Introduction

This article is the final installment in the TryHackMe CompTIA Pentest+ series. It introduces foundational Active Directory concepts through both theoretical explanations and hands-on practical tasks, preparing readers for the subsequent “Attacktive Directory” room.

Windows Active Directory Basics

Microsoft’s Active Directory is the backbone of the corporate world. It simplifies the management of devices and users within a corporate environment. In this room, we’ll take a deep dive into the essential components of Active Directory.

A Windows domain is a group of users and computers under the administration of a given business. The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).

The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a catalogue that holds the information of all of the “objects” that exist on your network. Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others.

Organizational Units (OUs) are container objects that allow you to classify users and machines. OUs are mainly used to define sets of users with similar policy requirements. The people in the Sales department of your organisation are likely to have a different set of policies applied than the people in IT, for example. Keep in mind that a user can only be a part of a single OU at a time.

  • OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn’t make sense to try to apply two different sets of policies to a single user.
  • Security Groups, on the other hand, are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be a part of many groups, which is needed to grant access to multiple resources.

Windows manages such policies through Group Policy Objects (GPO). GPOs are simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.

GPOs are distributed to the network via a network share called SYSVOL, which is stored in the DC. All users in a domain should typically have access to this share over the network to sync their GPOs periodically. The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\ directory on each of the DCs in the network.
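The OU and GPO model described above, as an added example written for this page (not the room's own material): it builds separate Servers and Workstations OUs, sorts computer objects into them by operating system, links a baseline GPO to the Workstations OU, and verifies the result. It uses the ActiveDirectory and GroupPolicy modules from RSAT; the domain name is read at runtime and the GPO name is a placeholder.

```powershell
# Added example, not part of the room: build the OU layout and link a baseline GPO.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) and rights to create OUs and GPOs.
Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local (placeholder)

# One OU per policy set: servers and workstations get different baselines, so they get separate OUs.
foreach ($ou in 'Workstations', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Sort computer objects by operating system: anything that is not a Windows Server goes to Workstations.
# Only the default Computers container is searched, so domain controllers (in their own OU) are untouched.
# A computer object, like a user, lives in exactly one OU at a time.
$computers = Get-ADComputer -Filter * -Properties OperatingSystem -SearchBase "CN=Computers,$domainDN"
foreach ($c in $computers) {
    $target = if ($c.OperatingSystem -like '*Server*') { "OU=Servers,$domainDN" } else { "OU=Workstations,$domainDN" }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
}

# A GPO is just a bundle of settings; linking it to the OU is what applies those settings to everything inside.
$gpoName = 'Workstation Baseline'   # placeholder name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Baseline settings for user workstations' }
New-GPLink -Name $gpo.DisplayName -Target "OU=Workstations,$domainDN" -LinkEnabled Yes

# Verify: count what landed in each OU (the room asks how many machines ended up in Workstations).
foreach ($ou in 'Workstations', 'Servers') {
    $n = @(Get-ADComputer -Filter * -SearchBase "OU=$ou,$domainDN").Count
    "{0}: {1} computer(s)" -f $ou, $n
}
```

Clients pick up the linked GPO from SYSVOL at their next policy refresh; run gpupdate on a workstation to apply it immediately.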

The Enterprise Admins group will grant a user administrative privileges over all of an enterprise’s domains. Each domain would still have its Domain Admins with administrator privileges over their single domains and the Enterprise Admins who can control everything in the enterprise.

Having multiple domains organised in trees and forests gives you a nicely compartmentalised network in terms of management and resources. But at a certain point, a user at THM UK might need to access a shared file on one of MHT ASIA's servers. For this to happen, domains arranged in trees and forests are joined together by trust relationships.

User Types and Group Dynamics

The room distinguishes two types of administrators: domain admins, who have full control over the domain, and local administrators, whose privileges are limited to specific machines.

Security groups are used to manage permissions, whereas distribution groups are used for email lists.

Users such as admin2 and service accounts such as SQLService are examined to show what privileges they hold.

Practical Active Directory Enumeration Using PowerView

Several PowerView commands are demonstrated:

  • Get-NetDomain reveals domain-wide configurations.
  • Get-NetUser and Get-NetGroup enumerate users and groups along with their properties.
  • Get-DomainPolicy uncovers password and ticket policies.
  • Get-NetComputer lists all domain machines and their operating systems.
  • Filtering for details like OS (Windows 10, Server 2019) or checking password set dates enhances reconnaissance.

Details Extracted from Enumeration

The enumeration reveals each user's group memberships and checks which groups contain specific characters in their name (e.g., a capital “V”).

It identifies users with high-level access, such as admin2, who is a member of the “Domain Admins” group.

Select-Object is used to extract operating system information for the systems in the domain.

The room also demonstrates attempts to locate file servers and to validate trust directions (directional vs. transitive).
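The checks listed in the two sections above, re-expressed as an added defender's audit script (not the room's PowerView commands) using the ActiveDirectory module from RSAT: domain and password policy, computers by OS, accounts with old passwords, group names containing a capital V, Domain Admins membership, and trust directions. It assumes a domain-joined host with RSAT and ordinary domain read access.

```powershell
# Added example: the room's enumeration steps written against the RSAT ActiveDirectory module,
# read-only, so it doubles as a periodic hygiene audit.
Import-Module ActiveDirectory

# Domain-wide configuration (cf. Get-NetDomain) and password/lockout policy (cf. Get-DomainPolicy).
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain: {0}  DCs: {1}" -f $domain.DNSRoot, ($domain.ReplicaDirectoryServers -join ', ')
"MinPasswordLength: {0}  LockoutThreshold: {1}  MaxPasswordAge: {2}" -f `
    $policy.MinPasswordLength, $policy.LockoutThreshold, $policy.MaxPasswordAge

# Every computer and its operating system (cf. Get-NetComputer); sorting by OS makes unsupported builds stand out.
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion |
    Select-Object Name, OperatingSystem, OperatingSystemVersion |
    Sort-Object OperatingSystem | Format-Table -AutoSize

# Enabled accounts whose password was last set over a year ago (the room's password-set-date check).
# Service accounts such as SQLService are flagged via their SPN; these are the ones to rotate first.
$stale = (Get-Date).AddDays(-365)
Get-ADUser -Filter { PasswordLastSet -lt $stale -and Enabled -eq $true } `
           -Properties PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } } |
    Format-Table -AutoSize

# Groups whose name contains a capital V (the room's group filter). The LDAP filter is case-insensitive,
# so the case-sensitive match is applied client-side with -cmatch.
Get-ADGroup -Filter 'Name -like "*V*"' | Where-Object { $_.Name -cmatch 'V' } | Select-Object Name

# Who holds Domain Admins, including nested membership (the room finds admin2 here).
# Every entry in this list is a Tier-0 identity and should be justified.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass

# Trust relationships and their direction (cf. the room's trust-direction check).
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest, TrustType
```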

Authentication and Trust Mechanisms

Kerberos and NTLM are explained as the authentication protocols used in a Windows domain, with Kerberos relying on tickets rather than password hashes on the wire.

Trust types are covered: directional trusts (from one domain to another) and transitive trusts (which extend across multiple domains).

TryHackMe COMPTIA Pentest+ | Active Directory Basics Answers

In a Windows domain, credentials are stored in a centralised repository called…

The server in charge of running the Active Directory services is called…

Which group normally administrates all computers and resources in a domain?

What would be the name of the machine account associated with a machine named TOM-PC?

Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

What was the flag found on Sophie’s desktop?

The process of granting privileges to a user over some OU or other AD Object is called…

After organising the available computers, how many ended up in the Workstations OU?

Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

What is the name of the network share used to distribute GPOs to domain machines?

Can a GPO be used to apply settings to users and computers? (yay/nay)

Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)

What is a group of Windows domains that share the same namespace called?

What should be configured between two domains for a user in Domain A to access a resource in Domain B?


Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.