Active Directory (AD)
Active Directory is a centralized database of every network resource:
- π₯οΈ Computers, Servers, Printers
- π§βπΌοΈ Users and Groups
- π§οΈ Permissions to access files/apps/...
- βοΈοΈ Policies (ex: password length/...)
- π‘ Shared folders/drives
- ...
It provides services to manage and authenticate these resources. It's a centralized and highly scalable tool that is used by many large organizations (with many employees, multiple offices/sites...).
β‘οΈ LDAP is a protocol used to communicate with Active Directory.
Active Directory Domain Services (ADDS) is the main service that system admins will interact with. π Because of that, Active Directory and ADDS are often used interchangeably.
It's widely used to manage organizations/schools/... They can configure for each user or group of users:
- π― What files/folders/shared they can access
- π‘ Which application they can launch
- ...
- πΏ Basically, their permissions over every resource
π For users, it's convenient, as they log in once, from any machine over the network, and they can access their files/...
Forests and domains
A schema πͺ¨ is a definition of an entity, such as a user. It defines its attributes such as "Firstname", "Lastname"... A schema can be extended, meaning, we can add new attributes.
An Object π° is a concrete instance of a schema. For instance, the user "John Doe", the computer "PC-B2006-06", or the printer XXX...
A domain 𧡠is a logical group of objects... For instance, the domains example.com, eu.example.com, and na.example.com... eu and na are subdomains of example.com. The tree is called domain tree πΈοΈ.
π You should own the domain name to avoid merging problems.
There is at least one Domain controller π (DC) on each domain. It's used to manage objects on the domain. They all have their own database to store information about their objects.
A site ποΈ is a group of objects that are physically located in the same place, such as a branch office. We usually have one DC per site, which can mean multiple DCs for one domain. The DC is replicated, which allows for faster response times and reduces network traffic.
A forest π΄ is a collection of one or more domain trees. They share a common schema, along with configurations, and global catalogs.
A global catalog π° stores a copy of the most used attributes of every object, allowing us to search for objects across the whole forest.
Getting started
If starting from scratch, you will create a forest π΄, with only one domain inside π§΅, for instance, example.com. To do so, you will need a computer that will serve as a domain controller π.
You will install on this computer Windows Server 2019/2022/... As a student, you can get an image for free on azure website.
β‘οΈ If you're using Virtual Box, see these notes.
After installing the ISO, when starting the machine, the Server Manager will automatically open itself. From there, you will be able to install ADDS and many other services/tools π.
Where to learn?
Before installing ADDS, you should:
Freeze and configure your server IP address
π This is a best practice to give a fixed IP address to your domain controller before installing ADDS.
- Control Panel
- Network and Internet
- Network And Sharing Center
- Select your network (ex: Ethernet 2)
- Properties > IPV4 > Properties
- IP: X.X.X.2
- Mask: 255.255.255.0
- Default gateway: X.X.X.1
- DNS: X.X.X.2
Set your DC name
π This is optional too. The DC name can be used to reference commands. For instance, you will be able to use the name instead of the IP address.
- Click on "Local Server"
- Click on your computer name (in blue)
- Click on "Change"
- Set the name your want
- Restart
Then, you can start the installation:
Installation ADDS
- Start the Server Manager
- Click on "Add roles and features"
- Press Next twice
- In Server Roles, select ADDS
- Press Next twice, then Install
- Click on the notification icon with a warning (β οΈ)
- Click on "Promote this server to a domain controller"
Select "Add a new forest" (for your first domain controller/...)
- Give a root domain name (ex:
example.com) - Add a "restore password"
- Press "Next" 4 times
- Press "Install"
- Done
Select "Add a new domain to an existing forest" (to add a subdomain to an existing forest)
- Click on "Select"
- Enter the
domain\usernameof the parent domain. For instance,example.com\administrator. Selectexample.com. - In the "New domain name", you could add
eu. - Process with the setup of
eu.example.com
Installation and configuration of DHCP
One of the first things you may do is configure the DHCP server. When computers connect to Active Directory, they will be assigned an IP. You can define here the rules for assigning IPs. π
- Start the Server Manager
- Click on "Add roles and features"
- Press Next twice
- In Server Roles, select DHCP Server
- Press Next twice, then Install
- Click on tools > DHCP
Configure your DHCP server
- IPV4 > New Scope
- Name: Lan1
- Select a range of addresses
- You can prevent machines from taking some addresses
- Select a lock duration (ex: 1 day)
- We can reserve an IP address for a specific MAC address
- You can see attributed IPs in "Address leases"
β‘οΈ Use ipconfig /all to get the IPv4/MAC address.
Manage users and computers
From the users and computers tool, you can right-click on your domain, then "change domain" to manage a subdomain.
We use Organizational Units (OUs) π to sort the great number of objects within a domain: users, computers, printers, security groups...
They are basically folders. You could have one OU per
- π site: Paris, New York, Montreal...
- π’ business unit: Direction, Marketing, IT...
- ...
π₯ For instance, inside an OU called Paris, you could have OUs for each business unit. You could also do it the other way around.
π Create an OU
- Start the Server Manager
- Go to Tools > Active Directory Users and Computers
- Right-click on your domain
- New > Organizational Unit
- Give it a name
π Delete an OU
- Start the Server Manager
- Go to Tools > Active Directory Users and Computers
- Click on View > Advanced features
- Right-click on your OU
- Go to Properties > Object
- Unselect "Protect object from accidental deletion"
- Apply, then close
- Right-click on your OU, and click on delete
Add a user
- Start the Server Manager
- Go to Tools > Active Directory Users and Computers
- Right-click on your domain
- New > User
- You must at least fill in the "Full name" and the "logon" fields
- Add a password that matches your password policy
Add a workstation
- Start the Workstation
- Go to "Advanced System Settings"
- Switch to the "Computer name" tab
- Click on "Network ID" and follow the steps
β‘οΈ The local computer account that will be created cannot be used by users. The username is PC_NAME_HERE$ and the password is a randomly generated string of 120 characters.
Once the workstation is added to Active Directory, you will be able to connect to any enabled accounts. To connect to a specific domain, use domain\username such as example.com\username.
π You can also use username@domain or the NetBios name instead of the domain giving us "example\username" (set during the ADDS setup).
Add a Local Administrator to a Workstation
It's a good practice to create a local administrator account in case there are issues with Active Directory or the network, and there is a need to access the computer to fix the problem.
- Login using an Administrator account
- Navigate to "Settings" > "Accounts" > "Other users"
- Click on "Add someone else to this PC"
- Select "I don't have this person's sign-in information"
- Select "Add a user without a Microsoft account"
- Once created, click on the newly created user
- Click on "Change account type"
- Select "Administrator"
β‘οΈ If you're not connected to the internet, you can skip 4 and 5.
To log in to a local account, use .\username.
Permissions
We usually don't apply permissions on a user, as it is not scalable. Instead, we create groups or apply permissions to OUs.
A Security Group πͺ is a logical group made to grant or deny access to resources for users that are part of this group. A user can be in multiple groups. There are some built-in ones:
-
Domain Users: every user on the domain -
Authenticated Users: every authenticated user on the domain - ...
You will also create new security groups. We usually create an OU called groups with all security groups inside.
Create a Security Group
- Right-click on the OU "groups"
- New > Group
To add members, either
- Right-click on the group, and select "Add to a group"
- Right-click on an object, select properties, go to "member of", and add your security group
Delegate control
You can delegate the control over an OU to a user, or preferably a group of users. They will be able to do administrative tasks such as:
- π§ create, manage, and delete user accounts
- π reset user passwords (ex: helpdesk)
- ...
This can help reduce the workload of the sysadmins and simply processes for HR/Helpdesk/..., but can induce security risks.
A Group Policy Objects (GPO) π¦ is a policy applied on some objects (computers, users, groups, OUs...). For instance, you may want to deny access to some programs/windows features to some groups of users.
- Start the Server Manager
- Go to Tools > Group Policy Management
- Find the "Group Policy Object" folder
- Right-click on it > New and create a GPO
βοΈ Link a GPO
Linking a GPO means associating the GPO with an object. Simply drag and drop the GPO on
- an OU
- a domain
- ...
And they will be linked. A GPO can be linked to multiple objects. When clicking on the GPO, all the links are shown in "Location". You can delete a link from there.
π― Configure a GPO
After linking the GPO to a target, you may want to filter the scope of the link.
To apply a GPO only to some groups
- Click on a GPO
- In the tab "Scope", in "Security filtering"
- You can remove the group "Authenticated users"
- You can add groups for which the policy will be applied
Apply a GPO to every XXX aside from YYY
For instance, if you want to apply a policy on every group inside the OU "Paris" aside from the IT group, you can either
- β add every group aside from the IT group in Security filtering, but if there is a new group, you may forget to add it
- π apply the policy on every "authenticated users", and exclude the IT group.
To do that,
- Navigate to the "Delegation tab"
- Click on "Advanced"
- Add an object to exclude (ex: IT security group)
- Check "deny" for the line "Apply group policy"
π Edit a GPO
Right-click on a GPO > Edit. There are two main configuration
- π» Computer configuration: applied to every computer in the scope, regardless of the user
- π§ User configuration: apply to every user in the scope, regardless of the computer
You will usually search on Google to find the setting you want. A lot of settings have moved in Windows Server 2022 (it seems), so you may have to look around a bit.
Notes to set up a password policy
- Start the Server Manager
- Go to Tools > Group Policy Management
- Right-click on a GPO > Edit (you could create a GPO and apply it on the whole domain...)
Go to Computer configuration > Policies > Windows Settings > Security Settings > Account Policy.
There, you can enable history, set password length and age (ex: 6 months), enable complexity requirements, lockout...
β‘οΈ Changes are distributed using a network share called SYSVOL (C:\Windows\SYSVOL\sysvol\). It may take time for the changes to be applied, but the update be forced with gpupdate /force.
π When clicking on a GPO, in the tab "Settings", you can find what settings are changed by a policy.
πΈ A computer can define local group policies too. Open a console as administrator, and run gpedit.
Files and folders
Mount a network drive π
A network drive is a drive on the server, that can be accessed from any workstation. For employees, they won't use the local folders such as "My documents", but these drives instead. For sysadmins, it means that they only have to back up these drives.
βοΈ The first thing you may have to do is to create a new hard drive, that will be shared over the network. Let's call it E:.
ποΈ Create a new hard drive
- Start the Server Manager
- Go to Tools > Computer Management > Disk Manager
- Select the drive, right-click on it, and ensure it's marked as online (or right-click on "offline" and set it to online)
- Right-click > Initialize Disk (if there is no unallocated)
- Right-click on "unallocated" and create a new volume. You can leave the name empty.
Once created, you can either share the drive or only a folder.
π Share a drive
β‘οΈ To share the drive, Right-click on it > Properties > Sharing > Advanced Sharing, and enable the sharing. The path that users will use will be shown below "Network Path" (ex: \\\ServerName\DriveName).
β‘οΈ To share a folder (of an online drive), Right-click on it > Properties > Sharing > Share. Add groups such as Domain Users for everyone. The path will be shown below "Network Path" (ex: \\\ServerName\FolderName).
π TL;DR mounted drive/folders will be shown at \\ServerName with the servername the name that you defined before installing ADDS.
π See also the notes for Windows shares.
Auto-mounting π
Instead of writing the path to a folder each time, sysadmins create a fake hard drive, such as F: which will point to a network folder.
You can do it by creating a GPO. For instance, if you shared a drive called Data with a folder Marketing, you may configure a GPO so that employees of the marketing unit have a hard drive M: pointing to it.
Automatically mounting using a GPO π
- Start the Server Manager
- Go to Tools > Group Policy Management
- Create a GPO (and configure it...)
- Right-click on a GPO > Edit
Go to User Configuration > Preferences > Windows Settings > Drive Maps. Here, you can map a drive to a folder, and only apply the rule to a group/...
- Right-click > New > Drive Map
- In Location, add the network path, such as
\\ServerName\Data\Maketing\ - Select a drive letter (ex: M)
You may want to only mount this hard drive for some groups of users, according to how you configured your GPO. You can do that as follows:
- Navigate to the "common" tab
- Select "remove this item when its no longer applied"
- Select "item-level targeting"
- Click on "Targeting"
- Add the security group that will get access to this mapped drive (ex: Marketing)
β‘οΈ For conditions like "one of multiple groups" (ex: Both IT and Marketing), you can right-click on the second item, and in item options, select OR.
User personal folder (home) π‘
A home folder is a folder in which the user can put their personal documents. It should be also auto-mounted, for instance, in U:...
To create home folders, you need a network drive. Inside, you could create an empty folder called HOME.
Define each user home folder
- Go to Tools > Active Directory Users and Computers
- Select every user needing a home folder
- Right-click on one
- Go to profile
- Enter the path
\\ServerName\\SomeFolder\\%username%, for instance,\\SerName\\E\\HOME\\%username%. Note that%username%will be replaced by each user username. - Save and exit
You can go back to the HOME folder, and see a folder for each user.
Permissions on folders
A security principal (doc) π is an entity that can be authenticated and given access to a resource, such as a folder.
- Users, and groups
- Computers
- Services
It's a term that is often used when talking about access control. They all have a unique identifier assigned, called SID (Security Identifier).
To configure permissions for a folder π
- Right-click on a folder (... on a network drive)
- Select properties then Security
- Edit
- Add or remove Security Groups, OUs, or Users.
- You can also define the permissions for each group.
β‘οΈ With scalability in mind, we usually allow access to security groups or OUs, instead of users.
Forest and trusts
A trust πͺ is a relationship between two domains or forests, defining whether each one can access objects of the other.
In a forest, each domain implicitly trusts every other. But, forests are not trusting other forests.
There are several types of trusts:
-
One-way trusts β‘οΈ: given a one-way trust from B to A, B is able to access objects from A, but not the other way around.
-
Two-way trusts π: two one-way trust (from B to A, and from A to B.)
There are other kinds of trusts:
- External trust
- Forest trust
- Shortcut trust
π Trusts are not something that sysadmins will see often. These are mostly used when there are multiple forests, such as in big companies, or when merging/acquiring a company...
Active Directory On Linux
While uncommon, it's possible for Linux clients to be connected to Active Directory. We can use the realm command to dig information:
$ realm list # see also: sssd, winbind
...
permitted-logins: username@xxx.yyy
permitted-groups: XXX
Kerberos tickets are stored in /tmp as ccache files. The current ticket is set by setting the KRB5CCNAME environment variable.
$ export KRB5CCNAME=FILE:/tmp/krb5cc_xxx_yyy
$ export KRB5CCNAME=FILE:/var/lib/sss/db/ccache_XXX.YYY
$ klist # information about the current ticket
$ impacket-ticketConverter xxx yyy.kirbi # from ccache to kirbi
β οΈ We can use someone else's ticket as long as we got rw on it.
Users and scripts can use a keytab file to store Kerberos principals and encrypted keys that can be used to create tickets without having to store the plaintext password. To use it, we need rw on it.
$ find / -name "*keytab*" -readable -writable -ls 2>/dev/null
$ kinit xxx@yyy.zzz -k -t /path/to/xxx.keytab
$ klist # new ticket associated with xxx@yyy.zzz
β οΈ If you find a readable keytab file, you can create tickets. You can also use KeyTabExtract (0.1k β) to dump the hash and crack it.
Random Notes
Windows Server Update Services (WSUS)
The WSUS service is used to manage and deploy updates to Windows workstation within the domain from a centralized server.
- Server: find, and suggest updates. Download them.
- Client: receive the selected downloaded updates, and install them.
Before updating, it's always wiser to prepare properly.
π₯ Microsoft webserver (IIS) is a dependancy, and is automatically installed. This can be an attack vector if not handled.
β‘οΈ Newer alternative: Windows Update for Business (WUfB).
π» To-do π»
Stuff that I found, but never read/used yet.
- Microsoft System Center Configuration Manager (SCCM)
- SConfig (relies on PowerShell to manage ADDS)
- Namespace
-
gpresult /R - Windows Admin Center
- Azure AD (SAML, OAuth, OpenID connect, WS-federation) vs On-premise. Azure AD cloud Sync
- GPO (Priority/Unit order, allow override...)
- no .local, use intranet
- Groups: domain, global, universal | Distribution groups (mailing lists?)
- linux active directory. OpenLDAP/FreeIPA for full-linux. Redhat satellite, Ansible or AWX.
- Distributed File System (DFS)
- locally group shared folders on different servers
- supports fault tolerance and load balancing
- standalone or domain-based
- DFS Replication (DFSR)
- if server unavailable, switch to another
- IPAM
- SSPR
- IIS
- WDS (deploy images)
- rdr-it.com
- microsoft
- activedirectorypro
- Active Directory Federation Services
- Active Directory Backup and Recovery
- Active Directory Auditing