Active Directory Basics Learning jot


Recently, I started to learn some basic knowledge in the field of information security, including Nmap scan principles, the OWASP Top 10 vulnerability classification, and this topic, an Active Directory jot.

Active Directory Domain Service Objects

Users

User accounts are the principals people and programs log on with. They represent either:

People: like employees.
Services: like IIS or MSSQL.

Machines

Every computer that joins the domain gets a machine account. The machine accounts themselves are local administrators on the assigned computer and are not meant to be used by anyone except the computer itself, but as with any other account, if you have the password you can use it to log in.

Note: Machine account passwords are rotated automatically (every 30 days by default) and consist of 120 random characters, so they are not a practical guessing target.

The machine account name is the computer’s name followed by a dollar sign. For example, a machine named DC01 will have a machine account called DC01$.

Other Objects


Organizational Units (OUs)

Mainly used to group objects (users, computers, other OUs) that share the same policy requirements, so a Group Policy can be linked to the OU and applied to everything under it.
OUs form a hierarchy: an object can only be in a single OU at a time, unlike groups, where one object can belong to many.

Default Organizational Units

Builtin: Contains default groups available to any Windows host.
Computers: All the machines that join the domain (except for the DCs).
Domain Controllers: Default OU that contains the DCs in your network.
Users: Default users and groups that apply to a domain-wide context.
Managed Service Accounts: Holds accounts used by services in your Windows domain.

Security Groups

Used to grant permissions over resources.

Default Groups

Domain Admins: Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.
Server Operators: Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.
Backup Operators: Used to perform backups of data on computers. Users in this group are allowed to access any file, ignoring its permissions.
Account Operators: Users in this group can create or modify other accounts in the domain.
Domain Users: Includes all existing user accounts in the domain.
Domain Computers: Includes all existing computers in the domain.
Domain Controllers: Includes all existing DCs in the domain.
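The objects above can be inspected from any domain-joined host with the RSAT ActiveDirectory module. The script below is an added example, not code from the original post; the domain mks.local, the DC name DC01 and the OU "Staff" are assumed lab names and must be changed to match your own domain. It shows the trailing "$" on a machine account, distinguishes people from service accounts, lists the OU hierarchy, and, as the check a practitioner wants first, expands the membership of the privileged default groups listed above.

```powershell
# Added example (not from the original post): enumerate the AD DS objects
# described above with the RSAT ActiveDirectory module. mks.local, DC01 and
# the OU "Staff" are assumed names for a lab; change them to match your domain.
Import-Module ActiveDirectory

# A machine account: SamAccountName is the hostname followed by "$".
$dc = Get-ADComputer -Identity 'DC01' -Properties OperatingSystem
'{0} -> machine account {1} ({2})' -f $dc.Name, $dc.SamAccountName, $dc.OperatingSystem

# People and service accounts are the same object class; an account that
# carries ServicePrincipalNames is one a service (IIS, MSSQL, ...) runs as.
Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=mks,DC=local' -Properties ServicePrincipalName |
    Select-Object SamAccountName, Enabled,
                  @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } }

# OUs are a hierarchy and an object sits in exactly one of them; its
# DistinguishedName shows which. Groups, by contrast, can overlap freely.
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

# Check: who really holds the privileged default groups listed above?
# -Recursive expands nested groups, which is where unexpected members hide.
$privileged = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'
foreach ($group in $privileged) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }
    $list = if ($members) { $members -join ', ' } else { '<empty>' }
    '{0,-18}: {1}' -f $group, $list
}
```

Server Operators, Backup Operators and Account Operators are as interesting as Domain Admins here: each of them can reach the DCs or rewrite accounts, so any member that is not a known administrator deserves a question.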

Group Policy Objects (GPO)

GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities. A GPO is linked to a site, domain or OU and applies to the users or computers beneath that link.

GPOs are distributed to the network via a network share called SYSVOL, which is hosted on the DCs. The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\ directory on each DC in the network, and the DCs replicate its contents between themselves, so a change to a GPO can take a few minutes to reach every DC. Every domain account can read SYSVOL, because clients must fetch their policies from it; anything placed in a policy is therefore visible to every user in the domain.
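Since SYSVOL is where every client fetches its policies, the practical check is who can write there: anyone who can modify a GPO's folder can change what the linked computers and users apply. The following added example (not code from the original post) maps each GPO to its folder under the SYSVOL share and flags write access granted to anyone outside an assumed list of trusted principals. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host; the trusted list is an assumption and should be adjusted to your environment.

```powershell
# Added example (not from the original post): map each GPO to its SYSVOL
# folder and report principals that can modify it. Assumes RSAT's GroupPolicy
# and ActiveDirectory modules; the $trusted list is an assumption to adjust.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot                 # e.g. mks.local
$netbios  = (Get-ADDomain).NetBIOSName             # e.g. MKS
$policies = "\\$domain\SYSVOL\$domain\Policies"    # the share named in the text

# Principals that are expected to be able to change policy files.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
             "$netbios\Domain Admins", "$netbios\Enterprise Admins")

# Any of these rights lets a principal alter or replace policy content.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

foreach ($gpo in Get-GPO -All) {
    $folder = Join-Path $policies ("{$($gpo.Id)}")   # GPO folders are named by GUID
    '{0} -> {1}' -f $gpo.DisplayName, $folder
    if (-not (Test-Path $folder)) { '  (no SYSVOL folder found)'; continue }

    $acl = Get-Acl -Path $folder
    foreach ($ace in $acl.Access) {
        $canWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            '  WARNING: {0} can modify this GPO ({1})' -f $ace.IdentityReference, $ace.FileSystemRights
        }
    }
}
```

Read access for Authenticated Users is normal and is not reported; only write-class rights held by something outside the trusted list are. Inherited entries are included on purpose, since a loose ACL on the Policies folder itself affects every GPO below it.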

Authentication Methods

Kerberos

Used by any recent version of Windows. This is the default protocol in any recent domain. It is ticket-based: the client authenticates once to the KDC (a service that runs on the domain controllers) and receives tickets that it presents to services, so the user's password is never sent to the services themselves.

Figure: Active Directory Kerberos Authentication (remake)

NetNTLM

Legacy authentication protocol kept for compatibility purposes. It is a challenge-response exchange: the server sends a challenge, the client answers with a response derived from its password hash, and the server forwards that response to a DC for validation. It exists in two versions:

NTLMv1 (Net-NTLMv1)
NTLMv2 (Net-NTLMv2)

NTLMv1 is cryptographically weak and should be disabled wherever nothing still depends on it; NTLMv2 is the minimum that should be accepted today.

Figure: Active Directory NTLM Authentication (remake)
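Because both protocols coexist in a domain, the useful check is how much NTLM (and which version) is still being used, and whether the host is configured to accept NTLMv1 at all. The added example below (not code from the original post) reads recent logon events on the local machine, groups them by authentication package and NTLM version, and then shows the weak and the corrected value of the LmCompatibilityLevel setting. It assumes it is run elevated on a DC or member server; the event count of 500 is an arbitrary choice for a quick look.

```powershell
# Added example (not from the original post): count Kerberos vs NTLM logons
# on this host and check the setting that decides whether NTLMv1 is accepted.
# Run as an administrator; 500 events is an arbitrary sample size.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500

# The EventData of a 4624 event carries AuthenticationPackageName
# (Kerberos / NTLM / Negotiate) and, for NTLM, LmPackageName (NTLM V1 / NTLM V2).
$summary = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Account = $d['TargetUserName']
        Package = $d['AuthenticationPackageName']
        Version = $d['LmPackageName']       # '-' unless the package is NTLM
        Source  = $d['IpAddress']
    }
}

# Distribution of logons by protocol and NTLM version.
$summary | Group-Object Package, Version | Sort-Object Count -Descending |
    Select-Object Count, Name

# Anything still speaking NTLMv1 is what needs attention first.
$summary | Where-Object Version -eq 'NTLM V1' | Select-Object Account, Source -Unique

# Weak setting: LmCompatibilityLevel below 3 lets this host send LM/NTLMv1 responses.
# Corrected setting: 5 sends NTLMv2 only and, as a server/DC, refuses LM and NTLMv1.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }   # effective default on current Windows when unset
$verdict = if ($level -ge 3) { 'NTLMv2 only is sent' } else { 'LM/NTLMv1 can still be sent' }
"LmCompatibilityLevel = $level ($verdict)"
# To harden: Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# (or the equivalent Group Policy: "Network security: LAN Manager authentication level").
```

Run the event query on the DCs as well as on member servers: the DC is where NTLM responses from every host are validated, so its log gives the domain-wide picture rather than one machine's.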

Trees, Forests and Trusts

Tree

A tree is a set of domains that share a common namespace. In this example the root domain and its subdomains all sit under mks.local:

Root Domain: mks.local (DC-ROOT)
Subdomains: tw.mks.local (DC-TW), jp.mks.local (DC-JP); both share the namespace mks.local

Forest

The domains you manage can also be configured in different namespaces. Several trees with different namespaces joined into the same network form a forest:

Root Domains: mks.local, yee.local
Subdomains: tw.mks.local (DC-TW), jp.mks.local (DC-JP); share the namespace mks.local
Subdomains: us.yee.local (DC-US), uk.yee.local (DC-UK); share the namespace yee.local

Trust Relationships

In simple terms, having a trust relationship between domains allows you to authorise a user from domain mks to access resources in domain yee. A trust can be one-way (only one side's users can be granted access on the other) or two-way, and it only makes authentication across the boundary possible: the user still needs permissions granted on the resource itself. Within a forest, parent and child domains are joined by two-way transitive trusts by default, so a tree of domains behaves as one authentication realm.
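To see how the domains and trusts described above are actually configured, the added example below (not code from the original post) lists the domains of the forest and every trust of the current domain with its direction and transitivity, then points out the trusts through which users from elsewhere can be granted access here. It assumes the RSAT ActiveDirectory module on a domain-joined host; the mks.local / yee.local names in the comments are the page's examples.

```powershell
# Added example (not from the original post): list forest domains and trusts.
# Assumes RSAT's ActiveDirectory module; mks.local / yee.local are the page's
# example names and only appear in comments.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest root: {0}; domains across all trees: {1}' -f $forest.RootDomain, ($forest.Domains -join ', ')

$trusts = Get-ADTrust -Filter *
$trusts |
    Select-Object Name,
        @{ n = 'Direction';  e = { $_.Direction } },          # Inbound / Outbound / BiDirectional
        @{ n = 'Type';       e = { $_.TrustType } },
        @{ n = 'InForest';   e = { $_.IntraForest } },
        @{ n = 'Transitive'; e = { -not $_.DisallowTransivity } },   # property name as spelled by the module
        @{ n = 'SIDFilterQuarantined'; e = { $_.SIDFilteringQuarantined } } |
    Format-Table -AutoSize

# Direction is read from this domain's side: an Outbound trust on mks.local means
# mks trusts the other domain, so that domain's users can be authorised on mks
# resources; Inbound means the reverse. These are the trusts that widen who can
# reach resources here.
$trusts | Where-Object { $_.Direction -in 'Outbound', 'BiDirectional' } |
    ForEach-Object {
        'Users from {0} can be granted access in this domain (transitive: {1}, SID filtering: {2})' -f
            $_.Name, (-not $_.DisallowTransivity), $_.SIDFilteringQuarantined
    }
```

Transitive trusts deserve a second look because they extend access to domains the trust was never explicitly made with; the SID-filtering column shows whether SID history presented from the other side is stripped, which limits what a compromise of the trusted domain can carry across.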


