Skip to content

Users and Groups

New Domain Controllers come with default groups and and two default users. you will need to create new users and groups to add to * Administrator * Guest

Users overview There are 4 main types of users in Active Directory there can be more depending on how a company manages permissions of its users * Domain Admins - They control the domains and are the only ones with access to domain controller * Service Accounts (can be domain admins) Ysually never used except for service maintenance, they are required by Windows for services such as SQL to pair a service account * Local Administrators users can make changes to local machines as an administrator and may be able to control other normal users. But cannot access the domain controller * Domain Users are your everyday users. Can log in on machines they have local administrator rights to machines depending on the organization

Groups Overview Groups make it easier to give permissions to users and objects by organizing into groups with specifies permissions. 2 Types * Security Groups are used to specify permissions for a large number of users * Distrbution Groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us but can still be beneficial in enumeration

Default Security Groups Brief outline of security groups * Domain Controllers all domain controllers in the domain * Domain Guests All domain guests * Domain users All domain users * Domain computers All workstations and servers joined to the domain * Domain Admins Designated administrators of the domain * Enterprise Admins Designated administrators of the enterprise * Schema Admins Designated administrators of the schema * DNS Admins DNS Administrators Group * DNS Update Proxy DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers) * Allowed RODC Password replication Group Members in this group can have their passwords replicated to all read-only domain controllers in the domain * Group Policy Creator Owners Members in this group can modify group policy for the domain * Denied RODC Password Replication Group Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain * Protected Users Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information. * Cert Publishers Members of this group are permitted to publish certificates to the directory * Read-Only Domain Controllers Members of this group are Read-Only Domain Controllers in the domain * Enterprise Read-Only Domain Controllers Members of this group are Read-Only Domain Controllers in the enterprise * Key Admins Members of this group can perform administrative actions on key objects within the domain. * Enterprise Key Admins Members of this group can perform administrative actions on key objects within the forest. * Cloneable Domain Controllers Members of this group that are domain controllers may be cloned. * RAS and IAS Servers Servers in this group can access remote access properties of users