Internal Network & Active Directory · beginner · ~10 min

AD objects: users, groups, computers, and OUs

Identify the objects you enumerate and the high-value groups.

Overview

AD objects are users, groups, computers, and OUs, each with attributes. Enumeration finds high-value group membership (Domain/Enterprise Admins and 'almost-admin' groups) and risky account flags (SPNs, no pre-auth, password-never-expires) — the map for every later attack.

Why it matters

Almost every AD attack path starts from enumerating objects and their attributes: who's privileged, which accounts are misconfigured, and where credentials leak (e.g. the description field). It's reconnaissance that directly reveals escalation routes.

Core concepts

  • Object types. Users, groups (transitive nesting), computers, OUs.
  • Crown groups. Domain/Enterprise Admins; almost-admin groups (Backup/Account Operators, DnsAdmins).
  • Risky flags. SPN set, no Kerberos pre-auth, password-never-expires.
  • Leaks. Description fields, GPO files.

Lesson

Active Directory stores everything as objects with attributes. Enumerating them is the first move once you can query the directory.

The object types

  • Users — accounts with attributes: username, group memberships, description (which sometimes holds passwords), servicePrincipalName, last logon, and flags such as "password never expires".
  • Groups — collections granting rights. Nesting matters: membership is transitive.
  • Computers — every domain-joined machine is an object (with its own account).
  • Organisational Units (OUs) — containers for structure and Group Policy targeting.

High-value groups to hunt

  • Domain Admins / Enterprise Admins — full domain/forest control (the goal).
  • Administrators (on the DC) — equivalent to the above.
  • Account Operators, Backup Operators, DnsAdmins, Server Operators — "almost admin" groups with known escalation tricks.
  • Service accounts — often over-privileged and protected by weak passwords.

What enumeration yields

Enumeration shows who is in the powerful groups, which accounts have risky flags (Kerberos pre-auth disabled, SPNs set, "password never expires"), and where credentials might be exposed (the description field, GPO files). This map drives every later attack. Tools query AD over LDAP (next lesson).
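
An added example, not part of the original lesson: a defender-side audit in Python over a constructed export of directory objects that resolves nested membership of the high-value groups and decodes the risky flags listed above. The object names, the simplified `member`, `spn` and `uac` fields and the helpers `effective_members`, `risky_flags` and `audit` are assumptions for illustration; the userAccountControl bit values are the documented ones.

```python
import re
NORMAL, NO_EXPIRE, NO_PREAUTH = 0x200, 0x10000, 0x400000  # userAccountControl bits
HIGH_VALUE = ["Domain Admins", "Enterprise Admins", "Administrators",
              "Account Operators", "Backup Operators", "DnsAdmins", "Server Operators"]
SECRET_HINT = re.compile(r"\b(pass(word)?|pwd)\b", re.I)
# Constructed sample export; real `member` values are DNs, short names are used here.
OBJECTS = {
    "Domain Admins": {"type": "group", "member": ["IT-Leads", "alice"]},
    "IT-Leads": {"type": "group", "member": ["bob", "Helpdesk-T2"]},
    "Helpdesk-T2": {"type": "group", "member": ["IT-Leads", "carol"]},  # circular nesting
    "DnsAdmins": {"type": "group", "member": ["svc-sql"]},
    "alice": {"type": "user", "uac": NORMAL},
    "bob": {"type": "user", "uac": NORMAL | NO_PREAUTH},
    "carol": {"type": "user", "uac": NORMAL, "description": "temp pwd: Example123!"},
    "svc-sql": {"type": "user", "uac": NORMAL | NO_EXPIRE, "spn": ["MSSQLSvc/db01.example.test"]},
    "dave": {"type": "user", "uac": NORMAL},
}

def effective_members(group, objects, seen=None):
    """Users in `group` through any depth of nesting; tolerates nesting loops."""
    seen = {group} if seen is None else seen
    users = set()
    for name in objects[group].get("member", []):
        if name in seen:
            continue
        seen.add(name)
        is_group = objects[name]["type"] == "group"
        users |= effective_members(name, objects, seen) if is_group else {name}
    return users

def risky_flags(attrs):
    """Decode the account settings the lesson lists as risky."""
    uac = attrs.get("uac", 0)
    checks = [("no-preauth", uac & NO_PREAUTH),
              ("password-never-expires", uac & NO_EXPIRE),
              ("spn-set", attrs.get("spn")),
              ("secret-in-description", SECRET_HINT.search(attrs.get("description", "")))]
    return [label for label, hit in checks if hit]

def audit(objects):
    """Map each user needing review to its high-value groups and risky flags."""
    members = {g: effective_members(g, objects) for g in HIGH_VALUE if g in objects}
    report = {}
    for name, attrs in objects.items():
        groups = [g for g, users in members.items() if name in users]
        flags = risky_flags(attrs) if attrs["type"] == "user" else []
        if groups or flags:
            report[name] = {"groups": groups, "flags": flags}
    return report
```

Running `audit(OBJECTS)` lists carol as a Domain Admins member even though she only belongs to a group two levels down, which is the kind of finding a flat membership listing misses.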

Summary

AD is a database of users/groups/computers/OUs; enumerating membership and attributes exposes privileged accounts, misconfigured flags, and leaked credentials — the foundation map for Kerberoasting, spraying, and path-finding.