Lab Link: https://tryhackme.com/r/room/winadbasics

This article is a walkthrough of the TryHackMe Active Directory Basics room from the Complete Beginner Learning Path.

Task 1: Introduction

In this task, we launch the Windows Server virtual machine by clicking the “Start Machine” button. This starts a browser-based session to the Windows Server machine.

Answer: No answer required

Task 2: Windows Domains

#2.1 In a Windows domain, credentials are stored in a centralised repository called…

Answer: Active Directory

#2.2 The server in charge of running the Active Directory services is called…

Answer: Domain Controller

Task 3: Active Directory

THM Domain Active Directory

#3.1 Which group normally administrates all computers and resources in a domain?

Answer: Domain Admins

#3.2 What would be the name of the machine account associated with a machine named TOM-PC?

Answer: TOM-PC$

#3.3 Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

Answer: Organizational Units

Task 4: Managing Users in AD

To delete an organizational unit within Active Directory, we have to enable Advanced Features in the View menu and then uncheck the option “Protect object from accidental deletion” in the OU’s properties. By default, OUs are protected against accidental deletion.

Organizational Unit Advanced Features

Delegation is the process of giving specific users control over certain OUs. We can delegate control over an OU by right-clicking the OU and selecting “Delegate Control”. For this example, we delegate control of the Sales OU to the IT department. This opens a window asking which users or groups to delegate to, and we type in Phillip as the person we want to delegate control to.

Delegation Control

Once we click “OK”, we select the “Reset user passwords” option as the delegated task. Phillip should now be able to reset passwords for any user within the Sales OU.

Delegation Control Tasks

Now we can use Phillip’s credentials to log in via RDP to reset Sophie’s password.

Phillip’s Credentials
Phillip Login via RDP

Since Phillip does not have privileges to open Active Directory Users and Computers, we use the Set-ADAccountPassword command in PowerShell to reset Sophie’s password. Since we also do not want Sophie to keep using the password we set, we force a password change at next logon.
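The delegated reset described above, written out as a PowerShell script. This is an added example, not the room’s own commands: it assumes the RSAT ActiveDirectory module is available on the host Phillip logs in to, and it takes the names sophie, phillip and Sales from the walkthrough; the domain is read from the directory rather than hard-coded. Before resetting, it checks that the delegation actually grants the “Reset Password” extended right, which is the same check a defender would run when auditing who can reset passwords in an OU.

```powershell
# Added example (not the room's script): verify a delegated "Reset Password" right,
# reset the user's password, force a change at next logon, then confirm the result.
# Assumes: RSAT ActiveDirectory module; user 'sophie', OU 'Sales', delegate 'phillip'.
Import-Module ActiveDirectory

$target   = 'sophie'
$ouName   = 'Sales'
$delegate = 'phillip'

# 1. Audit the delegation. "Reset Password" is an extended right on user objects; its
#    well-known rights GUID is 00299570-246d-11d0-a768-00aa006e0529 (User-Force-Change-Password).
#    Listing the OU's ACEs for Phillip shows whether the wizard really granted it.
$ouDn = (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'").DistinguishedName
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference -like "*\$delegate" -and
        ($_.ActiveDirectoryRights -band $extendedRight) -and
        $_.ObjectType -eq $resetPasswordGuid
    } |
    Format-Table IdentityReference, AccessControlType, InheritanceType -AutoSize

# 2. Reset the password. -Reset is an administrative reset (no old password needed),
#    which is exactly what the delegated right permits. Reading the value as a
#    SecureString keeps it out of the console history and transcript logs.
$newPassword = Read-Host -Prompt "Temporary password for $target" -AsSecureString
Set-ADAccountPassword -Identity $target -Reset -NewPassword $newPassword

# 3. Make the temporary password short-lived: the user must choose their own at next
#    logon. Also clear any lockout left behind by earlier failed attempts.
Set-ADUser -Identity $target -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $target

# 4. Verify. AD records "must change password at next logon" as pwdLastSet = 0.
Get-ADUser -Identity $target -Properties pwdLastSet, PasswordLastSet, LockedOut |
    Select-Object SamAccountName, pwdLastSet, PasswordLastSet, LockedOut
```

The ACL check in step 1 is worth keeping as a standalone audit: run over every OU, it lists every principal holding the reset right, which is how you catch delegations that were granted for a one-off ticket and never removed.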

Reset Sophie’s Account Password

When we log in as Sophie via RDP with the new password, we are forced to change the password.

Sophie Login via RDP

Once logged in, we can see there is a text file with the given flag we are looking for.

Flag on Sophie’s Desktop

#4.1 What was the flag found on Sophie’s desktop?

Answer: THM{thanks_for_contacting_support}

#4.2 The process of granting privileges to a user over some OU or other AD Object is called…

Answer: delegation

Task 5: Managing Computers in AD

By default, all machines joined to a domain are placed in a container called “Computers”. Here we can see some laptops and PCs corresponding to users on our network. We create two new OUs, one for Workstations and one for Servers, then move all the laptops and PCs to the Workstations OU and all the servers to the Servers OU.

Active Directory Workstations and Servers
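The same reorganisation done with the ActiveDirectory PowerShell module. This is an added example rather than the room’s own steps; it assumes the RSAT ActiveDirectory module and that the computer objects carry an OperatingSystem attribute (populated automatically when a real machine joins the domain). Objects with no OS value are reported rather than guessed at, and the domain controllers, which live in their own “Domain Controllers” OU rather than the Computers container, are never touched.

```powershell
# Added example (not part of the room): create Workstations and Servers OUs, sort the
# machines in the default Computers container into them by operating system, and
# report the count per OU. Assumes the RSAT ActiveDirectory module; the domain DN
# is read from the directory, nothing is hard-coded.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Create the OUs if missing. New-ADOrganizationalUnit protects an OU from accidental
# deletion by default, the same setting Task 4 had to clear before deleting one.
foreach ($ou in 'Workstations', 'Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                  -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}
$workstationsDn = "OU=Workstations,$domainDn"
$serversDn      = "OU=Servers,$domainDn"

# Joined machines sit in the 'Computers' container (CN=, not OU=) until moved.
# Domain controllers are not here; they are already in OU=Domain Controllers.
$computers = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" `
                            -Properties OperatingSystem

foreach ($c in $computers) {
    # Classify on the OperatingSystem attribute registered at join time. An object
    # without one is left in place and flagged for manual review; guessing from the
    # hostname would silently put servers under the workstation policies.
    if (-not $c.OperatingSystem) {
        Write-Warning "$($c.Name): no OperatingSystem attribute, not moved"
        continue
    }
    $dest = if ($c.OperatingSystem -like '*Server*') { $serversDn } else { $workstationsDn }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $dest
    Write-Host "$($c.Name) ($($c.OperatingSystem)) -> $dest"
}

# Report how many computer objects ended up directly under each OU.
foreach ($dn in $workstationsDn, $serversDn) {
    $n = (Get-ADComputer -Filter * -SearchBase $dn -SearchScope OneLevel | Measure-Object).Count
    '{0,-14} {1}' -f ($dn -replace '^OU=([^,]+),.*', '$1'), $n
}
```

Separating the two OUs is what later lets a hardening GPO for servers (for example, tighter logon rights) be linked without also hitting every laptop, which is the reason behind the “yay” in question 5.2.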

#5.1 After organising the available computers, how many ended up in the Workstations OU?

Answer: 7

#5.2 Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

Answer: yay

Task 6: Group Policies

Windows manages configuration policies through Group Policy Objects (GPOs). A GPO is simply a collection of settings that can be linked to OUs. To configure GPOs, we use the Group Policy Management tool.

Group Policy Management Tool

Each OU can have different GPOs linked to it, which apply to the users and computers within it. Note that a GPO applies to the OU it is linked to and to any sub-OUs beneath it. In the Default Domain Policy, we go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy and change the minimum password length to 10 characters.

Group Policy Management Tool — Password Length Policy Setting

The first task is to restrict Control Panel access for users on all machines in our network except the IT department. We create a new GPO called “Restrict Control Panel Access” and work under “User Configuration”, since we want this to affect users rather than machines. We go to User Configuration > Policies > Administrative Templates > Control Panel and enable the “Prohibit access to Control Panel” setting.

Restrict Control Panel Access GPO

After creating the GPO, we link it to the Management, Marketing, and Sales OUs so that it applies to all users in the domain except IT.

Assign Restrict Control Panel Access GPO to OUs

For the second task, workstations and servers must automatically lock their screens after 5 minutes of user inactivity. We could create a new GPO called “Auto Lock Screen” and link it to the Workstations, Servers, and Domain Controllers OUs. As a simpler alternative, we link the GPO to the root domain: those three OUs are children of the domain, so the policy reaches all computers. Within the new GPO, we go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies and set “Machine Inactivity Limit” to 300 seconds (5 minutes).

Auto Lock Screen GPO

After creating the GPO, we link it to the root domain so that it applies to every machine in our network.

Assign Auto Lock Screen GPO to Root Domain

Once the GPOs are linked to the correct OUs, we can log in as any user from the Management, Marketing, or Sales department. We log in with Mark’s credentials via RDP. If we try to open the Control Panel, we see a restriction message telling us the administrator has denied access. If we also leave the session idle for 5 minutes, the screen locks automatically.

Mark’s Credentials
Control Panel Operation Denied
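The whole of Task 6, built with the GroupPolicy and ActiveDirectory PowerShell modules instead of the GUI. This is an added example, not the room’s steps: it assumes the RSAT modules are installed and that the OUs Management, Marketing and Sales sit directly under the domain root. Two things it shows that the GUI path hides: the registry values the two settings actually write (NoControlPanel for the Control Panel restriction, InactivityTimeoutSecs for the inactivity limit), and the fact that scoping here is done purely by where the GPO is linked, so IT is excluded simply by never linking the GPO to its OU. The inactivity limit is written as a registry-based policy rather than through the Security Options template; the value the client reads is the same.

```powershell
# Added example (not the room's own steps): create and link the two Task 6 GPOs,
# set the domain minimum password length, and verify from a domain member.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and OUs named Management,
# Marketing, Sales directly under the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Helper: create the GPO only if it does not already exist (idempotent reruns).
function Get-OrNewGpo([string]$Name) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

# Helper: link a GPO to a target DN unless a link already exists there.
function Ensure-GPLink([string]$GpoName, [string]$TargetDn) {
    $links = (Get-GPInheritance -Target $TargetDn).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
        New-GPLink -Name $GpoName -Target $TargetDn -LinkEnabled Yes | Out-Null
    }
}

# --- Minimum password length 10 --------------------------------------------------
# The Password Policy node of the Default Domain Policy is the domain-wide policy;
# this cmdlet edits that same setting.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -MinPasswordLength 10

# --- GPO 1: Restrict Control Panel Access (User Configuration) -------------------
# "Prohibit access to Control Panel and PC settings" is the registry policy
# NoControlPanel = 1 under the Explorer policies key in HKCU.
$cp = Get-OrNewGpo 'Restrict Control Panel Access'
Set-GPRegistryValue -Name $cp.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link only to the OUs that should be restricted. IT gets no link, so IT users keep
# Control Panel access without any security filtering on the GPO itself.
foreach ($ou in 'Management', 'Marketing', 'Sales') {
    Ensure-GPLink -GpoName $cp.DisplayName -TargetDn "OU=$ou,$domainDn"
}

# --- GPO 2: Auto Lock Screen (Computer Configuration) ----------------------------
# "Interactive logon: Machine inactivity limit" is stored as InactivityTimeoutSecs
# under the System policies key in HKLM. Writing it as a registry policy here is
# a design choice for scripting; winlogon reads the same value either way.
# Linking at the domain root covers Workstations, Servers and Domain Controllers.
$lock = Get-OrNewGpo 'Auto Lock Screen'
Set-GPRegistryValue -Name $lock.DisplayName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 300 | Out-Null
Ensure-GPLink -GpoName $lock.DisplayName -TargetDn $domainDn

# --- Verify (run on a domain member, e.g. the machine Mark logs in to) -----------
# GPOs are distributed through the SYSVOL share and picked up at the next refresh;
# force a refresh, then list the resultant set of policy for the user.
gpupdate /force
gpresult /r /user mark
```

On the client, gpresult shows “Restrict Control Panel Access” under the user’s applied GPOs only when that user’s account sits in one of the three linked OUs, and “Auto Lock Screen” under the computer’s applied GPOs for every domain-joined machine; that pair of lists is the quickest way to confirm the scoping matches the intent before a user reports a surprise.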

#6.1 What is the name of the network share used to distribute GPOs to domain machines?

Answer: SYSVOL

#6.2 Can a GPO be used to apply settings to users and computers? (yay/nay)

Answer: yay

Task 7: Authentication Methods

#7.1 Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

Answer: nay

#7.2 When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

Answer: Ticket Granting Ticket

#7.3 When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)

Answer: nay

Task 8: Trees, Forests and Trusts

#8.1 What is a group of Windows domains that share the same namespace called?

Answer: Tree

#8.2 What should be configured between two domains for a user in Domain A to access a resource in Domain B?

Answer: A Trust Relationship

Task 9: Conclusion

Congratulations! You have completed the Active Directory Basics room.

Room Completion Banner