round). The naming trips people up: the trusting domain is the one that opens its resources, and the trusted domain is the one whose users get in.
  • Two-way trust: allows both domains to mutually authorize each other's users. By default, joining several domains under a tree or a forest creates two-way, transitive trusts between parent and child domains and between tree roots.
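To see these relationships in a real domain rather than on a diagram, here is an added PowerShell example (not from the original post or the TryHackMe room) that maps the forest, identifies which domains are tree roots, and lists every trust visible from the current domain together with its direction and transitivity. It assumes the RSAT ActiveDirectory module and a domain user with line of sight to the other domains' DCs.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Domains in forest  : $($forest.Domains -join ', ')"

# Tree roots are the domains with no parent (thm.local, mht.local); every other
# domain (us.thm.local, uk.thm.local) hangs below one of them.
$forest.Domains | ForEach-Object {
    $d = Get-ADDomain -Identity $_
    [pscustomobject]@{
        Domain   = $d.DNSRoot
        Parent   = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
        Children = $d.ChildDomains -join ', '
    }
} | Format-Table -AutoSize

# Trusts, as seen from the domain you are querying:
#   Outbound      = this domain trusts the target; the target's users can be authorized here
#   Inbound       = the target trusts this domain
#   BiDirectional = both; parent/child and tree-root trusts inside a forest are created this way
# IntraForest and ForestTransitive show whether the trust extends beyond the two named domains.
Get-ADTrust -Filter * |
    Select-Object Source, Target, Direction, TrustType, IntraForest, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize
```

An Inbound trust from a domain you do not control is the one to scrutinize: it means that domain's users can be granted access to your resources, so you should know who administers it.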

Closing thoughts

I hope that this post proves to be a helpful resource for Active Directory basics. This is just some of the information I’ve learned while going through the Active Directory Basics room on TryHackMe and hope that it helps the next person either learning about Active Directory or Red Team activities in general. Please feel free to leave feedback on the information provided along with any tips or additional useful resources.

Thanks!
