Active Directory Basics
An overview of basic concepts and functionality provided by Active Directory
Last updated: May 4th, 2023

Windows Domains
- Advantages
  - Centralised identity management
  - Security policies
- Summary
  - A Windows domain is a group of users and devices under common administration
  - Administration is centralised through Active Directory
  - The Domain Controller (DC) is the server that runs the AD services
  - The core of the domain is AD DS (Active Directory Domain Services), which holds the object information
Active Directory
- Objects
  - Users
    - Security principals; can be assigned privileges over resources
    - Represent people and services
  - Machines
    - Security principals; local administrators on their own machine; named ComputerName$; automatically rotated 120-character passwords
  - Security Groups
    - Domain Admins
      - Admins of the entire domain
    - Server Operators
      - Administer DCs; cannot change admin group memberships
    - Backup Operators
      - Can access any file
    - Account Operators
      - Create and modify accounts
    - Domain Users
      - All user accounts
    - Domain Computers
      - All computers
    - Domain Controllers
      - All DCs
- Organizational Units (OUs) vs Security Groups
  - OUs are for applying policies
  - Security Groups are used to grant permissions over resources
Group Policy Object (GPO)
- GPOs push configurations and security policies to OUs
- GPO distribution is done over a network share, SYSVOL, stored on the DC at C:\Windows\SYSVOL\sysvol\
Auth Methods
- Kerberos
  - The user sends their username and a timestamp, encrypted with a key derived from their password, to the KDC
  - The KDC sends back a TGT, encrypted with the krbtgt account's hash, and a session key, encrypted with the user's hash
  - The client can then request a TGS by sending the username and timestamp, encrypted with the session key, the TGT, and the service principal name (SPN) of the service it wants to connect to
  - The KDC responds with the TGS, encrypted with the service's hash, and a service session key, encrypted with the session key
  - The client finally sends the username and timestamp, encrypted with the service session key, and the TGS to the server
- NetNTLM
  - The client sends an authentication request to the server it wants to access
  - The server generates a random number and sends it to the client as a challenge
  - The client combines its NTLM password hash with the challenge (and other known data) to generate a response and sends it back to the server for verification
  - The server forwards the challenge and the response to the Domain Controller for verification
  - The Domain Controller uses the challenge to recalculate the response and compares it with the response sent by the client; if they match, the client is authenticated, otherwise access is denied. The result is sent back to the server
  - The server forwards the authentication result to the client
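The two flows above are easier to reason about when the "encrypted with X's hash" steps are actually executed. The following is an added example, not code from the original notes or from TryHackMe: it simulates the Kerberos AS/TGS/AP exchanges and the NetNTLM challenge/response with a toy HMAC-based cipher. The principal names, passwords, key derivation and cipher are constructed placeholders (real Kerberos uses RC4/AES and NetNTLM uses the NTLMv2 computation), but the trust relationships are the ones the notes describe: the client never sees the krbtgt key, the service validates its ticket without contacting the KDC, and in NetNTLM only the DC holds the hash that verifies the response.

```python
import hashlib
import hmac
import json
import os
import time

# --- toy crypto (constructed stand-ins, NOT real Kerberos RC4/AES or NTLMv2) ---
def key_from_password(password: str) -> bytes:
    """Stands in for the NT hash / Kerberos long-term key derived from a password."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt(key: bytes, message: dict) -> bytes:
    """Authenticated toy encryption: HMAC keystream XOR plus an HMAC tag."""
    plain = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError on a wrong key; that is how every 'cannot decrypt' step below fails."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

# --- constructed directory: the KDC / DC holds every principal's long-term key ---
DIRECTORY = {
    "alice": key_from_password("alice-example-password"),
    "krbtgt": key_from_password("krbtgt-example-secret"),
    "cifs/fileserver": key_from_password("FILESERVER$-example-machine-password"),
}

def _fresh(ts: float) -> None:
    if abs(time.time() - ts) > 300:  # stale timestamps are rejected (replay defence)
        raise ValueError("timestamp outside allowed clock skew")

# --- Kerberos: AS exchange, TGS exchange, AP exchange ---
def kdc_as_exchange(user: str, preauth: bytes) -> tuple[bytes, bytes]:
    """AS-REQ/AS-REP: check the timestamp with the user's key, return TGT and session key."""
    _fresh(decrypt(DIRECTORY[user], preauth)["timestamp"])
    session_key = os.urandom(32)
    tgt = encrypt(DIRECTORY["krbtgt"], {"user": user, "session_key": session_key.hex()})
    return tgt, encrypt(DIRECTORY[user], {"session_key": session_key.hex()})

def kdc_tgs_exchange(tgt: bytes, authenticator: bytes, spn: str) -> tuple[bytes, bytes]:
    """TGS-REQ/TGS-REP: only the krbtgt key opens the TGT, so the client cannot alter it."""
    ticket = decrypt(DIRECTORY["krbtgt"], tgt)
    session_key = bytes.fromhex(ticket["session_key"])
    auth = decrypt(session_key, authenticator)
    _fresh(auth["timestamp"])
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_session_key = os.urandom(32)
    tgs = encrypt(DIRECTORY[spn], {"user": ticket["user"], "service_session_key": svc_session_key.hex()})
    return tgs, encrypt(session_key, {"service_session_key": svc_session_key.hex()})

def service_ap_exchange(spn: str, tgs: bytes, authenticator: bytes) -> str:
    """AP-REQ: the service validates the TGS with its own key and never contacts the KDC."""
    ticket = decrypt(DIRECTORY[spn], tgs)
    auth = decrypt(bytes.fromhex(ticket["service_session_key"]), authenticator)
    _fresh(auth["timestamp"])
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator does not match service ticket")
    return ticket["user"]

def kerberos_login(user: str, password: str, spn: str) -> bool:
    """Client side of the three exchanges; False when any ticket or key fails to decrypt."""
    try:
        key = key_from_password(password)
        tgt, blob = kdc_as_exchange(user, encrypt(key, {"user": user, "timestamp": time.time()}))
        session_key = bytes.fromhex(decrypt(key, blob)["session_key"])
        tgs, blob = kdc_tgs_exchange(tgt, encrypt(session_key, {"user": user, "timestamp": time.time()}), spn)
        svc_session_key = bytes.fromhex(decrypt(session_key, blob)["service_session_key"])
        authenticator = encrypt(svc_session_key, {"user": user, "timestamp": time.time()})
        return service_ap_exchange(spn, tgs, authenticator) == user
    except ValueError:
        return False

# --- NetNTLM: challenge/response, verified by the DC ---
def netntlm_response(nt_hash: bytes, challenge: bytes) -> bytes:
    """Stands in for the NTLMv2 response; the password hash itself never crosses the wire."""
    return hmac.new(nt_hash, challenge, hashlib.sha256).digest()

def netntlm_login(user: str, password: str) -> bool:
    challenge = os.urandom(8)                                            # server -> client
    response = netntlm_response(key_from_password(password), challenge)  # client -> server
    # server -> DC: username, challenge and response; the DC recomputes from its stored hash
    expected = netntlm_response(DIRECTORY[user], challenge)
    return hmac.compare_digest(expected, response)                       # DC -> server -> client

if __name__ == "__main__":
    print("Kerberos:", kerberos_login("alice", "alice-example-password", "cifs/fileserver"))
    print("NetNTLM: ", netntlm_login("alice", "alice-example-password"))
```

Running the file prints True for both flows. The structural difference worth noticing is where verification happens: in the NetNTLM path every login round-trips to the DC, whereas in the Kerberos path the file server accepts the ticket using nothing but its own key, which is why a stolen or forged service key matters so much for that service and why the KDC's krbtgt key matters for the whole domain.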
Trees, Forests, and Trusts
- Trees
  - Allow multiple domains to be combined
- Forests
  - Trees with different namespaces
- Trusts
  - Allow permissions to be extended to other domains in a tree