Active Directory is a directory service provided by Microsoft Windows Server for storing and organizing objects on a network (such as computers, users, and devices). According to Wikipedia, “Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003.”
Imagine a large kingdom called TechWorld (the Forest), a bustling realm with many departments, towns, and villages (think of these as Domains). The kingdom is divided into several regions, each with its own people, resources, and responsibilities (Objects). The kingdom’s ruler, King Admin (the Domain Controller), needs a way to manage all the people and resources efficiently while ensuring everyone has the right permissions and can access the resources they need. This is where the Kingdom’s Directory (Active Directory) comes into play.
What is Active Directory?
This Windows-based directory service stores data items and makes them available to the internal network environment. It centralises the management of authentication and authorization. AD holds crucial data about users, computers, printers, and other network and environment components. For instance, AD may contain user information such as job title, contact information (phone, address, etc.), passwords, groups, and permissions.
The following is a list of Active Directory components that we need to be familiar with:
- Domain Controllers
- Organizational Units
- AD objects
- AD Domains
- Forest
- AD Service Accounts: Built-in local users, Domain users, Managed service accounts
- Domain Administrators
Domain Controller
A domain controller is a Windows server that provides Active Directory services and controls the entire domain. It is a form of centralized user management that provides encryption of user data as well as controlling access to a network, including users, groups, policies, and computers. It also enables resource access and sharing. For all these reasons, attackers target the domain controller in a domain: it holds a great deal of high-value information.
Organizational Units
Organizational Units (OUs) are containers within an AD domain, arranged in a hierarchical structure. OUs help organize and manage objects such as users, groups, computers, printers, and other resources. They are used to simplify administrative tasks, delegate authority, and apply Group Policy to a specific subset of resources within a domain.
Objects
Active Directory Objects can be a single user or a group, or a hardware component, such as a computer or printer. Each domain holds a database that contains object identity information that creates an AD environment, including:
- Users – A security principal that is allowed to authenticate to machines in the domain
- Computers – A special type of user account
- GPOs – Collections of policies that are applied to other AD objects
Forest
A Forest in Active Directory (AD) is the highest-level container or boundary that encompasses one or more domains in an Active Directory environment. It provides the overarching structure for organizing multiple domains, and it defines the schema, configuration, and global catalog for the entire Active Directory environment.
Domain
A Domain in Active Directory is a fundamental unit of management and security within an AD environment. It is a logical grouping of objects (such as users, computers, and resources) that share a common directory database and security policies.
Example
In a multinational company, you might have a forest called untoldcyber.com. Under this forest, you could have separate domains for different regions, such as:
- us.untoldcyber.com (for the United States)
- eu.untoldcyber.com (for Europe)
- asia.untoldcyber.com (for Asia)
Domain Policy
A domain policy refers to a set of rules and settings that control the behavior and security of user accounts, computers, and other objects within a specific domain. These policies are defined and applied through the Group Policy feature in Windows Server environments, and they help manage and enforce various aspects of the domain, including user authentication, password policies, security settings, and more.
Domain policies are typically managed using the Group Policy Management Console (GPMC). The GPMC allows administrators to create, modify, and apply GPOs across the domain or at specific organizational units (OUs).
Here are a few common domain policy areas:
- Group Policy Objects (GPOs)
- Password Policies
- Account Lockout Policies
- Kerberos Policies
- Security Policies
- Software Restriction Policies
- Remote Desktop and Remote Access Policies
- Security Filtering and WMI Filtering
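The password and account lockout policies above are the settings a defender should review first. The following script is an added example (not part of the original post) that compares the domain's default password policy with a baseline using the RSAT ActiveDirectory module; the baseline values are this example's own assumptions, and it also lists fine-grained password policies (PSOs), which override the default for the principals they apply to.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module on a domain-joined host. Baseline values are illustrative assumptions.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength  = 14    # characters
    MaxPasswordAgeDays = 365   # days
    LockoutThreshold   = 10    # failed attempts before lockout
    PasswordHistory    = 24    # remembered previous passwords
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Baseline)
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)")
    }
    # A zero MaxPasswordAge means passwords never expire.
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings.Add("MaxPasswordAge is $($p.MaxPasswordAge.Days) days; baseline is $($Baseline.MaxPasswordAgeDays)")
    }
    # A threshold of 0 means accounts never lock out, so unlimited guesses are allowed.
    if ($p.LockoutThreshold -eq 0) {
        $findings.Add('Account lockout is disabled (LockoutThreshold = 0)')
    } elseif ($p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); baseline is $($Baseline.LockoutThreshold)")
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistory) {
        $findings.Add("PasswordHistoryCount is $($p.PasswordHistoryCount); baseline is $($Baseline.PasswordHistory)")
    }
    if (-not $p.ComplexityEnabled)      { $findings.Add('Password complexity is disabled') }
    if ($p.ReversibleEncryptionEnabled) { $findings.Add('Reversible encryption is enabled') }

    [pscustomobject]@{
        Domain   = $p.DistinguishedName
        Findings = $findings
        # PSOs take precedence over the default policy for the groups/users they
        # apply to, so a clean default policy alone proves little.
        PSOs     = Get-ADFineGrainedPasswordPolicy -Filter * |
                   Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
    }
}

Test-DomainPasswordPolicy -Baseline $Baseline | Format-List
```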
Active Directory Enumeration using PowerView
PowerView is a PowerShell tool used for Active Directory (AD) enumeration and exploration. It is part of the PowerSploit framework, a collection of PowerShell scripts and modules designed for penetration testing, security assessments, and red teaming. PowerView enables administrators and security professionals to interact with and gather information about an Active Directory environment.
#Import PowerView Module
Import-Module C:\AD\Tools\PowerView.ps1
#Get current domain
Get-NetDomain
#Get object of another domain
Get-NetDomain -Domain untoldcyber.local
#Get domain SID for the current domain
Get-DomainSID
#Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
#Get domain policy of another domain
(Get-DomainPolicy -domain untoldcyber.local)."system access"
(Get-DomainPolicy -domain untoldcyber.local)."kerberos policy"
(Get-DomainPolicy -domain untoldcyber.local)."Privilege Rights"
# OR
(Get-DomainPolicy)."KerberosPolicy"   #Kerberos tickets info (MaxServiceAge)
(Get-DomainPolicy)."SystemAccess"     #Password policy
(Get-DomainPolicy).PrivilegeRights    #Check your privileges
#Get domain controllers for the current domain
Get-NetDomainController
#Get domain controllers for another domain
Get-NetDomainController -Domain untoldcyber.local
#Get a list of users in the current domain
Get-NetUser
Get-NetUser -Username student1
#Get list of all properties for users in the current domain
Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount
#Search for a particular string in a user’s attributes
Find-UserField -SearchField Description -SearchTerm "built"
#Get a list of computers in the current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
#Get all the groups in the current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetComputer -Domain <targetdomain>
#Get all groups containing the word “admin” in group name
Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Domain untoldcyber.local
#Get all the members of the Domain Admins group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
#test the below command
Get-NetGroupMember -GroupName "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members
#Get the group membership for a user
Get-NetGroup -UserName "student1"
#List all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.untoldcyber.local -ListGroups
#Get members of all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.untoldcyber.local -Recurse
#Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.untoldcyber.local
#Get locally logged users on a computer (needs remote registry on the target – started by default on server OS)
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.untoldcyber.local
#Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedon -ComputerName <servername>
#Find shares on hosts in current domain.
Invoke-ShareFinder -Verbose
#Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
#Get all fileservers of the domain
Get-NetFileServer
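Every command in the list above leaves traces a defender can look for. The following is an added example (not part of the original post or of PowerView) that hunts for two of them: PowerView function names in PowerShell Script Block Logging (Event ID 4104) on the host where the script ran, and a burst of Security Event ID 4799 (local group membership enumerated) on the target that a recursive Get-NetLocalGroup produces. It assumes Script Block Logging is enabled, that the event property positions follow the default event XML schema, and the lookback window, threshold and name list are this example's own choices.

```powershell
# Added example, not from the original post. Assumes Script Block Logging (4104)
# is enabled and the Security log is readable; thresholds are illustrative.

# Function names taken from the PowerView commands listed above.
$PowerViewPattern = 'Get-NetDomain|Get-DomainSID|Get-DomainPolicy|Get-NetUser|Get-UserProperty|' +
                    'Find-UserField|Get-NetComputer|Get-NetGroupMember|Get-NetGroup|Get-NetLocalGroup|' +
                    'Get-NetLoggedon|Get-LoggedonLocal|Get-LastLoggedon|Invoke-ShareFinder|Invoke-FileFinder'

function Find-PowerViewScriptBlocks {
    param([datetime]$Since, [string]$Pattern = $PowerViewPattern)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value   # 4104: Properties[2] is ScriptBlockText
        if ($text -match $Pattern) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                Match   = $Matches[0]
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

function Find-LocalGroupEnumerationBursts {
    param([datetime]$Since, [int]$Threshold = 5)
    $filter = @{ LogName = 'Security'; Id = 4799; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4799: Properties[0] = enumerated group, Properties[4] = account that asked
            [pscustomobject]@{ Subject = $_.Properties[4].Value; GroupName = $_.Properties[0].Value }
        } |
        Group-Object Subject |
        ForEach-Object {
            # One account touching many distinct local groups in the window is the signal.
            $distinct = @($_.Group.GroupName | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{ Subject = $_.Name; GroupsEnumerated = $distinct }
            }
        }
}

$since = (Get-Date).AddHours(-24)
Find-PowerViewScriptBlocks -Since $since | Format-Table -AutoSize
Find-LocalGroupEnumerationBursts -Since $since | Format-Table -AutoSize
```

Run the first function on workstations and jump hosts and the second on domain controllers and file servers, since each records a different side of the same activity.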
In conclusion, Active Directory (AD) is a vital component of modern IT infrastructures, providing a centralized system for managing users, computers, and resources across networks. AD serves as the backbone of identity and access management, enforcing security policies, permissions, and user authentication within an organization. Understanding the core concepts of AD—including domains, forests, organizational units (OUs), groups, and trust relationships—is essential for both administrators and security professionals. These concepts help maintain an organized and secure environment for managing vast numbers of users and resources, ensuring smooth operations within an enterprise.
Active Directory enumeration plays a critical role in security assessments and red teaming activities. By gathering detailed information about the AD environment, such as users, groups, domains, domain controllers, and trusts, attackers can identify vulnerabilities, discover potential privilege escalation paths, and plan their attacks. Tools like PowerView help automate and streamline AD enumeration, providing red teamers with a comprehensive view of an organization’s AD structure, which is crucial for identifying security gaps or weaknesses. Effective enumeration can reveal high-value targets, such as Domain Admins, misconfigured permissions, or insecure trusts between domains.
You can visit our website, Untold Cyber, to learn more about the latest updates, jobs, and blogs related to Cyber Security. It offers a wealth of information about the cybersecurity field, blogs and course material, bug bounty tricks, and updates on the industry’s latest job openings and careers in cybersecurity.
If you have any questions or concerns about the Cyber Security interview questions or preparation, please post comments and feedback. Your feedback and comments are important to us, so please let us know what you think!
1 Comment
Shivam · November 24, 2024 at 4:39 am
This is a fantastic analogy that simplifies the concept of Active Directory!