# Commands to create AD environment

## Install AD Dependencies

### Windows Server Datacenter (GUI)

<figure><img src="/files/9d6zOfBdsKrKpJb4tDff" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X8CKCbSCudIbFtAO4Imt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sl8lnLT2SOFcOFU68BEU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ihdADkIzWqiPbnDu1Woc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gWVtAW6azN0B7LFiiV0T" alt=""><figcaption></figcaption></figure>

Click Next, then Install.

### Windows Server Standard (CLI)

Source: <https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c>

Install AD DS (Active Directory Domain Services):

```powershell
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```

Configure a new Forest:

```powershell
Import-Module ADDSDeployment
Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS
```

Verify installation:

```powershell
Get-Service adws,kdc,netlogon,dns
```

## Promote Server to Domain Controller (GUI)

<figure><img src="/files/MGxLkVXkEwHRDzDqqcTS" alt=""><figcaption></figcaption></figure>

Click on "Promote this server to a domain controller":

<figure><img src="/files/vUO1WerkzOgRnfmV4ytn" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OrboAwcaqX7oKRpBaOnJ" alt=""><figcaption><p>Domain name: freed-om-corp.com</p></figcaption></figure>

<figure><img src="/files/miOegloEkVSgDOR8ACTb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cuuwnkri5wHxvmMnjBoA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sskYbYcQvEym8A7d4y5k" alt=""><figcaption></figcaption></figure>

Install:

<figure><img src="/files/E7jlSfYTWMLealh0nEP1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GpsRKAa5ZZtiLtjhXrbp" alt=""><figcaption></figcaption></figure>

The server has been promoted to a Domain Controller, and authentication is now domain-based.

## Users

### Configure users, groups, machines...

```
Run from the start menu: Active Directory Users and Computers
```

### Get-ADUser (search users)

```powershell
Get-ADUser -Filter 'Name -like "*Paul*"'
Get-ADUser -Filter "Name -like '*Orion*'" -Properties *
```

```powershell
Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName

Name           SamAccountName
----           --------------
Mike Andrews   Jectle1984
Mike Rocha     Trequievery
Mike Rosa      Mans1990
Mike Blackmon  Stemodgme01
Joshua Mikels  Wifen1938
Mike Goodwin   Lovicher
Mike Dukes     Imosed
Mike Bynum     Barve1947
Mike Pritchard Pludenis
Mike O'Hare    mohare
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps>" %}

### New-ADUser (add user)

Create the user with `Active Directory Users and Computers` (from the start menu, inside a folder) or with PowerShell commands:

```powershell
New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'}
```

```powershell
Get-ADUser -Identity o.starchaser
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2022-ps>" %}

### Set-ADUser (update user info)

```powershell
Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto'
```

```powershell
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Andromeda
Name              : Andromeda Cepheus
ObjectClass       : user
ObjectGUID        : 300c377e-db3d-4da4-aabd-7235d69693ff
SamAccountName    : a.cepheus
SID               : S-1-5-21-3842939050-3880317879-2865463114-7604
Surname           : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress      :
[...]
mail              :
[...]
```

Let's update the Email:

```powershell
Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local'
```

```powershell
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
EmailAddress      : a.cepheus@inlanefreight.local
[...]
mail              : a.cepheus@inlanefreight.local
[...]
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-aduser?view=windowsserver2022-ps>" %}

### Remove-ADUser (remove user)

```powershell
Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName
```

```
Name             SamAccountName
----             --------------
Orion Starchaser Orion Starchaser
```

```powershell
Remove-ADUser -Identity 'Orion Starchaser'
```

<figure><img src="/files/Q6el7pKrOm0AsfkyQMXA" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/remove-aduser?view=windowsserver2022-ps>" %}

### Unlock-ADAccount (unlock user)

```powershell
Get-ADUser -Filter 'Name -like "*Masters*"'

DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Adam
Name              : Adam Masters
ObjectClass       : user
ObjectGUID        : 56d0f2af-e8a0-4d12-a910-c55257c702a2
SamAccountName    : amasters
SID               : S-1-5-21-3842939050-3880317879-2865463114-6108
Surname           : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
```

```powershell
Unlock-ADAccount -Identity 'amasters'
Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Set-ADUser -ChangePasswordAtLogon $true -Identity amasters
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/search-adaccount?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/unlock-adaccount?view=windowsserver2022-ps>" %}

### Update credentials

```powershell
Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose
```

### Change DoesNotRequirePreAuth Right

This account setting disables Kerberos pre-authentication for the user, which is what exposes the account to the AS-REP Roasting attack.

**GUI**:

Enable "Do not require Kerberos preauthentication":

<figure><img src="/files/xjJU8EohCsmEV5KGcWT7" alt=""><figcaption></figcaption></figure>

**CLI**:

We have a list of valid users:

<figure><img src="/files/ILUaHe38QQOvmWKXp3MW" alt=""><figcaption></figcaption></figure>

Does anyone have the DoesNotRequirePreAuth right?

```bash
python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/'
```

<figure><img src="/files/yH8ljaK5rkx55N13N3OH" alt=""><figcaption></figcaption></figure>

Nope.

Let's activate it...

```powershell
Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequirePreAuth
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true
```

<figure><img src="/files/62sITiRmviC1mXZQHBMV" alt=""><figcaption></figcaption></figure>

Again, does anyone have the DoesNotRequirePreAuth right?

<figure><img src="/files/YCDDbVbbwobGOEphSkTm" alt=""><figcaption></figcaption></figure>

Yeah, there is one!
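To keep track of this setting in the lab, the following added example (not part of the original page) lists every account with pre-authentication disabled, searches the DC's Security log for TGTs issued without pre-authentication, and reverts the change. It assumes an elevated session on the domain controller with Kerberos Authentication Service auditing enabled; the two function names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: list accounts whose userAccountControl has the
# DONT_REQ_PREAUTH bit (0x400000 = 4194304) set, using the LDAP bitwise-AND rule.
function Get-PreAuthDisabledAccount {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
               -Properties DoesNotRequirePreAuth, PasswordLastSet, MemberOf |
        Select-Object SamAccountName, Enabled, DoesNotRequirePreAuth, PasswordLastSet,
                      @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } }
}

# Hypothetical helper: find successful TGT requests (event 4768) logged with
# Pre-Authentication Type 0, i.e. the KDC answered without pre-authentication.
function Get-NoPreAuthTgtRequest {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['PreAuthType'] -eq '0' -and $data['Status'] -eq '0x0') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = $data['TargetUserName']
                Source     = $data['IpAddress']
                Encryption = $data['TicketEncryptionType']
            }
        }
    }
}

# Current exposure and recent evidence of it being used.
Get-PreAuthDisabledAccount | Format-Table -AutoSize
Get-NoPreAuthTgtRequest -Hours 24 | Format-Table -AutoSize

# Revert the lab account once the exercise is finished.
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $false
```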

## Computers

### Add-Computer (add a computer to a domain)

In the new computer we are going to execute:

```powershell
Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart
```

Or remotely:

```powershell
Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart
```

This opens a pop-up asking for the credentials of a Domain Admin (or, if the user already exists in the domain, we can enter that user's credentials instead of Administrator's).

<figure><img src="/files/85asGoM3i02z4TnN00oH" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1>" %}

### Move a computer to an OU

```powershell
Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

### Remove-Computer

```powershell
Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose
```

If that doesn't work, do it manually on the local computer:

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-computer?view=powershell-5.1>" %}

{% embed url="<https://learn.microsoft.com/en-us/answers/questions/1387592/remove-computer-from-domain-using-powershell>" %}

## Group Policy Object (GPO)

### Configure Group Policy Object with GUI

```
Run from the start menu: Group Policy Management
```

### Force any particular computer to sync its GPOs

```powershell
gpupdate /force
```

### Copy-GPO (copy/duplicate a GPO)

```powershell
Get-GPO -All | FT Displayname
```

```powershell
Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control'
```

<figure><img src="/files/Ov7rlfCMHUVWz13DRROd" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/grouppolicy/copy-gpo?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink?view=windowsserver2022-ps>" %}

{% embed url="<https://community.spiceworks.com/t/mass-link-gpos-using-powershell/1012467>" %}

### New-GPLink (link a GPO to an OU)

```powershell
New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
```

```powershell
Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
```

<figure><img src="/files/01YPc3DWiC0Oje5KoGdn" alt=""><figcaption></figcaption></figure>

## Organizational Unit (OU)

### Get-ADOrganizationalUnit (obtain OUs)

```powershell
Get-ADOrganizationalUnit -Filter 'Name -like "*"'
```

```powershell
Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
```

```powershell
Get-ADOrganizationalUnit -Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adorganizationalunit?view=windowsserver2022-ps>" %}

### Get members of an OU

```powershell
Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName

[...]
Andromeda Cepheus  CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Artemis Callisto   CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Orion Starchaser   CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
```

{% embed url="<https://activedirectorypro.com/how-to-list-ad-users-from-a-specific-ou/>" %}

### New-ADOrganizationalUnit (create an OU)

```powershell
New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

<figure><img src="/files/WEMgbQSpgGNNzA1gRyE7" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adorganizationalunit?view=windowsserver2022-ps>" %}

### Remove-ADOrganizationalUnit (remove an OU)

```powershell
Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/remove-adorganizationalunit?view=windowsserver2022-ps>" %}

{% embed url="<https://www.itprotoday.com/powershell/delete-a-protected-ou-using-powershell>" %}

### Move-ADObject (move an object such as a user or group to another OU)

```powershell
Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
```

```powershell
Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
```

{% embed url="<https://stackoverflow.com/questions/12712852/how-can-i-use-powershell-to-move-a-user-in-ad>" %}

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-adobject?view=windowsserver2022-ps>" %}

## Groups

### New-ADGroup (create a security group)

```powershell
New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU"
```

* **Security groups**: Use to assign permissions to shared resources.
* **Distribution groups**: Use to create email distribution lists.

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups>" %}

### Set-ADGroup (update group info)

```powershell
Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts'
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adgroup?view=windowsserver2022-ps>" %}

### Get-ADGroupMember (get members of a group)

```powershell
Get-ADGroupMember -Identity 'Security Analysts'
```

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adgroupmember?view=windowsserver2022-ps>" %}

### Add-ADGroupMember (add members to a group)

```powershell
Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus
Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto'
```

<figure><img src="/files/TfgsSvusAbrhmhoy51KS" alt=""><figcaption></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/activedirectory/add-adgroupmember?view=windowsserver2022-ps>" %}

## Shared Folders

### Create a shared folder

**GUI**:

<figure><img src="/files/cM9Zq2ciQFZ8FbU9zsyB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/f3BNJjSVPPYWHOLUfXv0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zrt8rX5O7h2pkZIYPv6J" alt=""><figcaption></figcaption></figure>

Check "Type a custom path", and create a folder.

<figure><img src="/files/2DaFJ8IyvPjMlkALhznN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rrYfUy5ZNODWoR9gNgHK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QFDMlH3J3ATpel6qgK9n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/irAvIeq2VLN6pp8ftM4h" alt=""><figcaption></figcaption></figure>

* Click on "Customize permissions"
* Give a user full access (for testing) to that folder

<figure><img src="/files/LR6LReIfkrjEOvzWYaJ9" alt=""><figcaption></figcaption></figure>

Click Create and we are done:

<figure><img src="/files/RHYkJmgUNjSKx1lq5lVT" alt=""><figcaption></figcaption></figure>

**CLI**:

```powershell
New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez"
```

<figure><img src="/files/qLOnm1AHbiNFgXdtutcm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LMEMSjQWCgjdYyPqeUsT" alt=""><figcaption></figcaption></figure>

And checking:

```bash
smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!'
```

<figure><img src="/files/GcbrPCENiqQ6iF5ZEUvu" alt=""><figcaption></figcaption></figure>
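The full-access grant above is only meant for testing. As an added example (not part of the original page), this reviews both the share ACL and the NTFS ACL of the `Pagos` share and replaces the Full grant with Change; it reuses the share name and account from the commands above and assumes an elevated session on the file server.

```powershell
# Values from the page's lab: share 'Pagos', user lanz.com\jose.lopez.
$share   = 'Pagos'
$account = 'lanz.com\jose.lopez'

# Access over SMB is limited by both the share ACL and the NTFS ACL
# (the more restrictive one wins), so review the two together.
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

(Get-Acl -Path (Get-SmbShare -Name $share).Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Replace the test-only Full grant with Change (read/write, no permission edits).
Revoke-SmbShareAccess -Name $share -AccountName $account -Force
Grant-SmbShareAccess  -Name $share -AccountName $account -AccessRight Change -Force

# Confirm: anything still listed here is a Full grant or a broad principal.
Get-SmbShareAccess -Name $share |
    Where-Object { $_.AccessRight -eq 'Full' -or $_.AccountName -match 'Everyone|Authenticated Users' }
```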


