Active Directory Basics: TryHackMe

Tanvi Lalwani
13 min read · Apr 2, 2023

A Windows domain is a group of computers and users managed by a central server called a Domain Controller. It simplifies the administration of a large network by allowing you to configure policies and settings from a central location, apply them to users and computers across the network, and provide remote support and troubleshooting. This is particularly useful for businesses with many computers and users spread across multiple locations. The main idea behind a domain is to centralize the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).

Active Directory is also the component that allows your school/university to restrict you from accessing the control panel on your school/university machines. Policies will usually be deployed throughout the network so that you don’t have administrative privileges over those computers.

In a Windows domain, credentials are stored in a centralized repository called…

  • Active Directory

The server in charge of running the Active Directory services is called…

  • Domain Controller

Active Directory:

The Active Directory Domain Service (AD DS) is a key component of the Windows Domain and serves as a central database or directory of all objects in the network. These objects can include user accounts, group policies, security groups, computer accounts, and more. By storing all this information in one place, AD DS provides a convenient and efficient way to manage and organize resources on the network. It also allows for easy authentication and authorization of users and devices, making it an essential tool for securing and maintaining a Windows Domain.

Users:

Users are one of the most important object types in Active Directory, as they are used to represent both people and services within the organization. As security principals, users can be authenticated by the domain and assigned privileges over resources such as files or printers. This allows them to access the resources they need to do their job, while also ensuring that sensitive data is protected from unauthorized access.

In addition to representing people who need access to the network, users can also be defined to run specific services such as IIS or MSSQL. These service users have limited privileges and are only authorized to access the resources necessary to run their specific service. This helps to prevent unauthorized access and protect the overall security of the network.

Machines:

In Active Directory, machines refer to computers that have joined the domain. When a computer joins the domain, a machine object is created in Active Directory, which allows the computer to be managed centrally through Group Policy, as well as enabling authentication and authorization services for users who log in to the computer.

Machine objects are also considered security principals, which means they can be authenticated by the domain and assigned privileges over network resources. However, the account associated with a machine object has limited rights within the domain itself and is typically only accessed by the computer itself. The machine account is also a local administrator on the computer, allowing it to perform administrative tasks locally.

Security Groups:

Security groups are an important object type in Active Directory and are used to manage access to network resources. By assigning permissions to a security group, you can control access to files, folders, printers, and other resources for all the members of that group.

Like users and machines, security groups are also considered security principals in Active Directory, which means they can be authenticated and assigned privileges over network resources. You can add users, machines, and even other groups to a security group, making it easy to manage access rights for multiple users and resources at once.

Active Directory Users and Computers:

To configure users, machines, or groups in AD, we have to log in to the DC and run Active Directory Users and Computers as shown in the below screenshot.

Organizational Units (OUs) are container objects that help you organize and manage users, computers, and groups in Active Directory. You can use OUs to group objects together based on their department, location, or any other criteria you choose. By doing so, you can apply specific policies or permissions to those objects. However, each user can only belong to one OU at a time. We can see that we have an OU named THM with 5 child OUs in the below screenshot.

Which group normally administrates all computers and resources in a domain?

  • Domain Admins

What would be the name of the machine account associated with a machine named TOM-PC?

  • TOM-PC$

The machine account name is the computer’s name followed by a dollar sign.

Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

  • Organizational Unit

Task 4: Managing Users in AD

Your first task as the new domain administrator is to check the existing AD OUs and users, as some recent changes have happened to the business. You have been given the following organizational chart and are expected to make changes to the AD to match it:

To begin with this task, we can see that only 4 departments are mentioned in the chart above, but our current AD has an additional one, Research and Development. Since we were told it was closed due to budget cuts, we will remove its OU.

However, we were unable to delete it, because OUs are protected against accidental deletion by default.

So to delete the OU, we need to enable the Advanced Features in the View menu as shown in the below screenshot.

Then right-click the OU and go to Properties as shown in the below snapshot.

Then open the Object tab, uncheck the box to disable the protection, and try deleting the OU again.

And we get a confirmation prompt box for deleting the OU.

Next we make sure that users are assigned correctly inside each OU; while doing that, we noticed that the Sales OU had 2 extra users.

We deleted Christine and Robert from Sales and matched it with the diagram.

As Phillip is in charge of IT support, we want to delegate control of resetting passwords over the Sales, Marketing, and Management OUs to him.

Then we add Phillip through Delegate Control: type Phillip in the "Enter the object names to select" box, click Check Names, and select Phillip.

After confirming the selection, you can see that Phillip has been added.

As we are giving him control over resetting user passwords, we check the box shown below, click Next, and repeat the same steps for the rest of the OUs.

Then, using RDP, we logged in with Phillip's account to reset Sophie's password.

Phillip's credentials are THM\phillip with the password Claire2008.

Resetting a user’s password using PowerShell.
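The following PowerShell is an added example, not a screenshot or script from the original write-up. It does two things that belong to this step: it resets a user's password the way a delegated support account would (with the reset-without-old-password right Phillip was just given, and forcing a change at next logon), and it audits which principals actually hold the "Reset Password" extended right over an OU, so the delegation can be checked later. It assumes the RSAT ActiveDirectory module, a session running as the delegated user, and OU paths of the form OU=Sales,OU=THM,DC=thm,DC=local (the THM OU with its child OUs shown earlier); those DNs are an assumption.

```powershell
# Added example (not from the original write-up). Assumes the ActiveDirectory
# module and a session running as a user holding the delegated right
# (e.g. THM\phillip after the delegation step). OU DNs are assumptions.
Import-Module ActiveDirectory

function Reset-DelegatedUserPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # -Reset sets a new password without knowing the old one; this is exactly
    # the "Reset user passwords" right that was delegated over the OU.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword -Verbose
    # Force the user to choose their own password at next logon so the support
    # technician does not keep a working credential for the account.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Verbose
}

# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    # Read the OU's DACL through the AD: PSDrive that the ActiveDirectory module provides.
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $_.ObjectType -eq $ResetPasswordRightGuid
        } |
        Select-Object @{ n = 'OU'; e = { $OuDistinguishedName } }, IdentityReference, IsInherited
}

# Usage: reset sophie's password as the delegated support user, then list who holds
# the Reset Password right over each OU that Phillip was delegated.
$pw = Read-Host -AsSecureString -Prompt 'New password for sophie'
Reset-DelegatedUserPassword -SamAccountName 'sophie' -NewPassword $pw

'Sales', 'Marketing', 'Management' | ForEach-Object {
    Get-ResetPasswordDelegation -OuDistinguishedName "OU=$_,OU=THM,DC=thm,DC=local"
} | Format-Table -AutoSize
```

The audit function is the part a domain administrator should re-run periodically: a Reset Password right granted to a broad group, or one that shows up on an OU where it was never intended, is the kind of quiet over-delegation that later lets a help-desk account take over privileged users.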

After resetting Sophie's password, we can log in to Sophie's account with the new password.

And we found a flag in Sophie’s account: THM{thanks_for_contacting_support}

The process of granting privileges to a user over some OU or other AD Object is called…

  • Delegation

Task 5: Managing Computers in AD

In an Active Directory domain, it’s important to organize devices according to their use. Workstations, servers, and domain controllers are the most common devices in the network. Workstations are used by users to do their work, servers provide services to users or other servers, and domain controllers manage the Active Directory domain. To better manage these devices, it’s recommended to create separate Organizational Units (OUs) for workstations and servers. The domain controllers are already in an OU created by Windows. These OUs will be created directly under the domain container.

Now we will create two separate OUs, Workstations and Servers, under thm.local. Right-click on thm.local, then New, then Organizational Unit, as shown below.

And we created both of the OUs.

Now we will move all the servers from Computers into the Servers OU.

And we moved all the PCs and laptops from Computers into the Workstations OU.
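The same procedure done in PowerShell, as an added example rather than anything from the original write-up: create the two OUs directly under the domain (leaving accidental-deletion protection on, which is what made the Research and Development OU hard to delete earlier), move computer objects out of the default Computers container based on their operating system attribute, and count what ended up in each OU. It assumes the ActiveDirectory module on the DC, the domain thm.local from the room, and that the OperatingSystem attribute is populated on the computer objects.

```powershell
# Added example (not from the original write-up). Assumes the ActiveDirectory
# module on the DC and the thm.local domain used in the room.
Import-Module ActiveDirectory

$DomainDn = 'DC=thm,DC=local'
$DefaultComputersContainer = "CN=Computers,$DomainDn"

function New-DeviceOu {
    param([Parameter(Mandatory)] [string] $Name)
    # Only create the OU if it is missing; New-ADOrganizationalUnit errors on duplicates.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $DomainDn -SearchScope OneLevel
    if (-not $existing) {
        # Keep accidental-deletion protection on for a container that will hold devices.
        New-ADOrganizationalUnit -Name $Name -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$DomainDn"   # return the OU's distinguished name
}

function Move-ComputersByRole {
    param(
        [Parameter(Mandatory)] [string] $ServersOu,
        [Parameter(Mandatory)] [string] $WorkstationsOu
    )
    # Domain controllers already live in the built-in Domain Controllers OU, so only the
    # default Computers container is searched. Windows Server editions go to Servers,
    # everything else to Workstations.
    $computers = Get-ADComputer -Filter * -SearchBase $DefaultComputersContainer -Properties OperatingSystem
    foreach ($c in $computers) {
        $target = if ($c.OperatingSystem -like '*Server*') { $ServersOu } else { $WorkstationsOu }
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -Verbose
    }
}

function Get-OuComputerCount {
    param([Parameter(Mandatory)] [string] $OuDn)
    # Number of computer objects directly inside the OU (this is how the "7" above is checked).
    (Get-ADComputer -Filter * -SearchBase $OuDn -SearchScope OneLevel | Measure-Object).Count
}

$servers      = New-DeviceOu -Name 'Servers'
$workstations = New-DeviceOu -Name 'Workstations'
Move-ComputersByRole -ServersOu $servers -WorkstationsOu $workstations
"Workstations: $(Get-OuComputerCount $workstations); Servers: $(Get-OuComputerCount $servers)"
```

Sorting on the OperatingSystem attribute is a reasonable default, but the attribute is self-reported by the machine when it joins, so anything with a blank or unexpected value should be reviewed by hand before a server quietly inherits workstation policies.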

After organising the available computers, how many ended up in the Workstations OU?

  • 7

Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

  • Yay

Task 6: Group Policies

Windows manages policies like these through Group Policy Objects (GPOs). A GPO is simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.

Let's dive deeper into Group Policy Management. We can see that the Default Domain Policy and the RDP Policy are linked to the thm.local domain, while the Default Domain Controllers Policy is linked to the Domain Controllers OU. Looking at the Default Domain Policy, we can see that it is linked only to thm.local, and we can also notice that Security Filtering can be applied to GPOs. Each GPO has configurations that apply to computers only and configurations that apply to users only.

Clicking on Settings, we can see that the Default Domain Policy only contains Computer Configuration.

Then right-click on Default Domain Policy and click on Edit.

To check the minimum password length, expand Windows Settings > Security Settings > Account Policies and click on Password Policy. We can see that the minimum password length is 7 characters, and we have to change it to 10, so right-click on the 7 characters entry and click on Properties.

Change it to 10 characters.

The Explain tab gives more information about the setting.

We will create a new GPO, right-click on thm.local and select Create a GPO.

Now expand User Configuration > Policies > Administrative Templates > Control Panel, then click on Prohibit access to Control Panel and PC settings.

Then double-click the policy setting and select Enabled.

Then we drag Restricted Control Panel Access onto the Management, Marketing, and Sales OUs as shown below.

We create a new GPO named Auto Lock Screen.

Expand Policies > Windows Settings > Security Settings > Local Policies > Security Options.

Then we set the inactivity limit to 5 minutes so that computers lock automatically if a user leaves their session open: right-click on it, click on Properties, and set it to 300 seconds.

Then, using RDP, log in as mark with the password M4rk3t1ng.21.

When we tried opening the Control Panel, we got this error message, which is shown whenever a user attempts a prohibited action.
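The three GPO changes made above (minimum password length, the Control Panel restriction, and the auto-lock timeout) can also be scripted with the GroupPolicy and ActiveDirectory modules on the DC. The block below is an added example and not part of the original write-up. It assumes the thm.local domain, that the Management, Marketing and Sales OUs sit under OU=THM, and that the Auto Lock Screen GPO is linked at the domain root (the write-up does not say where it was linked, so that target is an assumption). The two registry values are the ones backing the corresponding Administrative Template and Security Option settings.

```powershell
# Added example (not from the original write-up). Requires the GroupPolicy and
# ActiveDirectory modules on the DC. OU DNs and the lock-policy link target are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'thm.local'
$DomainDn = 'DC=thm,DC=local'
$OuRoot   = "OU=THM,$DomainDn"

# 1. Minimum password length 7 -> 10. Set-ADDefaultDomainPasswordPolicy writes the
#    domain-wide policy that the Default Domain Policy GPO carries.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MinPasswordLength 10

function Get-OrCreateGpo {
    param([Parameter(Mandatory)] [string] $Name)
    # Idempotent: reuse the GPO if it already exists.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    $gpo
}

# 2. "Restricted Control Panel Access": User Configuration > Administrative Templates >
#    Control Panel > Prohibit access to Control Panel and PC settings (NoControlPanel = 1).
function New-RestrictedControlPanelGpo {
    param([string] $Name = 'Restricted Control Panel Access')
    $gpo = Get-OrCreateGpo -Name $Name
    Set-GPRegistryValue -Name $Name `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
    $gpo
}

# 3. "Auto Lock Screen": Interactive logon: Machine inactivity limit, backed by
#    InactivityTimeoutSecs (300 s = 5 min). Written this way it lands in registry.pol and
#    shows under Extra Registry Settings in a GPO report rather than under Security Options,
#    but the client applies the same value.
function New-AutoLockScreenGpo {
    param([string] $Name = 'Auto Lock Screen', [int] $Seconds = 300)
    $gpo = Get-OrCreateGpo -Name $Name
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'InactivityTimeoutSecs' -Type DWord -Value $Seconds | Out-Null
    $gpo
}

function Add-GpoLinkToTargets {
    param([Parameter(Mandatory)] [string] $GpoName, [Parameter(Mandatory)] [string[]] $TargetDns)
    foreach ($target in $TargetDns) {
        # Skip targets that already carry the link so the script can be re-run safely.
        $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $GpoName
        if (-not $linked) { New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null }
    }
}

$cp = New-RestrictedControlPanelGpo
Add-GpoLinkToTargets -GpoName $cp.DisplayName -TargetDns @(
    "OU=Management,$OuRoot", "OU=Marketing,$OuRoot", "OU=Sales,$OuRoot"
)

$lock = New-AutoLockScreenGpo
Add-GpoLinkToTargets -GpoName $lock.DisplayName -TargetDns @($DomainDn)   # assumed link target

# Verification: the report of each GPO lists the registry values just set.
Get-GPOReport -Name $cp.DisplayName -ReportType Html -Path "$env:TEMP\restricted-control-panel.html"
```

Because the Control Panel restriction is a user-side setting, it only takes effect for accounts whose user object lives under a linked OU; linking it to an OU that holds only computer objects would do nothing, which is a common source of "the GPO is applied but nothing changed" confusion.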

What is the name of the network share used to distribute GPOs to domain machines?

  • SYSVOL

Can a GPO be used to apply settings to users and computers? (yay/nay)

  • yay

Task 7: Authentication Methods

Kerberos and NetNTLM are two network authentication protocols used in Windows domains. Kerberos is the default protocol in recent versions of Windows and provides a more secure authentication mechanism using encryption and mutual authentication. NetNTLM, on the other hand, is a legacy authentication protocol that is kept for compatibility purposes but is less secure, relying on a challenge-response exchange built around the user's password hash rather than on tickets and mutual authentication. Whenever a user tries to authenticate to a service using domain credentials, the service will ask the Domain Controller to verify the credentials using one of these protocols.

Kerberos is the default authentication protocol for recent versions of Windows. When a user logs into a service using Kerberos, they are assigned tickets that act as proof of authentication. The user sends their username and a timestamp encrypted using a key derived from their password to the Key Distribution Center (KDC), which creates and sends back a Ticket Granting Ticket (TGT) and a Session Key. When the user wants to connect to a specific service, they use the TGT to request a Ticket Granting Service (TGS) from the KDC, which sends them a TGS and a Service Session Key. The TGS can be sent to the service to authenticate and establish a connection.

NetNTLM works using a challenge-response mechanism where the client sends an authentication request to the server, which generates a random number as a challenge. The client combines their NTLM password hash with the challenge to generate a response and sends it back to the server. The server forwards the challenge and response to the Domain Controller for verification. If the response matches the one calculated by the Domain Controller, the client is authenticated, and access is granted. The user’s password is never transmitted through the network for security.
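From a defender's side, the practical question that follows from these two paragraphs is which of the protocols is actually being used on a given domain host. Successful logons are recorded as Security event 4624, and that event carries an AuthenticationPackageName field that reads Kerberos or NTLM (NTLM being the NetNTLM challenge-response described above). The block below is an added example, not part of the original write-up; it summarises recent logons by authentication package and lists the latest NTLM network logons, which on a Kerberos-capable domain usually mean a client that connected by IP address rather than hostname, a legacy application, or a downgrade worth investigating. It assumes an elevated session on a DC or server where logon auditing is enabled.

```powershell
# Added example (not from the original write-up). Reads the local Security log, so it
# must run elevated on a host where successful logons (event ID 4624) are audited.
function Get-LogonAuthPackageSummary {
    param([int] $MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Pull named fields out of the event XML rather than relying on positional indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = [int]$data['LogonType']          # 2 interactive, 3 network, 10 RDP
            AuthPackage = $data['AuthenticationPackageName'] # Kerberos, NTLM or Negotiate
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }

    [pscustomobject]@{
        # How many of the recent logons used each package.
        Summary = $rows | Group-Object AuthPackage | Select-Object Name, Count
        # Network logons (type 3) over NTLM are the ones to review on a Kerberos domain.
        RecentNtlmNetworkLogons = $rows |
            Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq 3 } |
            Sort-Object Time -Descending | Select-Object -First 20
    }
}

$result = Get-LogonAuthPackageSummary
$result.Summary | Format-Table -AutoSize
$result.RecentNtlmNetworkLogons | Format-Table -AutoSize
```

Kerberos needs a service principal name to issue a TGS for a service, so a connection made to a bare IP address cannot obtain a Kerberos ticket and falls back to NTLM; that is the most common benign explanation for entries in the second table, and a good first thing to rule out before treating an NTLM logon as suspicious.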

Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

  • nay

When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

  • Ticket Granting Ticket

When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)

  • nay

Task 8: Trees, Forests and Trusts

In AD, a root domain (for example demo.com) together with its subdomains, such as uk.demo.com and ca.demo.com, is known as a tree. If an organization needs to centrally manage resources and implement policies across several trees, it can form a forest (for example demo1.com and demo2.com).

Multiple domains and subdomains, such as uk.demo1.com and ca.demo1.com, can be managed by an AD security group called Enterprise Admins. If a forest is in place, a one-way or two-way trust relationship should be used to specify who has permission to access resources between trees (such as two root domains like demo1.com and demo2.com).

Objects in demo2.com can access objects in demo1.com, but not the other way around, if demo1.com is set as the trusted domain and demo2.com is set as the trusting domain.

Establishing a trust relationship between domains allows you to authorize users from one domain to access resources in another domain. However, it doesn’t automatically grant access to all resources in the other domain. You still have the control to specify what resources the authorized users can access. Trust relationships can be one-way or two-way, depending on the direction of the access and the mutual authorization of users from both domains.

What is a group of Windows domains that share the same namespace called?

  • Tree

What should be configured between two domains for a user in Domain A to access a resource in Domain B?

  • A trust relationship
