Active Directory Domain Service (AD DS)

This entry is part 4 of 4 in the series Attack and Defend Active Directory


Overview

  • AD DS acts as a catalog for all objects in a network (users, groups, machines, printers, etc.).
  • Some objects, such as users and machines, are security principals, meaning they can be authenticated and assigned privileges.

Users

  • Represent people (employees) or services (e.g., IIS, MSSQL).
  • Can be authenticated and assigned permissions over resources.

Machines

  • Each computer that joins the domain has a machine account (e.g., DC01$).
  • Machine accounts are local administrators on their own devices.
  • Passwords for machine accounts are auto-rotated and are 120 characters long.
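Because machine account passwords are rotated automatically, a machine account whose password has not changed for a long time is either decommissioned, offline, or not rotating for some other reason, and a defender will want to know which. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the 30-day threshold is Windows' default "Maximum machine account password age", which you should adjust to your own domain policy.

```powershell
# Added example (not from the original post): list machine accounts whose
# password has not rotated within the expected window.
# Assumes: RSAT ActiveDirectory module, domain-joined session.
# The 30-day default below is an assumption; match it to your domain policy.
Import-Module ActiveDirectory

function Get-StaleMachineAccount {
    param([int]$MaxAgeDays = 30)

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # PasswordLastSet is derived from pwdLastSet. It is $null when the
    # password has never been set, which must be treated as stale too.
    # Enabled lets us tell a decommissioned machine from a live one.
    Get-ADComputer -Filter * -Properties PasswordLastSet, Enabled, OperatingSystem |
        Where-Object { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff) } |
        Select-Object Name,
                      Enabled,
                      OperatingSystem,
                      PasswordLastSet,
                      @{ Name       = 'DaysSinceRotation'
                         Expression = {
                             if ($_.PasswordLastSet) {
                                 [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                             } else {
                                 'never'
                             }
                         } }
}

# Enabled machines that missed rotation deserve attention first: a host that
# has been powered off for months simply rotates when it reconnects, but a
# live host that never rotates, or an account nobody owns, is a finding.
Get-StaleMachineAccount -MaxAgeDays 30 |
    Sort-Object Enabled, DaysSinceRotation -Descending |
    Format-Table -AutoSize
```

Run it from a session that can read computer objects (any domain user can by default). Pair the output with your asset inventory: accounts that are enabled, stale, and unknown to inventory are the ones to investigate or disable.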

Security Groups

  • Used to assign access rights efficiently to multiple users/machines.
  • Groups can contain users, machines, or other groups.
  • Default security groups:
    Security Group        Description
    Domain Admins         Full control over the domain.
    Server Operators      Can manage Domain Controllers but not admin groups.
    Backup Operators      Can access any file for backup purposes.
    Account Operators     Can create/modify user accounts.
    Domain Users          Includes all user accounts.
    Domain Computers      Includes all machines in the domain.
    Domain Controllers    Includes all DCs in the domain.
  • Full list available in Microsoft documentation.
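Since groups can contain other groups, the membership you see directly on Domain Admins is not the full set of principals that hold that privilege. The following is an added example, not code from the original post, that audits the privileged default groups from the table above with nested membership expanded and shows which principals are privileged only through nesting. It assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the original post): audit the membership of the
# default privileged groups, expanding nested groups so that a principal
# that is privileged only through a group-in-group chain is still reported.
# Assumes: RSAT ActiveDirectory module, domain-joined session.
Import-Module ActiveDirectory

# Groups from the table above that grant broad control over the domain.
$PrivilegedGroups = @(
    'Domain Admins',
    'Server Operators',
    'Backup Operators',
    'Account Operators'
)

function Get-PrivilegedPrincipal {
    param([string[]]$GroupNames = $PrivilegedGroups)

    foreach ($groupName in $GroupNames) {
        # -Recursive flattens nesting: it returns the leaf members (users,
        # computers) reachable through any chain of nested groups.
        $members = Get-ADGroupMember -Identity $groupName -Recursive

        foreach ($m in $members) {
            [pscustomobject]@{
                Group             = $groupName
                Name              = $m.SamAccountName
                # 'user' vs 'computer': a machine account in an admin group
                # is unusual and worth a second look.
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

function Get-NestedOnlyPrivilegedPrincipal {
    # Principals that are NOT direct members but still arrive via nesting.
    # Reviewing only the direct member list would miss these.
    param([string]$GroupName)
    $direct    = @((Get-ADGroupMember -Identity $GroupName).distinguishedName)
    $recursive = Get-ADGroupMember -Identity $GroupName -Recursive
    $recursive | Where-Object { $_.distinguishedName -notin $direct }
}

Get-PrivilegedPrincipal | Sort-Object Group, Name | Format-Table -AutoSize
Get-NestedOnlyPrivilegedPrincipal -GroupName 'Domain Admins' |
    Format-Table SamAccountName, objectClass, distinguishedName -AutoSize
```

Save the output on a schedule and diff it against the previous run: an unexpected new entry, especially in the nested-only view, is the kind of change that should trigger a review.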

Active Directory Users and Computers (ADUC)

  • Used to manage users, groups, and machines in AD.
  • Objects are organized in Organizational Units (OUs), which:
      • Classify users and machines.
      • Apply policies to users with similar roles (e.g., Sales vs. IT).
  • Users can only be in one OU at a time.

Default AD Containers

  • Builtin – Default Windows groups.
  • Computers – Default container for new machines joining the network.
  • Domain Controllers – Contains all DCs.
  • Users – Holds default domain-wide users and groups.
  • Managed Service Accounts – Accounts for Windows services.

Security Groups vs. OUs

Feature       Security Groups                    Organizational Units (OUs)
Purpose       Grant permissions to resources     Apply policies to users/machines
Membership    Users can be in multiple groups    A user can be in only one OU
Example       Access to a shared folder          Enforcing password policies
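The "many groups, one OU" distinction is visible directly on a user object: group membership is a multi-valued attribute (MemberOf plus the primary group), while the OU is simply the parent of the object's distinguished name. The following is an added example, not code from the original post, that reports both for every user. It assumes the RSAT ActiveDirectory module on a domain-joined host, and its DN parser handles escaped commas (e.g. "CN=Smith\, John,OU=Sales,..."), which a naive Split(',') would break on.

```powershell
# Added example (not from the original post): for each user, list the groups
# it belongs to (many) and the single OU or container that holds it (one),
# derived from the distinguished name.
# Assumes: RSAT ActiveDirectory module, domain-joined session.
Import-Module ActiveDirectory

function Split-DistinguishedName {
    param([string]$DistinguishedName)
    # Split on commas that are not preceded by a backslash, so an escaped
    # comma inside an RDN value ("CN=Smith\, John") stays in the value.
    [regex]::Split($DistinguishedName, '(?<!\\),')
}

function Get-ParentContainer {
    param([string]$DistinguishedName)
    $rdns = Split-DistinguishedName $DistinguishedName
    # Drop the object's own RDN; what remains is its one OU/container path.
    ($rdns | Select-Object -Skip 1) -join ','
}

function Get-UserGroupAndOU {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf, PrimaryGroup |
        ForEach-Object {
            # MemberOf holds direct group DNs only. The primary group (usually
            # Domain Users) is stored separately, so it is appended here.
            $groupDns = @($_.MemberOf) + $_.PrimaryGroup
            $groups   = @($groupDns | ForEach-Object {
                (Split-DistinguishedName $_)[0] -replace '^CN='
            })
            [pscustomobject]@{
                User       = $_.SamAccountName
                OU         = Get-ParentContainer $_.DistinguishedName
                GroupCount = $groups.Count
                Groups     = ($groups -join '; ')
            }
        }
}

Get-UserGroupAndOU | Sort-Object OU, User | Format-Table User, OU, GroupCount -AutoSize
```

Note that this shows direct membership only; the recursive view from the security-groups section is the one to use when the question is "who effectively holds this privilege". Also, users that live directly in the default Users container rather than an OU will show a CN= parent, since that container is not an OU and cannot have Group Policy linked to it.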