> For the complete documentation index, see [llms.txt](https://lanzt.gitbook.io/cheatsheet-pentest/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lanzt.gitbook.io/cheatsheet-pentest/windows-things/active-directory-methodology/commands-to-create-ad-environment.md).

# Commands to create AD environment

## Install AD Dependencies

### Windows Server Datacenter (GUI)

<figure><img src="/files/9d6zOfBdsKrKpJb4tDff" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X8CKCbSCudIbFtAO4Imt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sl8lnLT2SOFcOFU68BEU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ihdADkIzWqiPbnDu1Woc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gWVtAW6azN0B7LFiiV0T" alt=""><figcaption></figcaption></figure>

Next and Install.

### Windows Server Standard (CLI)

From here <https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c>

Install AD DS (Active Directory Domain Services):

```powershell
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```

Configure a new Forest:

```powershell
Import-Module ADDSDeployment
Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS
```

Verify installation:

```powershell
Get-Service adws,kdc,netlogon,dns
```

## Promote Server to Domain Controller (GUI)

<figure><img src="/files/MGxLkVXkEwHRDzDqqcTS" alt=""><figcaption></figcaption></figure>

Click on "Promote this server to a domain controller":

<figure><img src="/files/vUO1WerkzOgRnfmV4ytn" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OrboAwcaqX7oKRpBaOnJ" alt=""><figcaption><p>Domain name: freed-om-corp.com</p></figcaption></figure>

<figure><img src="/files/miOegloEkVSgDOR8ACTb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cuuwnkri5wHxvmMnjBoA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sskYbYcQvEym8A7d4y5k" alt=""><figcaption></figcaption></figure>

Install:

<figure><img src="/files/E7jlSfYTWMLealh0nEP1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GpsRKAa5ZZtiLtjhXrbp" alt=""><figcaption></figcaption></figure>

The server has been promoted to a Domain Controller, and the authentication is now based in domain.

## Users

### Configure users, groups, machines...

```
Run from the start menu: Active Directory Users and Computers
```

### Get-ADUser (search users)

```powershell
Get-ADUser -Filter 'Name -like "*Paul*"'
Get-ADUser -Filter "Name -like '*Orion*'" -Properties *
```

```powershell
Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName

Name           SamAccountName
----           --------------
Mike Andrews   Jectle1984
Mike Rocha     Trequievery
Mike Rosa      Mans1990
Mike Blackmon  Stemodgme01
Joshua Mikels  Wifen1938
Mike Goodwin   Lovicher
Mike Dukes     Imosed
Mike Bynum     Barve1947
Mike Pritchard Pludenis
Mike O'Hare    mohare
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps>" %}

### New-ADUser (add user)

Using the `Active Directory Users and Computers` from the start-menu and inside a folder or using PowerShell commands:

```powershell
New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'}
```

```powershell
Get-ADUser -Identity o.starchaser
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2022-ps>" %}

### Set-ADUser (update user info)

```powershell
Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto'
```

```powershell
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Andromeda
Name              : Andromeda Cepheus
ObjectClass       : user
ObjectGUID        : 300c377e-db3d-4da4-aabd-7235d69693ff
SamAccountName    : a.cepheus
SID               : S-1-5-21-3842939050-3880317879-2865463114-7604
Surname           : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress      :
[...]
mail              :
[...]
```

Let's update the Email:

```powershell
Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local'
```

<pre class="language-powershell"><code class="lang-powershell"><strong>Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *
</strong>
[...]
EmailAddress      : a.cepheus@inlanefreight.local
[...]
mail              : a.cepheus@inlanefreight.local
[...]
</code></pre>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-aduser?view=windowsserver2022-ps>" %}

### Remove-ADUser (remove user)

```powershell
Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName
```

```
Name             SamAccountName
----             --------------
Orion Starchaser Orion Starchaser
```

```powershell
Remove-ADUser -Identity 'Orion Starchaser'
```

<figure><img src="/files/Q6el7pKrOm0AsfkyQMXA" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/remove-aduser?view=windowsserver2022-ps>" %}

### Unlock-ADAccount (unlock user)

```powershell
Get-ADUser -Filter 'Name -like "*Masters*"'

DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Adam
Name              : Adam Masters
ObjectClass       : user
ObjectGUID        : 56d0f2af-e8a0-4d12-a910-c55257c702a2
SamAccountName    : amasters
SID               : S-1-5-21-3842939050-3880317879-2865463114-6108
Surname           : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
```

```powershell
Unlock-ADAccount -Identity 'amasters'
Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Set-ADUser -ChangePasswordAtLogon $true -Identity amasters
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/search-adaccount?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/unlock-adaccount?view=windowsserver2022-ps>" %}

### Update credentials

```powershell
Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose
```

### Change DoesNotRequirePreAuth Right

This permission is used in Kerberos and is related to ASREP-Roast attack.

**GUI**:

Enable "Do not require Kerberos preauthentication":

<figure><img src="/files/xjJU8EohCsmEV5KGcWT7" alt=""><figcaption></figcaption></figure>

**CLI**:

We have a list of valid users:

<figure><img src="/files/ILUaHe38QQOvmWKXp3MW" alt=""><figcaption></figcaption></figure>

Does anyone have the DoesNotRequirePreAuth right?

```bash
python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/'
```

<figure><img src="/files/yH8ljaK5rkx55N13N3OH" alt=""><figcaption></figcaption></figure>

Nop.

Let's activate it...

```powershell
Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequierePreAuth
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true
```

<figure><img src="/files/62sITiRmviC1mXZQHBMV" alt=""><figcaption></figcaption></figure>

Again, does anyone have the DoesNotRequirePreAuth right?

<figure><img src="/files/YCDDbVbbwobGOEphSkTm" alt=""><figcaption></figcaption></figure>

Yeah, there is one!

## Computers

### Add-Computer (add a computer to a domain)

In the new computer we are going to execute:

```powershell
Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart
```

Or remotely:

```powershell
Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart
```

It will generate a pop-up to input credentials of a Domain Admin (or if the user is already created in the Domain, we can set the user credentials instead of Administrator).

<figure><img src="/files/85asGoM3i02z4TnN00oH" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1>" %}

### Move a computer to an OU

```powershell
Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

### Remove-Computer

```powershell
Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose
```

If doesn't work, do it manually in the local computer:

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-computer?view=powershell-5.1>" %}

{% embed url="<https://learn.microsoft.com/en-us/answers/questions/1387592/remove-computer-from-domain-using-powershell>" %}

## Group Policy Object (GPO)

### Configure Group Policy Object with GUI

```
Run from the start menu: Group Policy Management
```

### Force any particular computer to sync its GPOs

```powershell
gpupdate /force
```

### Copy-GPO (copy/duplicate a GPO)

```powershell
Get-GPO -All | FT Displayname
```

```powershell
Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control'
```

<figure><img src="/files/Ov7rlfCMHUVWz13DRROd" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/grouppolicy/copy-gpo?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink?view=windowsserver2022-ps>" %}

{% embed url="<https://community.spiceworks.com/t/mass-link-gpos-using-powershell/1012467>" %}

### New-GPLink (link a GPO to an OU)

```powershell
New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
```

```powershell
Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
```

<figure><img src="/files/01YPc3DWiC0Oje5KoGdn" alt=""><figcaption></figcaption></figure>

## Organization Unit (OU)

### Get-ADOrganizationUnit (obtain OUs)

```powershell
Get-ADOrganizationalUnit -Filter 'Name -like "*"'
```

```powershell
Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
```

```powershell
Get-ADOrganizationalUnit -Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adorganizationalunit?view=windowsserver2022-ps>" %}

### Get members of an OU

```powershell
Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName

[...]
Andromeda Cepheus  CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Artemis Callisto   CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Orion Starchaser   CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
```

{% embed url="<https://activedirectorypro.com/how-to-list-ad-users-from-a-specific-ou/>" %}

### New-ADOrganizationUnit (create an OU)

```powershell
New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

<figure><img src="/files/WEMgbQSpgGNNzA1gRyE7" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adorganizationalunit?view=windowsserver2022-ps>" %}

### Remove-ADOrganizationUnit (remove an OU)

```powershell
Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/remove-adorganizationalunit?view=windowsserver2022-ps>" %}

{% embed url="<https://www.itprotoday.com/powershell/delete-a-protected-ou-using-powershell>" %}

### Move-ADObject (to move an object (user, group, etc) to another OU)

```powershell
Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
```

```powershell
Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

{% embed url="<https://stackoverflow.com/questions/12712852/how-can-i-use-powershell-to-move-a-user-in-ad>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-adobject?view=windowsserver2022-ps>" %}

## Groups

### New-ADGroup (create a security group)

```powershell
New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU"
```

* **Security groups**: Use to assign permissions to shared resources.
* **Distribution groups**: Use to create email distribution lists.

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups>" %}

### Set-ADGroup (update group info)

```powershell
Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts'
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adgroup?view=windowsserver2022-ps>" %}

### Get-ADGroupMember (get members of a group)

```powershell
Get-ADGroupMember -Identity 'Security Analysts'
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adgroupmember?view=windowsserver2022-ps>" %}

### Add-ADGroupMember (add members to a group)

```powershell
Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus
Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto'
```

<figure><img src="/files/TfgsSvusAbrhmhoy51KS" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/add-adgroupmember?view=windowsserver2022-ps>" %}

## Shared Folders

### Create a shared folder

**GUI**:

<figure><img src="/files/cM9Zq2ciQFZ8FbU9zsyB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/f3BNJjSVPPYWHOLUfXv0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zrt8rX5O7h2pkZIYPv6J" alt=""><figcaption></figcaption></figure>

Check "Type a custom path", and create a folder.

<figure><img src="/files/2DaFJ8IyvPjMlkALhznN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rrYfUy5ZNODWoR9gNgHK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QFDMlH3J3ATpel6qgK9n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/irAvIeq2VLN6pp8ftM4h" alt=""><figcaption></figcaption></figure>

* Click on "Customize permissions"
* And set a user  with full access (for test) over that folder

<figure><img src="/files/LR6LReIfkrjEOvzWYaJ9" alt=""><figcaption></figcaption></figure>

Create and we done:

<figure><img src="/files/RHYkJmgUNjSKx1lq5lVT" alt=""><figcaption></figcaption></figure>

**CLI**:

```powershell
New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez"
```

<figure><img src="/files/qLOnm1AHbiNFgXdtutcm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LMEMSjQWCgjdYyPqeUsT" alt=""><figcaption></figcaption></figure>

And checking:

```bash
smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!'
```

<figure><img src="/files/GcbrPCENiqQ6iF5ZEUvu" alt=""><figcaption></figcaption></figure>
