Boring Active Directory Basics

Active Directory: From Basics to Advanced Concepts

The Active Directory Domain Service (AD DS) is a key component of the Windows Domain and serves as a central database or directory of all objects in the network. These objects can include user accounts, group policies, security groups, computer accounts, and more. By storing all this information in one place, AD DS provides a convenient and efficient way to manage and organize resources on the network. It also allows for easy authentication and authorization of users and devices, making it an essential tool for securing and maintaining a Windows Domain. In this blog post, we'll cover the basics of Active Directory, explore advanced concepts, and provide practical code snippets to help you get hands-on experience.

1. What is Active Directory?

Active Directory is a directory service developed by Microsoft for Windows domain networks. It stores information about objects on the network (e.g., users, computers, printers) and makes this information available to users and administrators. The main idea behind a domain is to centralize the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).

Key Features:

  • Centralized user and resource management.
  • Single sign-on (SSO) for users.
  • Group Policy for managing user and computer settings.
  • Scalability to support large organizations.

2. Key Components of Active Directory

a. Domain

A Windows domain is a group of computers and users managed by a central server called a Domain Controller. It simplifies the administration of a large network by allowing you to configure policies and settings from a central location, apply them to users and computers across the network, and provide remote support and troubleshooting. This is particularly useful for businesses with many computers and users spread across multiple locations.

b. Domain Controller (DC)

A server that runs Active Directory Domain Services (AD DS) and manages user authentication and authorization.

c. Users

Users are one of the most important object types in Active Directory, as they are used to represent both people and services within the organization. As security principals, users can be authenticated by the domain and assigned privileges over resources such as files or printers. This allows them to access the resources they need to do their job, while also ensuring that sensitive data is protected from unauthorized access.

d. Machines

In Active Directory, machines refer to computers that have joined the domain. When a computer joins the domain, a machine object is created in Active Directory, which allows the computer to be managed centrally through Group Policy, as well as enabling authentication and authorization services for users who log in to the computer.

e. Security Groups

Security groups are an important object type in Active Directory and are used to manage access to network resources. By assigning permissions to a security group, you can control access to files, folders, printers, and other resources for all the members of that group. Examples include Domain Admins, Server Operators, Backup Operators, Account Operators, and Domain Users.

f. Organizational Units (OU)

Organizational Units (OUs) are container objects that help you organize and manage users, computers, and groups in Active Directory. You can use OUs to group objects together based on their department, location, or any other criteria you choose. By doing so, you can apply specific policies or permissions to those objects. However, each user can only belong to one OU at a time. Within an OU you can manage users, remove departments, and guard against accidental deletion by enabling "Protect object from accidental deletion". You can then delegate control over particular users by adding them to specified groups, for example giving a user the right to reset passwords.

g. Manage Users in AD

In an Active Directory domain, it’s important to organize devices according to their use. Workstations, servers, and domain controllers are the most common devices in the network. Workstations are used by users to do their work, servers provide services to users or other servers, and domain controllers manage the Active Directory domain. To better manage these devices, it’s recommended to create separate Organizational Units (OUs) for workstations and servers. The domain controllers are already in an OU created by Windows. These OUs will be created directly under the domain container.
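The following script is an added example (not code from the original post) that carries out what sections 2f and 2g describe: it creates Workstations and Servers OUs directly under the domain container with accidental-deletion protection turned on, moves computer objects out of the default Computers container, and delegates only the "Reset Password" right on one OU to a help-desk group instead of handing out broad admin membership. The domain name example.com, the OU names, and the HelpDesk group and Staff OU are assumptions for illustration; the two GUIDs are the well-known schema identifiers for the Reset Password control access right and the user object class.

```powershell
Import-Module ActiveDirectory

$domainDn = "DC=example,DC=com"   # assumed domain

# 1. OUs for workstations and servers, created directly under the domain
#    container and protected from accidental deletion (the checkbox from 2f).
foreach ($ouName in "Workstations", "Servers") {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move domain-joined computers out of the default CN=Computers container so
#    that OU-linked GPOs actually reach them. The OS attribute decides the target OU.
$computers = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -Properties OperatingSystem
foreach ($computer in $computers) {
    $target = if ($computer.OperatingSystem -like "*Server*") { "OU=Servers,$domainDn" } else { "OU=Workstations,$domainDn" }
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target
}

# 3. Delegate the "Reset Password" control access right on user objects below
#    the Staff OU to the HelpDesk group (both names assumed). This is the
#    least-privilege alternative to making help-desk staff Account Operators.
$staffOu            = "OU=Staff,$domainDn"
$helpDesk           = Get-ADGroup -Identity "HelpDesk"
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # control access right: Reset Password
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schema class: user

$acl = Get-Acl -Path "AD:\$staffOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$staffOu" -AclObject $acl

# 4. Verify: list the ACEs on the OU that grant the Reset Password right.
(Get-Acl -Path "AD:\$staffOu").Access |
    Where-Object { $_.ObjectType -eq $resetPasswordRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
```

Run it from a host with the RSAT ActiveDirectory module as an account that can create OUs and modify the OU's security descriptor. The verification step at the end is the part to keep in a periodic check: delegated rights accumulate silently over time, and listing them per OU is how you notice a delegation that should no longer exist.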

h. Group Policies

Windows manages such policies through Group Policy Objects (GPO). GPOs are simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities. In Group Policies we can configure the minimum password length, prohibit users from accessing Windows components such as the Control Panel, enable an automatic lock-screen function, and so on.

i. Forests, Trees and Trust Relationships

  • Forest: The domains you manage can also be configured in different namespaces. Suppose your company continues growing and eventually acquires another company called Company2 Inc. When both companies merge, you will probably have different domain trees for each company, each managed by its own IT department. The union of several trees with different namespaces into the same network is known as a forest.
  • Tree: Imagine, for example, that suddenly your company expands to a new country. The new country has different laws and regulations that require you to update your GPOs to comply. In addition, you now have IT people in both countries, and each IT team needs to manage the resources that correspond to each country without interfering with the other team. While you could create a complex OU structure and use delegations to achieve this, having a huge AD structure might be hard to manage and prone to human errors.

    Luckily for us, Active Directory supports integrating multiple domains so that you can partition your network into units that can be managed independently. If you have two domains that share the same namespace (company.local in our example), those domains can be joined into a Tree.

    If our company.local domain was split into two subdomains for UK and US branches, you could build a tree with a root domain of company.local and two subdomains called uk.company.local and us.company.local, each with its AD, computers, and users

  • Trust Relationships: Having multiple domains organized in trees and forests allows you to have a nicely compartmentalized network in terms of management and resources. But at a certain point, a user at COMPANY UK might need to access a shared file on one of COMPANY ASIA's servers. For this to happen, domains arranged in trees and forests are joined together by trust relationships. In simple terms, having a trust relationship between domains allows you to authorize a user from domain COMPANY UK to access resources from domain COMPANY EU. The simplest trust relationship that can be established is a one-way trust. In a one-way trust, if Domain AAA trusts Domain BBB, a user on BBB can be authorized to access resources on AAA.

j. Schema

Defines the structure and attributes of objects in AD.

3. Setting Up Active Directory

To set up Active Directory, you need to install the Active Directory Domain Services (AD DS) role on a Windows Server.

Step 1: Install AD DS

# Install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 2: Promote the Server to a Domain Controller

# Promote the server to a domain controller (creates a new forest).
# The cmdlet prompts for the Directory Services Restore Mode (DSRM) password and reboots the server when finished.
Install-ADDSForest -DomainName "example.com" -DomainNetbiosName "EXAMPLE" -InstallDns

4. Basic AD Operations

a. Creating a User

# Create a new user
# The password is hard-coded here only for illustration; in practice read it with Read-Host -AsSecureString so it never appears in a script or shell history.
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@example.com" -Path "OU=Users,DC=example,DC=com" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Enabled $true

b. Creating a Group

# Create a new group
New-ADGroup -Name "IT Admins" -SamAccountName "ITAdmins" -GroupCategory Security -GroupScope Global -Path "OU=Groups,DC=example,DC=com"

c. Adding a User to a Group

# Add a user to a group
Add-ADGroupMember -Identity "IT Admins" -Members "jdoe"

5. Advanced AD Concepts

a. Group Policy Objects (GPOs)

GPOs are used to enforce settings and configurations across users and computers in a domain.

Example: Create a GPO

# Create a new GPO
New-GPO -Name "Disable USB Access"

Link GPO to an OU

# Link GPO to an OU
New-GPLink -Name "Disable USB Access" -Target "OU=Computers,DC=example,DC=com"
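The two cmdlets above create an empty GPO and link it; the example below (added here, not from the original post) fills the "Disable USB Access" GPO with an actual setting and also builds the user-side baseline described in section 2h (hidden Control Panel, password-protected screen saver after ten minutes). The registry paths are the standard policy locations for those settings; the GPO name "User Baseline", the OU names, the report path and the domain example.com are assumptions.

```powershell
Import-Module GroupPolicy

$domainDn = "DC=example,DC=com"   # assumed domain

# --- Computer baseline: the GPO from the post, with a real setting in it ---
$usbGpo = "Disable USB Access"
if (-not (Get-GPO -Name $usbGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $usbGpo -Comment "Blocks USB mass-storage devices on domain computers" | Out-Null
}
# Service start type 4 = disabled: the USB storage driver will not load.
Set-GPRegistryValue -Name $usbGpo -Key "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" `
    -ValueName "Start" -Type DWord -Value 4 | Out-Null

# Computer settings only take effect when the GPO is linked where the computer objects live.
New-GPLink -Name $usbGpo -Target "OU=Computers,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- User baseline (assumed GPO name): settings from section 2h ---
$userGpo = "User Baseline"
if (-not (Get-GPO -Name $userGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $userGpo -Comment "Hide Control Panel, lock screen after 10 minutes" | Out-Null
}
# HKCU keys go into the User Configuration half of the GPO.
Set-GPRegistryValue -Name $userGpo -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null
$desktopKey = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name $userGpo -Key $desktopKey -ValueName "ScreenSaveActive"   -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $userGpo -Key $desktopKey -ValueName "ScreenSaverIsSecure" -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $userGpo -Key $desktopKey -ValueName "ScreenSaveTimeOut"  -Type String -Value "600" | Out-Null

# User settings apply to the user objects under the linked OU, so link to the Users OU, not the Computers OU.
New-GPLink -Name $userGpo -Target "OU=Users,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- Verify what was written, and keep a report of the resulting policy ---
foreach ($name in $usbGpo, $userGpo) {
    Get-GPO -Name $name | Select-Object DisplayName, GpoStatus, ModificationTime
    Get-GPOReport -Name $name -ReportType Html -Path "C:\Reports\$name.html"   # assumed path
}
```

Clients pick the settings up at the next policy refresh (or after `gpupdate /force` on a workstation). Keeping the HTML report from `Get-GPOReport` alongside the change ticket gives you a baseline to diff against when someone later asks why a setting changed.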

b. Active Directory Federation Services (AD FS)

AD FS provides single sign-on (SSO) capabilities for external applications.

c. Active Directory Certificate Services (AD CS)

AD CS is used to issue and manage digital certificates.

6. Security Best Practices

  • Implement Least Privilege: Grant users the minimum permissions necessary to perform their tasks.
  • Enable Multi-Factor Authentication (MFA): Add an extra layer of security to user accounts.
  • Regularly Audit AD: Use tools like Microsoft Advanced Threat Analytics (ATA) or Azure Sentinel to monitor and detect suspicious activity.
  • Secure Domain Controllers: Physically secure DCs and limit administrative access.
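A practical way to act on the first and third points is a recurring audit of who actually holds privileged group membership and what the domain trusts. The script below is an added example, not part of the original post: it expands the built-in privileged groups named in section 2e (nested members included), flags members whose password never expires, is over a year old, or who carry a service principal name (a service account that should not be in an admin group), and then lists every trust relationship from section 2i with its direction. The report path is an assumption; the group names are Windows built-ins.

```powershell
Import-Module ActiveDirectory

# Built-in groups whose members can take over the domain or its data.
$privilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                    "Account Operators", "Server Operators", "Backup Operators"

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so a user who is an admin via Group-in-Group is counted too.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq "user" } |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, ServicePrincipalName |
        ForEach-Object {
            $pwdAge = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Group                = $group
                User                 = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordAgeDays      = $pwdAge
                LastLogonDate        = $_.LastLogonDate
                HasSPN               = ($_.ServicePrincipalName.Count -gt 0)
            }
        }
}

# Full membership picture, one row per (group, user).
$report | Sort-Object Group, User | Format-Table -AutoSize

# Findings that need an owner: each one is a standing violation of least privilege.
$findings = $report | Where-Object {
    $_.PasswordNeverExpires -or ($_.PasswordAgeDays -gt 365) -or $_.HasSPN
}
$findings | Format-Table Group, User, PasswordNeverExpires, PasswordAgeDays, HasSPN -AutoSize

# Trusts (section 2i): every trust is an authentication path into this domain, so review
# its direction and whether selective authentication limits what the other side can reach.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

$report | Export-Csv -Path "C:\Reports\PrivilegedAccounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation   # assumed path
```

Schedule it and diff consecutive CSV exports: a new row in Domain Admins between two runs is the kind of change that should always match a change ticket, and a row that disappears tells you a clean-up actually happened.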

7. Automating AD Tasks with PowerShell

PowerShell is a powerful tool for automating Active Directory management tasks.

a. Bulk User Creation

# Import users from a CSV file with the columns Name, FirstName, LastName, SamAccountName, Password.
# The CSV holds initial passwords in clear text: restrict access to it and delete it once the accounts exist.
$users = Import-Csv -Path "C:\Users.csv"
foreach ($user in $users) {
    try {
        New-ADUser -Name $user.Name -GivenName $user.FirstName -Surname $user.LastName -SamAccountName $user.SamAccountName -UserPrincipalName "$($user.SamAccountName)@example.com" -Path "OU=Users,DC=example,DC=com" -AccountPassword (ConvertTo-SecureString $user.Password -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        Write-Verbose "Created $($user.SamAccountName)"
    } catch {
        # Keep going on a duplicate or policy failure, but record which row failed.
        Write-Warning "Failed to create $($user.SamAccountName): $($_.Exception.Message)"
    }
}

b. Export AD Users

# Export all users to a CSV file.
# Request only the attribute being exported (EmailAddress); -Properties * pulls every attribute of every user and is slow on large domains.
Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, SamAccountName, EmailAddress | Export-Csv -Path "C:\ADUsers.csv" -NoTypeInformation

c. Find Inactive Accounts

# Find users who haven't logged in for 90 days
$inactiveDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $inactiveDate} -Properties LastLogonDate | Select-Object Name, SamAccountName, LastLogonDate
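The one-liner above misses accounts that were created and never used (LastLogonDate is empty for them) and includes accounts that are already disabled. The script below, added here and not from the original post, produces a reviewable stale-account report that handles both cases, then disables (never deletes) the accounts with a dated description so the action is reversible and auditable. The report path is an assumption; the 90-day window is the one the post uses.

```powershell
Import-Module ActiveDirectory

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# Enabled accounts only: disabled ones have already been dealt with.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated, PasswordLastSet |
    Where-Object {
        # Case 1: never logged on, and the account is older than the window.
        # Case 2: last logon is older than the window.
        ((-not $_.LastLogonDate) -and ($_.WhenCreated -lt $cutoff)) -or
        ($_.LastLogonDate -and ($_.LastLogonDate -lt $cutoff))
    } |
    Select-Object Name, SamAccountName, LastLogonDate, WhenCreated, PasswordLastSet, DistinguishedName

$stale | Sort-Object LastLogonDate | Format-Table Name, SamAccountName, LastLogonDate, WhenCreated -AutoSize
$stale | Export-Csv -Path "C:\Reports\StaleUsers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation   # assumed path

# Disable rather than delete: group memberships and the SID survive, so a false positive
# is a one-line fix. -WhatIf only prints what would happen; remove it after the list is reviewed.
foreach ($user in $stale) {
    Set-ADUser -Identity $user.DistinguishedName `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon in $days days" -WhatIf
    Disable-ADAccount -Identity $user.DistinguishedName -WhatIf
}
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is updated lazily (by default only when the stored value is more than about two weeks old), so treat the 90-day figure as "at least about 76 days" and do not use this attribute for anything more precise than stale-account clean-up.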

d. Password Reset for Other Users

# Reset another user's password as a Domain Admin; the new password is typed at the prompt, never placed in the script.
Set-ADAccountPassword TOM -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

e. Require a Password Change at Next Logon

# Force a password change at next logon after the reset, so the user replaces the password the administrator knows.
Set-ADUser -ChangePasswordAtLogon $true -Identity TOM -Verbose

8. Conclusion

Active Directory is a powerful tool for managing and securing enterprise environments. By mastering the basics and exploring advanced concepts, you can ensure your organization's AD infrastructure is robust, secure, and efficient. Automation with PowerShell can further streamline your workflows and reduce the risk of human error.
