Commands to create AD environment

Install AD Dependencies

Windows Server Datacenter (GUI)

Next and Install.

Windows Server Standard (CLI)

From here https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c

Install AD DS (Active Directory Domain Services):

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Configure a new Forest:

Import-Module ADDSDeployment
Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS

Verify installation:

Get-Service adws,kdc,netlogon,dns

Promote Server to Domain Controller (GUI)

Click on "Promote this server to a domain controller":

Domain name: freed-om-corp.com

Install:

The server has been promoted to a Domain Controller, and the authentication is now based in domain.

Users

Configure users, groups, machines...

Run from the start menu: Active Directory Users and Computers

Get-ADUser (search users)

Get-ADUser -Filter 'Name -like "*Paul*"'
Get-ADUser -Filter "Name -like '*Orion*'" -Properties *
Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName

Name           SamAccountName
----           --------------
Mike Andrews   Jectle1984
Mike Rocha     Trequievery
Mike Rosa      Mans1990
Mike Blackmon  Stemodgme01
Joshua Mikels  Wifen1938
Mike Goodwin   Lovicher
Mike Dukes     Imosed
Mike Bynum     Barve1947
Mike Pritchard Pludenis
Mike O'Hare    mohare
LogoGet-ADUser (ActiveDirectory)docsmsft

New-ADUser (add user)

Using the Active Directory Users and Computers from the start-menu and inside a folder or using PowerShell commands:

New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'}
Get-ADUser -Identity o.starchaser
LogoNew-ADUser (ActiveDirectory)MicrosoftLearn

Set-ADUser (update user info)

Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto'
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Andromeda
Name              : Andromeda Cepheus
ObjectClass       : user
ObjectGUID        : 300c377e-db3d-4da4-aabd-7235d69693ff
SamAccountName    : a.cepheus
SID               : S-1-5-21-3842939050-3880317879-2865463114-7604
Surname           : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress      :
[...]
mail              :
[...]

Let's update the Email:

Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local'
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
EmailAddress      : a.cepheus@inlanefreight.local
[...]
mail              : a.cepheus@inlanefreight.local
[...]
LogoSet-ADUser (ActiveDirectory)docsmsft

Remove-ADUser (remove user)

Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName
Name             SamAccountName
----             --------------
Orion Starchaser Orion Starchaser
Remove-ADUser -Identity 'Orion Starchaser'
LogoRemove-ADUser (ActiveDirectory)MicrosoftLearn

Unlock-ADAccount (unlock user)

Get-ADUser -Filter 'Name -like "*Masters*"'

DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Adam
Name              : Adam Masters
ObjectClass       : user
ObjectGUID        : 56d0f2af-e8a0-4d12-a910-c55257c702a2
SamAccountName    : amasters
SID               : S-1-5-21-3842939050-3880317879-2865463114-6108
Surname           : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
Unlock-ADAccount -Identity 'amasters'
Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Set-ADUser -ChangePasswordAtLogon $true -Identity amasters
LogoSearch-ADAccount (ActiveDirectory)MicrosoftLearn
LogoUnlock-ADAccount (ActiveDirectory)MicrosoftLearn

Update credentials

Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose

Change DoesNotRequirePreAuth Right

This permission is used in Kerberos and is related to ASREP-Roast attack.

GUI:

Enable "Do not require Kerberos preauthentication":

CLI:

We have a list of valid users:

Does anyone have the DoesNotRequirePreAuth right?

python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/'

Nop.

Let's activate it...

Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequierePreAuth
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true

Again, does anyone have the DoesNotRequirePreAuth right?

Yeah, there is one!

Computers

Add-Computer (add a computer to a domain)

In the new computer we are going to execute:

Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart

Or remotely:

Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart

It will generate a pop-up to input credentials of a Domain Admin (or if the user is already created in the Domain, we can set the user credentials instead of Administrator).

LogoAdd-Computer (Microsoft.PowerShell.Management) - PowerShellMicrosoftLearn

Move a computer to an OU

Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

Remove-Computer

Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose

If doesn't work, do it manually in the local computer:

LogoRemove-Computer (Microsoft.PowerShell.Management) - PowerShelldocsmsft
LogoRemove computer from domain using powershell - Microsoft Q&AMicrosoftLearn

Group Policy Object (GPO)

Configure Group Policy Object with GUI

Run from the start menu: Group Policy Management

Force any particular computer to sync its GPOs

gpupdate /force

Copy-GPO (copy/duplicate a GPO)

Get-GPO -All | FT Displayname
Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control'
LogoCopy-GPO (GroupPolicy)MicrosoftLearn
LogoNew-GPLink (GroupPolicy)MicrosoftLearn
LogoMass-link GPOs using PowerShellSpiceworks Community

New-GPLink (link a GPO to an OU)

New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes

Organization Unit (OU)

Get-ADOrganizationUnit (obtain OUs)

Get-ADOrganizationalUnit -Filter 'Name -like "*"'
Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
Get-ADOrganizationalUnit -Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
LogoGet-ADOrganizationalUnit (ActiveDirectory)MicrosoftLearn

Get members of an OU

Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName

[...]
Andromeda Cepheus  CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Artemis Callisto   CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Orion Starchaser   CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LogoHow to List AD Users from a Specific OUActive Directory Pro

New-ADOrganizationUnit (create an OU)

New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
LogoNew-ADOrganizationalUnit (ActiveDirectory)MicrosoftLearn

Remove-ADOrganizationUnit (remove an OU)

Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false
LogoRemove-ADOrganizationalUnit (ActiveDirectory)MicrosoftLearn
LogoDelete a protected OU using PowerShell

Move-ADObject (to move an object (user, group, etc) to another OU)

Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
LogoHow can I use PowerShell to move a user in AD?Stack Overflow
LogoMove-ADObject (ActiveDirectory)MicrosoftLearn

Groups

New-ADGroup (create a security group)

New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU"

  • Security groups: Use to assign permissions to shared resources.

  • Distribution groups: Use to create email distribution lists.

LogoNew-ADGroup (ActiveDirectory)docsmsft
LogoActive Directory security groupsdocsmsft

Set-ADGroup (update group info)

Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts'
LogoSet-ADGroup (ActiveDirectory)MicrosoftLearn

Get-ADGroupMember (get members of a group)

Get-ADGroupMember -Identity 'Security Analysts'
LogoGet-ADGroupMember (ActiveDirectory)MicrosoftLearn

Add-ADGroupMember (add members to a group)

Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus
Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto'
LogoAdd-ADGroupMember (ActiveDirectory)docsmsft

Shared Folders

Create a shared folder

GUI:

Check "Type a custom path", and create a folder.

  • Click on "Customize permissions"

  • And set a user with full access (for test) over that folder

Create and we done:

CLI:

New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez"

And checking:

smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!'
PreviousActive Directory MethodologyNextAttacks

Last updated