Active Directory Basics

Question 1

Whats an Object in AD?

Answer 1

An object can be defined as ANY resource present within an Active Directory environment.

Question 2

Whats a Schema in AD?

Answer 2

In Active Directory, the schema defines the structure of the directory, including the object classes (e.g., user, group) and their attributes (e.g., name, email). It governs how data is stored and organized in AD.

Question 2

Whats an Attribute in AD?

Answer 2

Every object in Active Directory has an associated set of attributes used to define characteristics of the given object

Question 3

Whats a domain in AD?

Answer 3

A domain is a logical group of objects such as computers, users, OUs, groups, etc.

Question 4

Whats a Forest in AD?

Answer 4

A forest is a collection of Active Directory domains. It is the topmost container and contains all of the AD objects.

Question 5

Whats a Tree in AD?

Answer 5

A tree is a collection of Active Directory domains that begins at a single root domain. A forest is a collection of AD trees. Each domain in a tree shares a boundary with the other domains.

Question 6

Whats a Container in AD?

Answer 6

Container objects hold other objects and have a defined place in the directory subtree hierarchy.

Question 7

Whats a leaf in AD?

Answer 7

Leaf objects do not contain other objects and are found at the end of the subtree hierarchy.

Question 8

How to find an object in AD?

Answer 8

Query for its objectGUID value using PowerShell or search for it by specifying its distinguished name, GUID, SID, or SAM account name

Question 9

Whats a SID in AD?

Answer 9

A security identifier, or SID is used as a unique identifier for a security principal or security group. A SID can only be used once.

Question 10

Whats a DN in AD?

Answer 10

A distinguished name is unique identifier that specifies the object’s location within the Active Directory (AD) hierarchy.

Question 11

Whats a RDN in AD?

Answer 11

A Relative Distinguished Name (RDN) is a single component of the Distinguished Name that identifies the object as unique from other objects.

Question 12

Where must DNs and RDNs be unique?

Answer 12

A DN must be unique in a directory.
An RDN must be unique in an OU.

Question 13

Whats a sAMAccountName in AD?

Answer 13

The sAMAccountName is the user’s logon name

Question 14

Whats a userPrincipalName in AD?

Answer 14

The userPrincipalName attribute is another way to identify users in AD. This attribute consists of a prefix (the user account name) and a suffix (the domain name) in the format of bjones@inlanefreight.local. This attribute is not mandatory.

Question 15

What is a Global Catelog in AD?

Answer 15

A global catalog (GC) is a domain controller that stores copies of ALL objects in an Active Directory forest.

Question 16

What are the two roles of the Global Catelog in AD?

Answer 16

Authorization and Object Search.

Question 17

Whats a RODC?

Answer 17

A Read-Only Domain Controller

Question 18

Whats the point of a RODC?

Answer 18

Has a read-only Active Directory database. No AD account passwords are cached on an RODC (other than the RODC computer account & RODC KRBTGT passwords.) No changes are pushed out via an RODC’s AD database, SYSVOL, or DNS. RODCs also include a read-only DNS server.

Question 19

What is Replication in AD?

Answer 19

AD objects are updated and transferred from one Domain Controller to another. Whenever a DC is added, connection objects are created to manage replication between them. These connections are made by the Knowledge Consistency Checker (KCC) service, which is present on all DCs.

Question 20

What is a Service Principal Name in AD?

Answer 20

An SPN uniquely identifies a service instance.

Question 21

What is GPO in AD?

Answer 21

Group Policy Objects (GPOs) are virtual collections of policy settings. Each GPO has a unique GUID. A GPO can contain local file system settings or Active Directory settings.

Question 22

Whats an ACL in AD?

Answer 22

An Access Control List (ACL) is the ordered collection of Access Control Entries (ACEs) that apply to an object.

Question 23

Whats an ACE in AD?

Answer 23

Each Access Control Entry (ACE) in an ACL identifies a trustee (user account, group account, or logon session) and lists the access rights that are allowed, denied, or audited for the given trustee.

Question 24

What are DACLs in AD?

Answer 24

DACLs define which security principles are granted or denied access to an object; it contains a list of ACEs. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether or not to grant access.

Question 25

What are SACLs in AD?

Answer 25

Allows for administrators to log access attempts that are made to secured objects. ACEs specify the types of access attempts that cause the system to generate a record in the security event log.

Question 26

Whats a FQDN in AD?

Answer 26

An FQDN is the complete name for a specific computer or host. It is written with the hostname and domain name in the format [host name].[domain name].[tld].

Question 27

What is a Tombstone in AD?

Answer 27

A tombstone is a container object in AD that holds deleted AD objects. When an object is deleted from AD, the object remains for a set period of time known as the Tombstone Lifetime, and the isDeleted attribute is set to TRUE. Once an object exceeds the Tombstone Lifetime, it will be entirely removed.

Question 28

Whats the AD recycle bin?

Answer 28

It facilitates the recovery of deleted AD objects. This made it easier for sysadmins to restore objects, avoiding the need to restore from backups. Most of a deleted object’s attributes are preserved.

Question 29

What is the SYSVOL folder or share in AD?

Answer 29

stores copies of public files in the domain such as system policies, Group Policy settings, logon/logoff scripts, and often contains other types of scripts that are executed to perform various tasks in the AD environment. The contents of the SYSVOL folder are replicated to all DCs within the environment using File Replication Services (FRS).

Question 30

What is the dsHeuristics attribute in AD?

Answer 30

A string value set on the Directory Service object used to define multiple forest-wide configuration settings. One of these settings is to exclude built-in groups from the Protected Groups list

Question 31

What is the adminCount attribute in AD?

Answer 31

The adminCount attribute determines whether or not the SDProp process protects a user. If the value is set to 0 or not specified, the user is not protected

Question 32

What is ADUC in AD?

Answer 32

ADUC is a GUI console commonly used for managing users, groups, computers, and contacts in AD

Question 33

What is ADSI Edit in AD?

Answer 33

A GUI tool used to manage objects in AD. It provides access to far more than is available in ADUC and can be used to set or delete any attribute available on an object, add, remove, and move objects as well

Question 34

Whats the NTDS.DIT file in AD?

Answer 34

Its the heart of AD. Its a database that stores AD data such as information about user and group objects, group membership, and, most important to attackers and penetration testers, the password hashes for all users in the domain. . If the setting Store password with reversible encryption is enabled, then the NTDS.DIT will also store the cleartext passwords for all users created or who changed their password after this policy was set

Question 35

What’s MSBROWSE in AD?

Answer 35

MSBROWSE is a Microsoft networking protocol that was used in early versions of Windows-based local area networks (LANs) to provide browsing services

Question 36

Name some common AD objects

Answer 36

Users, Contacts, Printers, Computers, Shares, Groups, OUs, Domains, DCs, SItes,

Question 37

Whats a site in AD?

Answer 37

A set of computers across one or more subnets connected using high-speed links. They are used to make replication across domain controllers run efficiently.

Question 38

Whats an FSP in AD?

Answer 38

A foreign security principal.

Question 39

Whats the purpose of FSPs in AD?

Answer 39

THey represent a security principal that belongs to a trusted external forest. They are created when an object from an external forest is added to a group in the current domain. They are created automatically after adding a security principal to a group. They are a placeholder object that holds the SID of the foreign object .Windows uses this SID to resolve the object’s name via the trust relationship.

Question 40

What are the five Flexible Single Master Operation (FSMO) roles?

Answer 40

Schema Master, Domain Naming Master, Relative ID (RID) Master, PDC Emulator and Infrastructure Master

Question 41

What is the Schema Master FSMO role?

Answer 41

Manages the read/write copy of the AD schema, which defines all attributes that can apply to an object in AD.

Question 42

What is the Domain Naming Master FSMO role?

Answer 42

Manages domain names and ensures that two domains of the same name are not created in the same forest.

Question 43

What is the Relative ID (RID) Master FSMO role?

Answer 43

Assigns blocks of RIDs to other DCs within the domain that can be used for new objects. The RID Master helps ensure that multiple objects are not assigned the same SID. Domain object SIDs are the domain SID combined with the RID number assigned to the object to make the unique SID.

Question 44

What is the PDC Emulator FSMO role?

Answer 44

The host with this role would be the authoritative DC in the domain and respond to authentication requests, password changes, and manage Group Policy Objects (GPOs). The PDC Emulator also maintains time within the domain.

Question 45

What is the Infrastructure Master FSMO role?

Answer 45

Translates GUIDs, SIDs, and DNs between domains. This role is used in organizations with multiple domains in a single forest. The Infrastructure Master helps them to communicate. If this role is not functioning properly, Access Control Lists (ACLs) will show SIDs instead of fully resolved names.

Question 46

What are functional levels in AD?

Answer 46

Functional Levels in Active Directory define the features available based on the Windows Server version of the domain controllers. There are Domain Functional Levels and Forest Functional Levels.

Question 47

What kinds of trusts are there in AD?

Answer 47

Parent-child, Cross-link, External, Tree-root and Forest.

Question 48

What is a Parent-child trust in AD?

Answer 48

Domains within the same forest. The child domain has a two-way transitive trust with the parent domain.

Question 49

What is a Cross-link trust in AD?

Answer 49

A trust between child domains to speed up authentication.

Question 50

What is an External Trust in AD?

Answer 50

A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes SID filtering.

Question 51

What is a Tree-root trust in AD?

Answer 51

A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.

Question 52

What is Forest trust in AD?

Answer 52

A transitive trust between two forest root domains.

Question 53

What is transitive trust in AD?

Answer 53

A trust relationship where if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C. This type of trust allows trust to extend across multiple domains or forests.

Question 54

What is non-transitive trust in AD?

Answer 54

A trust that is limited to the two domains directly involved. If Domain A trusts Domain B, Domain A does not automatically trust any other domains that Domain B trusts.

Question 55

Whats a bidirectional trust in AD?

Answer 55

Users from both trusting domains can access resources.

Question 56

Whats a one way trust in AD?

Answer 56

Only users in a trusted domain can access resources in a trusting domain, not vice-versa. The direction of trust is opposite to the direction of access.

Question 57

Whats the first step of kerberos?

Answer 57

The user logs on, and their password is converted to an NTLM hash, which is used to encrypt the TGT ticket. This decouples the user’s credentials from requests to resources.

Question 58

Whats the seccond step of kerberos?

Answer 58

The KDC service on the DC checks the authentication service request (AS-REQ), verifies the user information, and creates a Ticket Granting Ticket (TGT), which is delivered to the user.

Question 59

Whats the third step of kerberos?

Answer 59

The user presents the TGT to the DC, requesting a Ticket Granting Service (TGS) ticket for a specific service. This is the TGS-REQ. If the TGT is successfully validated, its data is copied to create a TGS ticket.

Question 60

Whats the fourth step of kerberos?

Answer 60

The TGS is encrypted with the NTLM password hash of the service or computer account in whose context the service instance is running and is delivered to the user in the TGS_REP.

Question 61

Whats the fifth step of kerberos?

Answer 61

The user presents the TGS to the service, and if it is valid, the user is permitted to connect to the resource (AP_REQ).

Question 62

How long can a LM hash be?

Answer 62

14 characters

Question 63

What happens to a password before it is hashed with LM hash function?

Answer 63

It is converted to uppercase

Question 64

How does NTLM authentication work?

Answer 64

Client -> NEGOTIATE_MESSAGE
Server -> CHALLENGE_MESSAGE
Client -> AUTHENTICATE_MESSAGE

Question 65

What is MSCache2 in AD?

Answer 65

Domain cached credentials are where hosts save the last ten hashes for any domain users that successfully log into the machine in the HKEY_LOCAL_MACHINE\SECURITY\Cache registry key.

Question 66

What is the ‘Security’ group type in AD?

Answer 66

For ease of assigning permissions and rights to a collection of users instead of one at a time.

Question 67

What is the ‘Distribution’ group type in AD?

Answer 67

Used by email applications to distribute messages to group members. They function like mailing lists. Cannot be used to assign permissions to resources in a domain environment.

Question 68

What is the ‘Domain Local’ group scope in AD?

Answer 68

Can only be used to manage permissions to domain resources in the domain where it was created. Local groups cannot be used in other domains but CAN contain users from OTHER domains.

Question 69

What is the ‘Global’ group scope in AD?

Answer 69

Can be used to grant access to resources in another domain. Can only contain accounts from the domain where it was created. Global groups can be added to both other global groups and local groups.

Question 70

What is the ‘Universal’ group scope in AD?

Answer 70

Can contain users, groups, and computers from any domain within the same forest. Used for managing cross-domain resources. Changes trigger forest-wide replication. Best practice is to add global groups as members to reduce replication overhead.

Question 71

Under what condition can a global group be converted to a universal group?

Answer 71

If it is NOT part of another Global Group.

Question 72

Under what condition can a Domain Local Group be converted to a Universal Group?

Answer 72

If the Domain Local Group does NOT contain any other Domain Local Groups as members.

Question 73

Under what condition can a Universal Group be converted to a Global Group?

Answer 73

If it does NOT contain any other Universal Groups as members.

Question 74

Name some common attributes for a group object in AD

Answer 74

cn - common name
member - who is member of group
groupType - type and scope
memberOf - member of which groups
objectSid - SID of group

Question 75

Describe the ‘account operators’ builtin group

Answer 75

Members can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers

Question 76

Describe the ‘administrators’ builtin group

Answer 76

Members have full and unrestricted access to a computer or an entire domain if they are in this group on a Domain Controller

Question 77

Describe the ‘backup operators’ builtin group

Answer 77

Members can back up and restore all files on a computer, regardless of the permissions set on the files.

Question 78

Describe the ‘dns admins’ builtin group

Answer 78

Members have access to network DNS information

Question 79

Describe the ‘domain admins’ builtin group

Answer 79

Members have full access to administer the domain and are members of the local administrator’s group on all domain-joined machines.

Question 80

Describe the ‘enterprise admins’ builtin group

Answer 80

Membership in this group provides complete configuration access within the domain. The group only exists in the root domain of an AD forest

Question 81

Describe the ‘Group Policy Creator Owners’ builtin group

Answer 81

Members create, edit, or delete Group Policy Objects in the domain.

Question 82

Describe the ‘protected users’ builtin group.

Answer 82

Members of this group are provided additional protections against credential theft and tactics such as Kerberos abuse

Question 83

Describe the ‘SeRemoteInteractiveLogonRight’ privilege

Answer 83

This privilege could give our target user the right to log onto a host via Remote Desktop (RDP), which could potentially be used to obtain sensitive data or escalate privileges.

Question 84

Describe the ‘SeBackupPrivilege’ privilege

Answer 84

This grants a user the ability to create system backups and could be used to obtain copies of sensitive system files that can be used to retrieve passwords such as the SAM and SYSTEM Registry hives and the NTDS.dit Active Directory database file.

Question 85

Describe the ‘SeDebugPrivilege’ privilege

Answer 85

This allows a user to debug and adjust the memory of a process. With this privilege, attackers could utilize a tool such as Mimikatz to read the memory space of the Local System Authority (LSASS) process and obtain any credentials stored in memory.

Question 86

Describe the ‘SeImpersonatePrivilege’ privilege

Answer 86

This privilege allows us to impersonate a token of a privileged account such as NT AUTHORITY\SYSTEM. This could be leveraged with a tool such as JuicyPotato, RogueWinRM, PrintSpoofer, etc., to escalate privileges on a target system.

Question 87

Describe the ‘SeLoadDriverPrivilege’ privilege

Answer 87

A user with this privilege can load and unload device drivers that could potentially be used to escalate privileges or compromise a system.

Question 88

Describe the ‘SeTakeOwnershipPrivilege’ privilege

Answer 88

This allows a process to take ownership of an object. At its most basic level, we could use this privilege to gain access to a file share or a file on a share that was otherwise not accessible to us.

Question 89

How to view the privileges of the current user?

Answer 89

whoami /priv

Question 90

List some common group policies in AD

Answer 90

Account Policies
Local Policies
Software Restriction Policies
Application Control Policies
Advanced Audit Policy Configuration

Question 91

What is a Group Managed Service Account:

Answer 91

A GMSA is an account managed by the domain that offers a higher level of security than other types of service accounts for use with non-interactive applications, services, processes, and tasks that are run automatically but require credentials to run

Question 92

Which AD objects can group policy be applied to?

Answer 92

Computers and Users

Question 93

List some common group policies in AD

Answer 93

screen lock timeout
disabling USB ports
enforcing a custom domain password policy
installing software
managing applications
customizing remote access settings

Question 94

What is the oder of precedense in AD? LSDOU

Answer 94

The order that decides which group policies will take effect:
Local
Site
Domain
Organizational Unit – highest precedense

Question 95

What happens if there are no conflicts from any GPOs in the order of precedence?

Answer 95

A combination of all polciies apply.

Question 96

What happens if there are conflicts from any GPOs in the order of precedence?

Answer 96

The lowest policy in the order of precedence applies.

Question 97

What if there are conflicts and one GPO is ‘enforced’?

Answer 97

The enforced GPO will take precedence.

Question 98

What if a Default Domain Policy GPO is enforced?

Answer 98

Regardless of which GPO is set to enforced, if the Default Domain Policy GPO is enforced, it will take precedence over all GPOs at all levels.

Question 99

What if the Block inheritance option is set on an OU?

Answer 99

Policies higher up (such as at the domain level) will NOT be applied to this OU.

Question 100

How can we force a GPO update in AD with Powershell?

Answer 100

gpupdate /force

Question 101

Which piece of software allows for editing of GPOs

Answer 101

GPMC (Group Policy Management)