Active Directory

Active Directory Domain Services (AD DS) is the central component of a Windows Domain, serving as a catalog that stores information about all network objects.

AD Objects

Users

Users are security principals, meaning they can be authenticated and assigned privileges. There are two types of user objects:

  • People (e.g., employees)

  • Services (e.g., IIS, MSSQL)

Service accounts are limited to the privileges necessary to run the service.

Machines

Each computer that joins the domain is represented as a machine object. Machines are also security principals. Machine accounts are named like ComputerName$. Machine passwords are automatically rotated and very complex.

Security Groups

Used to assign access rights to multiple users or machines at once. Groups can contain users, machines, or other groups.

Default groups include:

  • Domain Admins: Full domain-wide administrative privileges.

  • Server Operators: Can manage Domain Controllers, but not user/group memberships.

  • Backup Operators: Can access all files for backup purposes.

  • Account Operators: Can create and manage user accounts.

  • Domain Users: All user accounts in the domain.

  • Domain Computers: All computer accounts in the domain.

  • Domain Controllers: All Domain Controllers in the domain.

Active Directory Users and Computers Tool

  • GUI tool used to manage users, groups, and machines.

  • Accessible from the Domain Controller.

  • Displays objects in a hierarchical format using Organizational Units (OUs).

Organizational Units (OUs)

  • Container objects that classify users and computers.

  • Typically mirror business departments (e.g., IT, Marketing).

  • Policies can be applied based on OUs.

  • A user can belong to only one OU at a time.

Default Containers in AD

  • Builtin: System-defined groups available to all Windows hosts.

  • Computers: Default location for new computer accounts.

  • Domain Controllers: Contains all DC accounts.

  • Users: Contains default user and group accounts.

  • Managed Service Accounts: Used by domain services.

Security Groups vs Organizational Units

Aspect        Security Groups                     Organizational Units (OUs)
Purpose       Grant permission to resources       Apply policies and configurations
Membership    A user can be in multiple groups    A user can belong to only one OU
Use Case      File/Printer Access Control         Department-based policy enforcement
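The two points above that matter most in practice are that groups can contain other groups (so effective membership of the privileged default groups must be resolved recursively) and that a user sits in exactly one OU but many groups. The following PowerShell audit is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module on a domain-joined host, and 'jdoe' is a placeholder account name.

```powershell
# Added example (not from the original page): audit effective membership of
# the privileged default groups listed above and contrast group membership
# (many) with OU placement (one). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'

foreach ($group in $privilegedGroups) {
    # -Recursive flattens nested groups, so a principal that is a member only
    # through another group is still reported as an effective member.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' })
    "{0}: {1} effective member(s)" -f $group, $members.Count
    foreach ($m in $members) {
        # Machine accounts appear with the trailing $ described above.
        $kind = if ($m.objectClass -eq 'computer') { 'machine' } else { 'user' }
        "  {0,-8} {1}" -f $kind, $m.SamAccountName
    }
}

# A user belongs to one OU but may be in many groups. The OU is the parent of
# the object's distinguishedName; 'jdoe' is a placeholder account name.
# (Splitting on the first comma assumes the CN itself contains no escaped comma.)
$user = Get-ADUser -Identity 'jdoe' -Properties MemberOf
$ou = ($user.DistinguishedName -split ',', 2)[1]
$groupNames = $user.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }
"OU of {0}: {1}" -f $user.SamAccountName, $ou
"Groups of {0}: {1}" -f $user.SamAccountName, ($groupNames -join ', ')
```

Run it periodically and diff the output against the previous run: an unexpected effective member of Domain Admins, or a machine account in an operator group, is worth an immediate look.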
