Active Directory Security - Reconnaissance

Huriye Özdemir
4 min readMar 14, 2022

Hi security enthusiasts! I created this article from my active directory study notes. Following this post, I plan to publish a series of articles covering active directory attack types.

Active Directory Basics

Important notes about some components of Active Directory:

Active Directory data store : C:\Windows\NTDS\ntds.dit

Domain Controllers:

  • Every DC hosts NTDS.dit, LDAP, KDC etc.
  • Multiple DCs for redundancy
  • Every DC can write the AD database. (changes are synced)

Forest: One or more domains. These domains can also have child domains.

Organizational Units (OU) : It’s like folders in a file system.

Sites : The purpose of the Site is to create multiple DC machines to reduce traffic and create fault tolerance. If one DC machine is damaged, the others are left in reserve. Each region will have access to the nearest DC and thus the traffic will decrease.

Group Policy:

  • GPs are managed from a central console.
  • GPs turn into registry key on the target computer.
  • There is Group Policy Client that checks the changes on every Windows computer.
  • Sysvol contains GPs (just readable for all domain users) : \\DOMAINNAME\SYSVOL\DOMAINNAME\Policies

Replication: Synchronization of DC machines in different Sites/ a Site. It is implemented with a protocol called RPC over IP.

Active Directory Lab Setup

I used cfalta’s adsec repository to setup my active directory domain on premise ( on my own laptop)

Many thanks to cfalta for this impressive repository:

Repository :

Lab Setup Guide :

After the installation, you should have the following virtual machines:

Then complete the following steps mentioned in the guide:

2. Prepare domain

3. Prepare member server

4. Prepare attacker vm

If you are ready, let’s start with the first exercise!




Get-Domain : General information about the domain.

Get-DomainController : General information about the domain controller.

Other commands to get some specific information from the domain.

Get-DomainComputer | select samaccountname, dnshostname, whencreated | Format-Table

Get-DomainUser | ? {$_.memberof -like "*Domain Admins*"}

Get-DomainUser | ? {$_.memberof -like "*Domain Admins*"} | select samaccountname

Get-DomainGroup | ? { $_.distinguishedname -notlike “*CN=Users*” -and $_.distinguishedname -notlike “*CN=Builtin*”} | select samaccountname,description

Reconnaissance Exercices

How many computers are in the domain and what OS are they running on?

2 — Windows

How many user objects are in the domain? Write a powershell query to list all user in table form showing only the attributes samaccountname, displayname, description and last password change.

Get-DomainUser | select samaccountname, distinguishedname, description, pwdlastset | Format-Table

Can you identify any custom admin groups? Change the powershell query above in a generic way so it only returns custom admin groups.

Helpdesk Admins

Get-DomainGroup | ? {$_.memberof -like “*Domain Admins*”} | select samaccountname,description

Who is a member of the custom admin group you found and when was his password last set?

bwillis — 12/23/2021

Get-DomainUser | ? {$_.memberof -like “Helpdesk Admins”} | select pwdlastset | Format-Table

Think of simple ways to identify service accounts in the domain? Write a powershell query that lists all service accounts based on the pattern you came up with.

Get-DomainUser | ? {$_.distinguishedname -like “ServiceAccounts”}



Huriye Özdemir

Senior Cybersecurity Consultant | Artist — Instagram: @art.lady.bug