All About Users
User and Machine Accounts
Local Accounts
Local accounts are stored locally on a particular server or workstation. Local user accounts considered security principals but can only manage access to and secure resouces on a standalone host. There are several default local user accounts that are created on a Windows system:
Administrator- This account has the SIDS-1-5-domain-500and is the first account created with a new Windows installation. It has full control over almost every resource on the system.Guest- This account is disabled by default. The purpose of this account is to allow users without an account on the computer to log in temporarily with limited access rights.SYSTEM- The SYSTEM(orNT AUTHORITY\SYSTEM) account on a Windows host is the default account installed and used by the operating system to perform many of its internal functionas.
A SYSTEM account is the highest permission level on can achieve on a Windows host.
Network Service- This is a predefined local account used by the Service Control Manager (SCM) for running Windows services. When a service runs in the context of this particular account, it will present credentials to remote services.Local Service- This is a predefined local account used by the Service Control Manager (SCM) for running Windows services. It is configured with minimal privileges on the computer and presents anonymous credentials to the network.
Domain Users
Domain users differ from local users in that they are granted rights from the domain to access resources such as file servers, printers, intranet hosts, and other objects based on the permissions granted to their user account or the group that account is a member of.
User Naming Attributes
Few important Naming Attributes in AD:
| Field | Description |
|---|---|
| UserPrincipalName (UPN) | The primary logon name for the user. By convention, the UPN uses the user’s email address. |
| ObjectGUID | A globally unique identifier for the user. The ObjectGUID never changes and remains unique even if the user is deleted or moved. |
| SAMAccountName | A legacy logon name used by older Windows clients and servers. |
| objectSID | The user’s Security Identifier (SID). This identifies the user and determines group memberships during security operations. |
| sIDHistory | Stores previous SIDs for a user object when it’s migrated from another domain. After migration, the old SID is added to sIDHistory, and the new one becomes the active objectSID. |
Common User Attributes
PS C:\htb Get-ADUser -Identity htb-student
DistinguishedName : CN=htb student,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : htb
Name : htb student
ObjectClass : user
ObjectGUID : aa799587-c641-4c23-a2f7-75850b4dd7e3
SamAccountName : htb-student
SID : S-1-5-21-3842939050-3880317879-2865463114-1111
Surname : student
UserPrincipalName : [email protected]Active Directory Groups
Groups are another significant object in Active Directory. They can place similar users together and mass assign rights and access.
Types of Groups
| Group Type | Purpose |
|---|---|
| Security Groups | Used to assign permissions to shared resources (files, folders, printers, etc.) or delegate administrative rights. Security groups can also be used in ACLs. |
| Distribution Groups | Used for email distribution lists. They cannot be assigned permissions — only used for messaging and collaboration (mainly with Exchange). |
Types of Group Scopes
| Group Scope | Can Contain | Can Be Used To Assign Permissions In | Typical Use Case |
|---|---|---|---|
| Domain Local | Users, groups, and computers from any domain | The same domain where the group exists | Assign permissions to resources (like folders or printers) within the same domain. |
| Global | Users, groups, and computers from the same domain | Any domain in the forest or trusted domains | Typically used to group users with similar job functions. |
| Universal | Users, groups, and computers from any domain in the forest | Any domain in the forest | Used to consolidate global groups from multiple domains for forest-wide access control. |
Important Group Attributes
| Attribute | Description |
|---|---|
| cn (Common Name) | The name of the group in Active Directory Domain Services. |
| member | Lists which user, group, and contact objects are members of the group. |
| groupType | An integer that specifies the group’s type and scope. |
| memberOf | Lists any groups that contain this group as a member (nested group membership). |
| objectSid | The security identifier (SID) of the group — a unique value used to identify the group as a security principal. |
Active Directory Rights and Privileges
Built-in AD Groups
AD contains many default or built-in security groups, some of which grant their members powerful rights and privileges which can be abused to escalate privileges within a domain and ultimately gain Domain Admin or SYSTEM privileges on a Domain Controller (DC).
| Group Name | Description (Simplified) |
|---|---|
| Account Operators | Can create and manage most user and group accounts, but not admin ones. |
| Administrators | Full control over the computer or domain. |
| Backup Operators | Can back up and restore files; also access sensitive system data. |
| DnsAdmins | Manage DNS settings and records. |
| Domain Admins | Full control over the entire domain; local admin on all joined machines. |
| Domain Computers | Includes all computers in the domain except DCs. |
| Domain Controllers | Contains all domain controllers. |
| Domain Guests | Includes the built-in Guest account; limited permissions. |
| Domain Users | All user accounts in the domain are part of this group. |
| Enterprise Admins | Full control across the entire forest; can create domains or trusts. |
| Event Log Readers | Can read event logs on domain computers. |
| Group Policy Creator Owners | Can create and manage Group Policy Objects (GPOs). |
| Hyper-V Administrators | Full control of Hyper-V; access to virtual machines. |
| IIS_IUSRS | Used by IIS web services for permissions and access. |
| Pre–Windows 2000 Compatible Access | Legacy group allowing old systems to read AD data; often insecure. |
| Print Operators | Manage printers and printer objects; can log into DCs. |
| Protected Users | Members have extra protection against credential theft. |
| Read-only Domain Controllers | Contains all RODCs in the domain. |
| Remote Desktop Users | Can connect to systems via Remote Desktop (RDP). |
| Remote Management Users | Can remotely manage systems using WinRM. |
| Schema Admins | Can change the AD schema (structure of objects). |
| Server Operators | Can manage services and shares on domain controllers. |
User Rights Assignment
Depending on their current group membership, and other factors such as privileges that administrators can assign via Group Policy (GPO), users can have various rights assigned to their account.
| Privilege | Description |
|---|---|
| SeRemoteInteractiveLogonRight | Allows logging on via Remote Desktop (RDP). Can provide interactive access to a host. |
| SeBackupPrivilege | Lets a user back up and read system files regardless of ACLs (can expose SAM, SYSTEM, NTDS.dit). |
| SeDebugPrivilege | Allows debugging/inspecting any process (can be used to read LSASS and steal credentials). |
| SeImpersonatePrivilege | Lets a process impersonate other tokens (can be abused to escalate to SYSTEM). |
| SeLoadDriverPrivilege | Permits loading/unloading kernel drivers (can be used to run malicious drivers or escalate). |
| SeTakeOwnershipPrivilege | Allows taking ownership of objects/files, bypassing ACLs to gain access. |
Viewing a User’s Privileges
Standard Domain User’s Rights
PS C:\htb> whoami /privDomain Admin Rights Non-Elevated
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone DisabledDomain Admin Rights Elevated
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session DisabledBackup Operator Rights
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled