This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

AD Objects

User Objects

User accounts represent people who need access to network resources.

User Account Types:

Regular User Accounts:

  • Standard employee accounts for daily work

  • Limited privileges by default

  • Subject to password policies and restrictions

Administrative Accounts:

  • Elevated privileges for system management

  • Should be separate from regular user accounts

  • Require enhanced security measures

Service Accounts:

  • Used by applications and services for authentication

  • Often have "logon as a service" rights

  • May have elevated privileges for specific functions

System Accounts:

  • Built-in accounts like SYSTEM and LOCAL SERVICE

  • Used by Windows components and services

  • Cannot be deleted or significantly modified

Key User Attributes:

  • sAMAccountName: Pre-Windows 2000 logon name

  • userPrincipalName: Modern logon name in user@domain form (looks like an email address)

  • distinguishedName: Complete LDAP path to the object

  • objectSID: Unique security identifier

  • memberOf: Groups the user belongs to

  • lastLogon: Time of the last successful authentication, as recorded by the domain controller that handled it (this attribute is not replicated between domain controllers)

Computer Objects

Computer accounts represent domain-joined machines and enable them to participate in domain authentication and receive Group Policy.

Computer Account Functions:

  • Machine Authentication: Computers authenticate to the domain using their own machine account

  • Secure Channel: Maintains encrypted communication with domain controllers

  • Group Policy Reception: Computers receive and apply computer policies

  • Resource Access: Machine accounts can access domain resources

Computer Account Security:

  • Machine account passwords are rotated automatically every 30 days by default

  • Computer accounts can be members of security groups

  • Local admins on a computer can extract that computer's machine account credentials

Group Objects

Groups enable efficient permission management by allowing assignment of permissions to collections of users.

Group Types:

  • Security Groups:

    • Used for permission assignment and access control

    • Can contain users, computers, and other groups

    • Appear in access control lists (ACLs)

  • Distribution Groups:

    • Used for email distribution lists

    • No security functions

    • Cannot be assigned permissions

Group Scopes:

  • Domain Local Groups:

    • Membership: Can contain principals from any domain in the forest

    • Usage: Can only be assigned permissions within its own domain

    • Purpose: Assign permissions to domain resources

  • Global Groups:

    • Membership: Can only contain principals from the same domain

    • Usage: Can be assigned permissions anywhere in the forest

    • Purpose: Organize users by role or department

  • Universal Groups:

    • Membership: Can contain principals from any domain in the forest

    • Usage: Can be assigned permissions anywhere in the forest

    • Purpose: Cross-domain group membership (requires Global Catalog)

Built-in Administrative Groups:

  • Domain Admins:

    • Complete administrative control over the domain

    • The group is placed in the local Administrators group of every domain-joined computer by default

    • Highest level of domain privileges

  • Enterprise Admins:

    • Forest-wide administrative privileges

    • Can modify forest-level configuration

    • Only exists in the forest root domain

  • Schema Admins:

    • Can modify Active Directory schema

    • Extremely powerful permissions

    • Should have minimal membership

Service Principal Names (SPNs)

SPNs uniquely identify service instances for Kerberos authentication:

  • Format: service/hostname:port (the port is omitted when the service listens on its default port)

  • Examples: HTTP/webserver.company.com, MSSQLSvc/dbserver.company.com:1433

  • Required for Kerberos authentication to services

  • Can be automatically or manually registered
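As an added example (not part of the original guide), the following Python parser splits an SPN into the parts described above and then checks a set of accounts for the same SPN registered more than once, a misconfiguration that makes Kerberos authentication to that service fail. The account names and SPNs are constructed sample data; it assumes the full SPN syntax serviceclass/host[:port][/servicename].

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# SPN syntax as registered in AD: serviceclass/host[:port][/servicename].
SPN_RE = re.compile(r"^(?P<service>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^/]+))?$")

@dataclass(frozen=True)
class Spn:
    service: str
    host: str
    port: Optional[int]
    name: Optional[str]

def parse_spn(raw: str) -> Spn:
    """Split an SPN into its parts, normalised so case differences cannot hide duplicates."""
    m = SPN_RE.match(raw.strip())
    if not m:
        raise ValueError(f"malformed SPN: {raw!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {raw!r}")
    # Kerberos compares the service class and host case-insensitively.
    return Spn(m["service"].upper(), m["host"].lower(), port, m["name"])

def is_valid_spn(raw: str) -> bool:
    try:
        parse_spn(raw)
        return True
    except ValueError:
        return False

def find_duplicate_spns(accounts: dict[str, list[str]]) -> dict[Spn, list[str]]:
    """Return every SPN registered on more than one account, with the accounts holding it."""
    owners: dict[Spn, set[str]] = defaultdict(set)
    for account, spns in accounts.items():
        for raw in spns:
            owners[parse_spn(raw)].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

# Constructed sample data: computer accounts (trailing $) and service accounts.
SAMPLE_ACCOUNTS = {
    "WEBSERVER$": ["HTTP/webserver.company.com", "HOST/webserver.company.com"],
    "svc_web": ["http/WEBSERVER.company.com"],  # same SPN as above, different case
    "svc_sql": ["MSSQLSvc/dbserver.company.com:1433"],
    "DBSERVER$": ["HOST/dbserver.company.com"],
}
```

To audit a real directory, replace SAMPLE_ACCOUNTS with each account's servicePrincipalName values exported from AD.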
