Active Directory Basics

Introduction

This post covers the TryHackMe room “Active Directory Basics” which introduces fundamental concepts of Microsoft’s Active Directory service. Active Directory is a critical component in Windows enterprise environments, providing centralized authentication, authorization, and directory services.

Task 2: Windows Domains

In a Windows domain, credentials are stored in a centralised repository called…

Answer: Active Directory
Active Directory (AD) serves as the centralized database that stores all user credentials, computer accounts, and security information for a Windows domain. Unlike standalone workgroups where each computer maintains its own local user database, a domain centralizes this information in AD, allowing for single sign-on and centralized management.

The server in charge of running the Active Directory services is called…

Answer: Domain Controller
Domain Controller (DC) is a Windows Server that hosts the Active Directory Domain Services (AD DS) role. It authenticates users, stores directory data, and manages security policies across the domain. In enterprise environments, multiple domain controllers are typically deployed for redundancy and load distribution.

Task 3: Active Directory

Which group normally administrates all computers and resources in a domain?

Answer: Domain Admins
Domain Admins is a built-in security group in Active Directory that has full administrative privileges over the entire domain. Members of this group can modify any object in the domain, install software on any computer, and manage other administrative accounts. It represents the highest level of administrative access in a domain.

What would be the name of the machine account associated with a machine named TOM-PC?

Answer: TOM-PC$
In Active Directory, computer accounts are automatically created when machines join the domain. The naming convention appends a dollar sign ($) to the computer name. This distinguishes machine accounts from user accounts and follows Microsoft’s standard naming convention for computer objects in AD.

Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

Answer: Organizational Units
Organizational Units (OUs) are container objects in Active Directory designed to organize users, computers, and other objects in a logical hierarchy.

OUs are the recommended method for grouping objects because:

• Group Policy Objects (GPOs) can be linked to OUs.
• Administrative permissions can be delegated at the OU level.
• Provide a logical structure that mirrors organizational departments.
• Enable easier management and policy application.

Task 4: Managing Users in AD

What was the flag found on Sophie’s desktop?

In Phillip account, using Powershell type:

Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt ‘New Password’) -Verbose

After entering in Shopie account with the new passord, I found the flag!!

Answer: THM{thanks_for_contacting_support}

Then, again in Phillip cmd:

 Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose

This command forces Sophie to change her password at next logon, which is a security best practice after administrative password resets.

The process of granting privileges to a user over some OU or other AD Object is called…

Answer: delegation
Delegation in Active Directory refers to the process of granting specific administrative permissions to users or groups over particular objects or organizational units. This follows the principle of least privilege, allowing administrators to grant only the necessary permissions without providing full domain admin rights.

Task 5: Managing Computers in AD

After organising the available computers, how many ended up in the Workstations OU?

Answer: 7

Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

Answer: yay

Separating servers and workstations into different OUs is a best practice because:

• Different security policies can be applied (servers typically need stricter security).
• Administrative delegation can be more granular.
• Patch management and maintenance schedules often differ.
• Compliance requirements may vary between server and workstation environments.
• Easier inventory management and reporting.

Task 6: Group Policies

What is the name of the network share used to distribute GPOs to domain machines?

Answer: sysvol
YSVOL is a shared folder that exists on all domain controllers and contains the domain’s public files, including Group Policy Objects (GPOs). It’s automatically replicated between domain controllers using either File Replication Service (FRS) or Distributed File System Replication (DFSR). The SYSVOL share is essential for GPO distribution across the domain.

Can a GPO be used to apply settings to users and computers? (yay/nay)

Answer: yay

Group Policy Objects contain both Computer Configuration and User Configuration sections:

• Computer Configuration: Applied when the computer starts up, regardless of who logs in.
• User Configuration: Applied when a user logs in, regardless of which computer they use, this dual capability makes GPOs versatile tools for managing both machine-specific and user-specific settings.

Task 7: Authentication Methods

Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

Answer: nay

Modern Windows versions prefer Kerberos over NetNTLM (also called NTLM) because:

• Kerberos provides mutual authentication.
• It’s more secure against replay attacks.
• It supports delegation scenarios better.
• NetNTLM is maintained primarily for backward compatibility.
• Kerberos is the default protocol in domain environments since Windows 2000.

When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

Answer: Ticket Granting Ticket

In the Kerberos authentication process:

1. User authenticates and receives a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).
2. The TGT is used to request Ticket Granting Service (TGS) tickets for specific services.
3. TGS tickets are then used to access the actual services; The TGT essentially acts as a “master ticket” that proves the user’s identity to request access to specific resources.

When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)

Answer: nay

NetNTLM uses a challenge-response mechanism:

1. Client requests authentication.
2. Server sends a random challenge.
3. Client encrypts the challenge using their password hash.
4. Server verifies the response using the stored password hash. The actual password is never transmitted over the network, only the cryptographic response to the challenge.

Task 8: Trees, Forests and Trusts

What is a group of Windows domains that share the same namespace called?

Answer: Tree

An Active Directory Tree is a collection of domains that share a contiguous namespace. For example:

• Root domain: company.com.
• Child domains: sales.company.com, hr.company.com, it.company.com. All domains in the tree share the same schema and global catalog, and automatic two-way transitive trusts exist between parent and child domains.

What should be configured between two domains for a user in Domain A to access a resource in Domain B?

Answer: A Trust Relationship

Trust relationships enable authentication and authorization between domains. Types include:

• One-way trust: Domain A trusts Domain B (users in B can access resources in A).
• Two-way trust: Mutual trust between domains.
• Transitive trust: Trust extends through multiple domains.
• Forest trust: Trust between entire forests. Without proper trust relationships, cross-domain resource access would not be possible.

Task 9: Conclusion

Click and continue learning!

Answer: No answer needed

This room covered fundamental Active Directory concepts, such as:

• Centralized Management: AD provides centralized authentication and authorization
• Organizational Structure: OUs enable logical organization and policy application
• Security Groups: Different groups provide varying levels of administrative access
• Authentication Protocols: Understanding Kerberos vs NetNTLM is crucial for security
• Cross-Domain Access: Trust relationships enable complex enterprise architectures
• Group Policy: Centralized configuration management across the domain

These concepts form the foundation for understanding more advanced Active Directory attack and defense techniques in cybersecurity.