Each item in AD is an object. There are two types of objects: containers and non-containers. Non-container objects are also known as leaf nodes.
Data present in AD is presented hierarchically but stored in flat database rows and columns. The Directory Information Tree (DIT) file is an Extensible Storage Engine (ESE) database file.
Domains, forests, and OUs make up the core of AD. A forest defines a single directory and a security boundary. Forests contain domains. Domains partition a forest into smaller sections. Domains contain OUs.
AD uses DNS as the primary location mechanism. Whenever an AD operation such as authentication or the updating or deletion of users or computers is performed, domain-joined computers use DNS to locate a DC. DCs use DNS to locate each other. Finding a DC is necessary to log in to the network.
AD is made up of several components -> four interfaces, three service components, and the directory where the data is stored.
- LDAP
- Replication (REPL) and DC management interface
- Messaging API (MAPI)
- Security Accounts Manager (SAM)
- Directory System Agent (DSA)
- Database layer
- Extensible Storage Engine (ESE)
- GUID (Globally Unique Identifier) is Microsoft's implementation of the Universally Unique Identifier (UUID). It is 128 bits in size.
- An object's GUID is permanent until the object is deleted, even if the object is renamed or moved within the DIT.
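The DC location through DNS described above can be observed directly. This is an added example, not part of the original notes; it assumes a placeholder domain name (corp.example.com) and that the machine can query that domain's DNS servers.

```powershell
# Added example (not from the original notes). Placeholder domain; replace with yours.
$Domain = 'corp.example.com'

# Domain-joined clients find DCs through SRV records under _msdcs.<domain>.
# This is the record a client queries to find an LDAP-capable DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# Kerberos KDCs are located the same way (port 88 by default).
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Port

# The result the Netlogon DC Locator actually uses, including the site the
# client was matched to. /force bypasses the cached answer.
nltest /dsgetdc:$Domain /force
```

A DC that does not appear in the SRV answers is not advertising itself and will not be chosen by clients, which is the first thing to check when logons or replication fail.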
A Windows domain is a group of users and computers under the administration of a given business. The domain centralises the administration of common components of a Windows computer network in a single repository called Active Directory (AD).
The server that runs the Active Directory services is known as a Domain Controller (DC). Because authentication is handled centrally by the DC, a user's credentials are valid on all systems in the network.
Users are also known as Security Principals (SPs), meaning they can be authenticated by the DC and granted privileges over resources like files and printers. An SP is an object that can act upon resources in the network.
Users can represent two types of identities →
- People → representing persons in an organisation, like employees.
- Services → users defined to be used by services like IIS and MSSQL. Every service requires a user to run, but those are different from regular users and have only the permissions required to run that service.
Common username formats →
- Complete first name plus last name -> joe.smith
- First name initial and complete last name -> jsmith
- First three letters of first and last name -> joesmi
- First name and employee ID -> joe123
- Three random letters and three numbers -> asd542
Some legacy applications allow only 8 characters for a username.
For every computer joining the domain, a machine object (machine account, MA) is created. Machine accounts are also considered SPs. A machine account is a local admin on its assigned computer, and it is generally not supposed to be accessed by anyone except the computer itself.
Machine account passwords are rotated automatically and generally consist of 120 random characters. MAs can be identified by a '$' sign at the end of the computer's name.
Groups allow better management of user access rights to resources. Users added to a group inherit the group's privileges. Security groups (SGs) are also considered SPs. Groups can have both users and machines as members. If needed, groups can include other groups as well.
Security Groups are listed in Discretionary Access Control Lists (DACLs), which define permissions on resources and objects.
💡 Permissions are different from user rights. Permissions are assigned to a security group for shared resources and are associated with objects, while user rights apply to user accounts.

AD usually has 2 types of groups →
- Security Groups → Used to assign permissions to shared resources.
- Distribution Groups → Used to create email distribution lists.
All the administrative groups and the members of those groups are protected by a background process that periodically checks for and applies a security descriptor. This descriptor is a data structure that contains the security information associated with a protected object. The process ensures that any successful unauthorized modification of the security descriptor on one of the administrative accounts or groups is overwritten with the protected settings. The security descriptor is present on the `AdminSDObject`. To modify the permissions on one of the service administrator groups or any of its member accounts, the `AdminSDObject` security descriptor can be modified instead.
There are several SGs in a domain →
Members of this group can remotely query authorization attributes and permissions for resources on the computer.
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.
Members of the Account Operators group can't manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group can't modify user rights.
Members of the Administrators group have complete and unrestricted access to the computer. If the computer is promoted to a domain controller, members of the Administrators group have unrestricted access to the domain.
Members of the following groups can modify the Administrators group membership: the default service Administrators, Domain Admins in the domain, and Enterprise Admins.
This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
The purpose of the Allowed RODC Password Replication group is to manage a read-only domain controller (RODC) password replication policy. This group has no members by default, which means new RODCs don't cache user credentials.
The Denied RODC Password Replication group contains various high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group. See the Denied RODC Password Replication group below.
Members of the Backup Operators group can perform data backups on computers, usually domain controllers, regardless of the permissions that protect those files.
Backup Operators can also log on to and shut down the computer. This group can't be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Members of this group can't modify the membership of any administrative group, change server settings, or modify the configuration of the directory, but they do have permission to replace files (including OS files) on domain controllers. Because they can replace files on DCs, they are considered service administrators.
Members of the following groups can modify Backup Operators group membership: default service Administrators, Domain Admins, and Enterprise Admins.
Members of this group can connect to certification authorities in the enterprise.
Members of this group are authorized to publish certificates for User objects in AD.
Members of the Cloneable Domain Controllers group that are domain controllers may be cloned.
Members of this group are authorized to perform cryptographic operations.
Passwords of members of the Denied RODC Password Replication group can't be replicated to any RODC. The purpose of this security group is to manage a RODC password replication policy. This group contains various high-privilege accounts and security groups.
Default members of this group are → Cert Publishers, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-Only Domain Controllers, Schema Admins.
The default configuration shouldn’t be changed for this security group. This group currently is not used in Windows.
Members of this group can create, delete, and manage different areas of the server's scope, including the rights to back up and restore the Dynamic Host Configuration Protocol (DHCP) database. Even though this group has administrative rights, it isn't part of the Administrators group because this role is limited to DHCP services.
Members of the DHCP Users group can see which scopes are active or inactive, see which IP addresses are assigned, and view connectivity issues if the DHCP server isn't configured correctly. This group is limited to read-only access to the DHCP server.
Members of the Distributed COM Users group can launch, activate, and use Distributed COM objects on the computer.
Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master (also called the flexible single master operations or FSMO) role.
Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients, like for DHCP servers. A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update.
Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
Members of this group have administrative privileges over the entire domain. By default, they can administer any computer in the domain, including the DCs. The Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including the DCs. This group is the default owner of any object that's created in AD by any member of any group. If the members of the group create other objects, such as files, the default owner is the Administrators group.
The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain.
Members of the service administrator groups in its domain (Administrators and Domain Admins) and members of the Enterprise Admins group can modify Domain Admins membership.
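Because groups can nest and the administrative groups above are protected by the background security-descriptor process, a practitioner wants to see the flattened membership of those groups and whether each member carries the protection stamp. This is an added example, not code from the original notes; it assumes the ActiveDirectory RSAT module, read access to the domain, and the fact (not stated on the page) that the protection process marks protected accounts with the `adminCount` attribute set to 1.

```powershell
# Added example, not part of the original notes. Requires the ActiveDirectory
# RSAT module and read access to the domain (any domain user has that by default).
Import-Module ActiveDirectory

# Service administrator groups named in the notes; add others your domain protects.
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                   'Schema Admins', 'Account Operators', 'Backup Operators',
                   'Server Operators', 'Print Operators'

function Get-ProtectedGroupReport {
    foreach ($g in $ProtectedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # so skip any group this domain does not have.
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        # -Recursive flattens nested groups: members reached through a nested
        # group are listed alongside direct members.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties adminCount, Enabled, PasswordLastSet

        [pscustomobject]@{
            Group     = $g
            Members   = @($members).Count
            # adminCount=1 is the mark the protection process leaves on accounts it
            # has processed; a member without it has not been stamped yet.
            Unstamped = (@($members | Where-Object { $_.adminCount -ne 1 }).SamAccountName) -join ','
            Disabled  = (@($members | Where-Object { -not $_.Enabled }).SamAccountName) -join ','
            # Oldest password among the members; long-lived admin passwords are a risk.
            OldestPw  = ($members | Sort-Object PasswordLastSet | Select-Object -First 1).PasswordLastSet
        }
    }
}

Get-ProtectedGroupReport | Format-Table -AutoSize
```

Run it periodically and diff the output: a new name in a protected group, or a member that is never stamped, is worth a ticket.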
This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that’s created automatically becomes a member of this group.
The Domain Controllers group includes all existing DCs in the domain. New domain controllers are automatically added to this group.
The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
Includes all existing user accounts in the domain.
The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. The group is a Universal group if the domain is in native mode. The group is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, like adding child domains.
By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access to configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Members of the default service administrator groups in the root domain can modify Enterprise Admins membership. This group is considered a service administrator account.
Members of this group can perform administrative actions on key objects within the forest.
Members of this group are RODCs in the enterprise. Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes can't be made to the database that's stored on the RODC. Changes must be made on a writable domain controller and then replicated to the RODC.
RODCs address some of the issues that are commonly found in branch offices. These locations might not have a domain controller, or they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it.
Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
The Group Policy Creator Owners group is authorized to create, edit, and delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
When a member of the Guests group signs out, the entire profile is deleted. The profile deletion includes everything that's stored in the `%userprofile%` directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This fact implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting.
The Guest account is disabled by default. It does not require a password, so people who don’t have an account (or a user whose account is temporarily disabled) in the domain can use this account.
Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group and further separates access.
IIS_IUSRS is a built-in group that's used by Internet Information Services (IIS) beginning with IIS 7. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that the new account and group use are never localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS_IUSRS.
Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.
To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including SIDs for users and groups.
This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (FSMO) role. This group can't be renamed, deleted, or removed.
Members of this group can perform administrative actions on key objects within the domain.
Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features →
- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
- Rename the LAN connections or remote access connections that are available to all the users.
- Enable or disable a LAN connection.
- Modify the properties of all remote access connections of users.
- Delete all the remote access connections of users.
- Rename all the remote access connections of users.
- Issue `ipconfig`, `ipconfig /release`, and `ipconfig /renew` commands.
- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (FSMO) role. This group can't be renamed, deleted, or removed.
Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group →
- Can use all the features that are available to the Performance Monitor Users group.
- Can create and modify Data Collector Sets after the group is assigned the Log on as a batch job user right.
- Can't use the Windows Kernel Trace event provider in Data Collector Sets.
For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the Log on as a batch job user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console (MMC).
This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (FSMO) role. This account can't be renamed, deleted, or moved.
Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is an MMC snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in various ways.
Specifically, members of this security group:
- Can use all the features that are available to the Users group.
- Can view real-time performance data in Performance Monitor.
- Can change the Performance Monitor display properties while viewing data.
- Can't create or modify Data Collector Sets.
Members of the Performance Monitor Users group can't configure Data Collector Sets.
This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (FSMO) role. This group can't be renamed, deleted, or removed.
Members of the Server Operators group can administer domain controllers. They cannot change any administrative group memberships.
An Organizational Unit (OU) is a subdivision within AD that logically groups users, groups, and computers. A user can be a member of only one OU at a time. OUs are protected against accidental deletion.
💡 OUs are handy for applying policies to users and computers, while Security Groups are used to grant permissions over resources.

One of the nice things you can do in AD is give specific users some control over some OUs. This process is known as delegation and allows you to grant users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator to step in.
If the user has sufficient privileges, a domain password can then be reset using the `Set-ADAccountPassword` PowerShell cmdlet.
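The delegation just described, carried through end to end: grant a help-desk group only the Reset Password right on user objects under one OU, verify the resulting ACL, then reset a password with the cmdlet the notes mention. This is an added example, not from the original notes; the OU, the group name and the user are placeholders, and it assumes the ActiveDirectory RSAT module and an account allowed to change the OU's ACL.

```powershell
# Added example, not from the original notes. Placeholders: the OU, the help-desk
# group and the user. Run as an account allowed to change the OU's ACL.
Import-Module ActiveDirectory

$OU       = 'OU=Staff,DC=corp,DC=example,DC=com'   # placeholder OU
$Delegate = 'HelpDesk-PasswordReset'                # placeholder group
$OuAcl    = Get-Acl -Path "AD:\$OU"
$Sid      = (Get-ADGroup -Identity $Delegate).SID

# Schema GUIDs are fixed across every AD forest.
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

# Grant only the "Reset Password" extended right, only on user objects below the OU.
# Inheritance is limited to descendants so the OU object itself gains nothing.
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)
$OuAcl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$OU" -AclObject $OuAcl

# Verify what the delegate now holds on the OU. Anything beyond this single
# ExtendedRight entry means the delegation is wider than intended.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Delegate" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType

# A member of the delegated group can now reset passwords for users in that OU.
# -Reset sets a new password without knowing the old one; forcing a change at
# next logon keeps the help-desk operator from knowing the user's lasting password.
$NewPassword = Read-Host -AsSecureString -Prompt 'New password for joe.smith'
Set-ADAccountPassword -Identity 'joe.smith' -Reset -NewPassword $NewPassword
Set-ADUser -Identity 'joe.smith' -ChangePasswordAtLogon $true
```

Delegating to a group rather than to individual users keeps the ACL stable; the group's membership is then the only thing that needs reviewing.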
- Workstations should never have a privileged user signed into them.
- DCs contain hashed passwords and secrets for all the users in the environment.
Group Policies refer to the collection of settings that can be applied to OUs; this is achieved through Group Policy Objects (GPOs). Each GPO has configurations that apply to computers only and configurations that apply to users only.
GPOs are distributed to the network via a network share called `SYSVOL`. All users in the domain should typically have access to this share over the network to sync their GPOs periodically. The `SYSVOL` share points by default to the `C:\Windows\SYSVOL\sysvol\` directory on each of the DCs in the network. `gpupdate /force` can be used to force a Group Policy update across the domain.
The schema is a forest-level description of all objects.
A copy of the schema exists on each DC. The schema is also important for the AD Data Store, as it provides object definitions and enforces data integrity. The Replication Service ensures consistency across all DCs.