Introduction
This article serves as the final installment in the TryHackMe CompTIA Pentest+ series. It aims to familiarize users with foundational Active Directory concepts through both theoretical explanations and hands-on practical tasks, helping them tackle the subsequent “Attractive Directory” room.
Windows Active Directory Basics
Microsoft’s Active Directory is the backbone of the corporate world. It simplifies the management of devices and users within a corporate environment. In this room, we’ll take a deep dive into the essential components of Active Directory.
A Windows domain is a group of users and computers under the administration of a given business. The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).
The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a catalogue that holds the information of all of the “objects” that exist on your network. Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others.
Organizational Units (OUs) which are container objects that allow you to classify users and machines. OUs are mainly used to define sets of users with similar policing requirements. The people in the Sales department of your organisation are likely to have a different set of policies applied than the people in IT, for example. Keep in mind that a user can only be a part of a single OU at a time.
- OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn’t make sense to try to apply two different sets of policies to a single user.
- Security Groups, on the other hand, are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be a part of many groups, which is needed to grant access to multiple resources.
Windows manages such policies through Group Policy Objects (GPO). GPOs are simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.
GPOs are distributed to the network via a network share called SYSVOL, which is stored in the DC. All users in a domain should typically have access to this share over the network to sync their GPOs periodically. The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\ directory on each of the DCs in the network.
The Enterprise Admins group will grant a user administrative privileges over all of an enterprise’s domains. Each domain would still have its Domain Admins with administrator privileges over their single domains and the Enterprise Admins who can control everything in the enterprise.
Having multiple domains organised in trees and forest allows you to have a nice compartmentalised network in terms of management and resources. But at a certain point, a user at THM UK might need to access a shared file in one of MHT ASIA servers. For this to happen, domains arranged in trees and forests are joined together by trust relationships.
User Types and Group Dynamics
Two types of admins: domain admins (full control over domain) vs. local administrators (limited to specific machines).
Security groups manage permissions; distribution groups are used for email lists.
Users like admin2 and service accounts like SQLService are analyzed to show their privileges.
Practical Active Directory Enumeration Using PowerView
Several PowerView commands are demonstrated:
Get-NetDomainreveals domain-wide configurations.Get-NetUserandGet-NetGroupenumerate users and their properties.Get-DomainPolicyuncovers password and ticket policies.Get-NetComputerlists all domain machines and their operating systems.- Filtering for details like OS (
Windows 10,Server 2019) or checking password set dates enhances reconnaissance.
Details Extracted from Enumeration
Reveals a list of group memberships for users and checks which groups contain specific characters (e.g., capital “V”).
Identifies users with high-level access such as admin2 in the “Domain Admins” group.
Uses Select-Object to extract OS information for systems in the domain.
Demonstrates attempts to locate file servers and validate trust directions (directional vs. transitive).
Authentication and Trust Mechanisms
Kerberos and NTLM are explained as authentication protocols, with Kerberos using tickets.
Trust types: directional (from one domain to another) and transitive (expandable across multiple domains).
TryHackMe COMPTIA Pentest+ | Active Directory Basics Answers
The server in charge of running the Active Directory services is called…
Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)
Can a GPO be used to apply settings to users and computers? (yay/nay)
When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?
When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)
What should be configured between two domains for a user in Domain A to access a resource in Domain B?
Video Walkthrough
