All About Users


User and Machine Accounts

Local Accounts

Local accounts are stored locally on a particular server or workstation. Local user accounts considered security principals but can only manage access to and secure resouces on a standalone host. There are several default local user accounts that are created on a Windows system:

  • Administrator - This account has the SID S-1-5-domain-500 and is the first account created with a new Windows installation. It has full control over almost every resource on the system.

  • Guest - This account is disabled by default. The purpose of this account is to allow users without an account on the computer to log in temporarily with limited access rights.

  • SYSTEM - The SYSTEM(or NT AUTHORITY\SYSTEM) account on a Windows host is the default account installed and used by the operating system to perform many of its internal functionas.

A SYSTEM account is the highest permission level on can achieve on a Windows host.

  • Network Service - This is a predefined local account used by the Service Control Manager (SCM) for running Windows services. When a service runs in the context of this particular account, it will present credentials to remote services.

  • Local Service - This is a predefined local account used by the Service Control Manager (SCM) for running Windows services. It is configured with minimal privileges on the computer and presents anonymous credentials to the network.

Domain Users

Domain users differ from local users in that they are granted rights from the domain to access resources such as file servers, printers, intranet hosts, and other objects based on the permissions granted to their user account or the group that account is a member of.

User Naming Attributes

Few important Naming Attributes in AD:

FieldDescription
UserPrincipalName (UPN)The primary logon name for the user. By convention, the UPN uses the user’s email address.
ObjectGUIDA globally unique identifier for the user. The ObjectGUID never changes and remains unique even if the user is deleted or moved.
SAMAccountNameA legacy logon name used by older Windows clients and servers.
objectSIDThe user’s Security Identifier (SID). This identifies the user and determines group memberships during security operations.
sIDHistoryStores previous SIDs for a user object when it’s migrated from another domain. After migration, the old SID is added to sIDHistory, and the new one becomes the active objectSID.

Common User Attributes

PS C:\htb Get-ADUser -Identity htb-student

DistinguishedName : CN=htb student,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : htb
Name              : htb student
ObjectClass       : user
ObjectGUID        : aa799587-c641-4c23-a2f7-75850b4dd7e3
SamAccountName    : htb-student
SID               : S-1-5-21-3842939050-3880317879-2865463114-1111
Surname           : student
UserPrincipalName : [email protected]

Active Directory Groups

Groups are another significant object in Active Directory. They can place similar users together and mass assign rights and access.

Types of Groups

Group TypePurpose
Security GroupsUsed to assign permissions to shared resources (files, folders, printers, etc.) or delegate administrative rights. Security groups can also be used in ACLs.
Distribution GroupsUsed for email distribution lists. They cannot be assigned permissions — only used for messaging and collaboration (mainly with Exchange).

Types of Group Scopes

Group ScopeCan ContainCan Be Used To Assign Permissions InTypical Use Case
Domain LocalUsers, groups, and computers from any domainThe same domain where the group existsAssign permissions to resources (like folders or printers) within the same domain.
GlobalUsers, groups, and computers from the same domainAny domain in the forest or trusted domainsTypically used to group users with similar job functions.
UniversalUsers, groups, and computers from any domain in the forestAny domain in the forestUsed to consolidate global groups from multiple domains for forest-wide access control.

Important Group Attributes

AttributeDescription
cn (Common Name)The name of the group in Active Directory Domain Services.
memberLists which user, group, and contact objects are members of the group.
groupTypeAn integer that specifies the group’s type and scope.
memberOfLists any groups that contain this group as a member (nested group membership).
objectSidThe security identifier (SID) of the group — a unique value used to identify the group as a security principal.

Active Directory Rights and Privileges

Built-in AD Groups

AD contains many default or built-in security groups, some of which grant their members powerful rights and privileges which can be abused to escalate privileges within a domain and ultimately gain Domain Admin or SYSTEM privileges on a Domain Controller (DC).

Group NameDescription (Simplified)
Account OperatorsCan create and manage most user and group accounts, but not admin ones.
AdministratorsFull control over the computer or domain.
Backup OperatorsCan back up and restore files; also access sensitive system data.
DnsAdminsManage DNS settings and records.
Domain AdminsFull control over the entire domain; local admin on all joined machines.
Domain ComputersIncludes all computers in the domain except DCs.
Domain ControllersContains all domain controllers.
Domain GuestsIncludes the built-in Guest account; limited permissions.
Domain UsersAll user accounts in the domain are part of this group.
Enterprise AdminsFull control across the entire forest; can create domains or trusts.
Event Log ReadersCan read event logs on domain computers.
Group Policy Creator OwnersCan create and manage Group Policy Objects (GPOs).
Hyper-V AdministratorsFull control of Hyper-V; access to virtual machines.
IIS_IUSRSUsed by IIS web services for permissions and access.
Pre–Windows 2000 Compatible AccessLegacy group allowing old systems to read AD data; often insecure.
Print OperatorsManage printers and printer objects; can log into DCs.
Protected UsersMembers have extra protection against credential theft.
Read-only Domain ControllersContains all RODCs in the domain.
Remote Desktop UsersCan connect to systems via Remote Desktop (RDP).
Remote Management UsersCan remotely manage systems using WinRM.
Schema AdminsCan change the AD schema (structure of objects).
Server OperatorsCan manage services and shares on domain controllers.

User Rights Assignment

Depending on their current group membership, and other factors such as privileges that administrators can assign via Group Policy (GPO), users can have various rights assigned to their account.

PrivilegeDescription
SeRemoteInteractiveLogonRightAllows logging on via Remote Desktop (RDP). Can provide interactive access to a host.
SeBackupPrivilegeLets a user back up and read system files regardless of ACLs (can expose SAM, SYSTEM, NTDS.dit).
SeDebugPrivilegeAllows debugging/inspecting any process (can be used to read LSASS and steal credentials).
SeImpersonatePrivilegeLets a process impersonate other tokens (can be abused to escalate to SYSTEM).
SeLoadDriverPrivilegePermits loading/unloading kernel drivers (can be used to run malicious drivers or escalate).
SeTakeOwnershipPrivilegeAllows taking ownership of objects/files, bypassing ACLs to gain access.

Viewing a User’s Privileges

Standard Domain User’s Rights

PS C:\htb> whoami /priv

Domain Admin Rights Non-Elevated

PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Domain Admin Rights Elevated

PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Backup Operator Rights

PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled