Basic knowledge of intranet domain penetration

1. Introduction to the intranet

An intranet, or local area network (LAN), is a group of computers interconnected within a limited area, generally within a radius of a few kilometres. A LAN can provide file management, shared application software, shared printers, scheduling within work groups, e-mail and fax services, and so on. A LAN is closed: it can consist of two computers in an office or thousands of computers in a company. For example, on a machine inside the intranet, running ipconfig /all shows that our IP is 192.168.x.x: machine No. 1 on the intranet is 192.168.0.1, machine No. 2 is 192.168.0.2, and so on, but if we look up our address from an IP-lookup website in the browser, every machine is shown with the same IP.

2. Workgroup

This is a concept within a LAN. When there are too many hosts in the LAN, or users need to be classified by function, workgroups are used. It is like sorting files into different folders, one for study and one for work. Right-clicking on Properties of This PC shows the workgroup the machine is in, and it can be changed from the settings on the right-hand side. Workgroup credentials are all stored locally.

3. Domain

Domain, called DOMAIN in English, is an independently operating unit in a Windows network. Mutual access between domains requires the establishment of a trust relationship (Trust Relation). A trust relationship is the bridge between domains. When a domain establishes a trust relationship with another domain, the two domains can not only manage each other as needed, but also allocate equipment resources such as files and printers across the network, allowing different domains to share and manage network resources, communicate with each other and transmit data.

The domain is not only the logical organizational unit of the Windows network operating system, but also the logical organizational unit of the Internet. In the Windows network operating system, the domain is the security boundary. A domain administrator can only manage the interior of his own domain; unless other domains explicitly grant him administrative rights, he cannot access or manage them. Each domain has its own security policy and its own security trust relationships with other domains.

It helps to compare domains with workgroups. In a workgroup, all settings, including the various policies, are made on the local machine; user login is also handled locally, and the password is checked against the local database. If the computer joins a domain, the policies are set uniformly by the domain controller, and the user name and password are sent to the domain controller for verification, which means that the account and password can be used to log in on any computer in the same domain. When logging in to the domain, authentication is performed on the domain controller using the Kerberos protocol; when logging in to the local computer, NTLM authentication is performed against the SAM.

4. Domain Controller (DC)

In "domain" mode there is at least one server responsible for verifying every computer and user that connects to the network. It is equivalent to the gatekeeper of an organization and is called the "domain controller" (abbreviated DC). The domain controller holds a database of the domain's accounts, passwords, the computers belonging to the domain and other information. When a computer connects to the network, the domain controller first checks whether the computer belongs to this domain, whether the login account used by the user exists, and whether the password is correct. If any of these checks fails, the domain controller refuses the user's login from this computer. Without logging in, the user cannot access permission-protected resources on the server; he can only access resources that Windows shares with peer-to-peer network users, which protects network resources to a certain extent.

The domain controller is where Active Directory is stored; in other words, Active Directory is stored on the domain controller, and the computer on which Active Directory is installed is called a domain controller. In fact, the first computer on which you install Active Directory becomes a domain controller. A domain can have one or more domain controllers; the classic approach is to create a primary and a secondary domain controller.

5. Classification of domains

  • single domain
  • parent domain, child domain
  • domain tree
  • Domain forest (forest)
  • DNS domain name server

1. Single domain
In ordinary small companies with fixed geographical locations, establishing a domain can meet the needs.
Generally, at least two domain servers must be established in a domain, one as a DC and the other as a backup DC. If there is no second backup DC, once the DC is paralyzed, other users in the domain will not be able to log in to the domain, because the Active Directory database (including user account information) is stored in the DC. If there is a backup domain controller (BDC), at least the domain can still be used normally. During this period, the paralyzed DC can be restored.

2. Parent domain
For management and other needs, the network needs to be divided into multiple domains. The first domain is called the parent domain, and the domains of the branches are called subdomains (child domains) of that domain.

If branches in different geographical locations are placed in the same domain, the information exchange between them (including synchronization, replication, etc.) takes a long time and occupies a relatively large bandwidth, because within one domain many items are exchanged and they are not compressed, while between domains relatively few items are exchanged and they are compressed.

Another benefit is that subsidiaries can manage their own resources through their own domains.

Another situation is due to security policy considerations, because each domain has its own unique security policy. For example, if a company's financial department wants to use a specific security policy (including account and password policies, etc.), the financial department can be made into a subdomain for separate management.

3. Domain tree
Domain tree refers to a collection of several domains formed by establishing trust relationships. A domain administrator can only manage the interior of this domain and cannot access or manage other domains. Mutual access between two domains requires the establishment of a trust relationship (Trust Relation).

A trust relationship is the bridge between domains. The parent domain and subdomains in a domain tree can not only manage each other as needed, but also allocate equipment resources such as files and printers across the network, so that different domains can share and manage network resources, communicate with each other and transmit data.

In a domain tree, the parent domain can contain many subdomains. A subdomain is defined relative to its parent domain and corresponds to a segment of the domain name. A subdomain can only use the parent domain's name as the suffix of its own domain name, which means that in a domain tree the domain names form a contiguous namespace.

4. Domain forest
A domain forest is a collection of several domain trees formed by establishing trust relationships. Resources in the entire forest can be managed and used through the trust relationships established between the domain trees, while each domain keeps its own original characteristics.

5. DNS Domain Name Server
A DNS (Domain Name System) server translates between a domain name and its corresponding IP address.

In the introduction to the domain tree, you can see that domain names in a domain tree look very much like DNS domain names. In fact, the domain name is the DNS domain name, because the computers in the domain use DNS to locate domain controllers, servers, other computers, network services and so on.

Under normal circumstances, when we penetrate the intranet, we locate the domain controller by looking for the DNS server, because usually the DNS server and the domain controller will be on the same machine.

6. Active Directory (AD)

Active Directory is abbreviated AD. It is based on DNS and stores information about the network objects within a domain (such as users, user groups, computers, domains, security policies, etc.) in a tree structure, which includes the password hashes of all domain user and computer accounts. It provides basic network services (DNS/DHCP, etc.), computer management, user services, resource management, desktop configuration, application system support and other functions.

Active Directory is a centralized directory management service (Directory Services) in Microsoft Windows Server that is responsible for building medium and large network environments. Directory services were introduced on the Microsoft platform from Windows Server 2000, so we can understand that Active Directory is an implementation method of directory services on the Microsoft platform. Of course, directory services have corresponding implementations on non-Microsoft platforms.

The biggest difference between the domain environment of Windows Server 2003 and the workgroup environment is that all computers in the domain share a centralized directory database (also known as the Active Directory database), which contains the objects in the entire domain (user accounts, computer accounts, printers, shared files, etc.) and their security information, and Active Directory is responsible for adding, modifying, updating and deleting entries in the directory database. So if we want to implement a domain environment on Windows Server 2003, what we actually do is install Active Directory. Active Directory implements directory services for us and provides centralized management of the enterprise network environment. For example, in a domain environment you only need to create Bob's account once in Active Directory, and Bob can then log in on any one of 200 computers. If you want to change the password of Bob's account, you only need to change it once in Active Directory. That is to say, domain user information is stored in Active Directory.

ntds.dit is a database file in AD. It is saved in the location of c:\windows\system32\ntds\ntds.dit on the domain controller.

Main features of Active Directory

  • Accounts are centrally managed, and all accounts are stored on the server, making it easy to re-order/reset passwords for accounts.
  • Centralized management of software, unified push of software, unified installation of network printers, etc. Distributing software using software release strategies allows users to freely choose to install software.
  • The environment is centrally managed, and AD can be used to unify client desktop, IE, TCP/IP and other settings.
  • Enhance security, uniformly deploy anti-virus software and anti-virus tasks, centrally manage users' computer permissions, uniformly formulate user password policies, etc., monitor the network, and manage data in a unified manner.
  • More reliable, less downtime. For example: use AD to control user access rights, and use clustering, load balancing and other technologies to set up disaster recovery for file servers, which is more reliable and reduces downtime.
  • Active Directory is the basic platform for unified management by Microsoft; other services such as ISA, Exchange and SMS all rely on this basic platform.

7. The difference between AD and DC

If the network is large, we consider placing the many objects in the network (computers, users, user groups, printers, shared files, etc.) into one large, orderly warehouse, organized so that these objects (resources) can be easily searched for, managed and used. This hierarchically structured database is the Active Directory database, or AD database for short.

So which computer should we put this database on? The rule is this, we call the computer where the Active Directory database is stored a DC. So if we want to implement a domain environment, we actually need to install AD. When a computer in the intranet installs AD, it becomes a DC.

8. Logical structure

In Active Directory, administrators can completely ignore the specific geographical location of managed objects and place these objects in different containers in a certain way. Because this method of organizing objects does not take into account the specific geographical location of the managed objects, this organizational framework is called a "logical structure."

The logical structure of Active Directory includes organizational unit (OU), domain (domain), domain tree (tree), and domain forest (forest). All domains in the domain tree share an active directory. The data in this active directory is distributed in each domain, and each domain only stores the data in that domain.

An organizational unit (OU) is a container that can contain objects (user accounts, computer accounts, etc.) and other organizational units (OU).

A domain is a logical grouping, or to be precise, an environment. A domain is the minimum boundary of security. A domain environment can centrally and uniformly manage resources on the network. To achieve a domain environment, you must install Active Directory on your computer. A domain tree is a set of domains with a contiguous namespace.

9. Security domain division

The purpose of security domain division is to put a group of computers with the same security level into the same network segment, so that the computers in that segment share one network boundary. A firewall deployed at that boundary enforces a network access control policy (NACL) towards the other security domains: which IPs or network segments are allowed to access this domain and which are not. This minimizes risk, and when an attack occurs the threat can be isolated as far as possible, reducing the impact on the computers in the domain.


10. DMZ

DMZ is called the "exclusion zone", also known as the "demilitarized zone". It is a buffer zone between a non-secure system and a secure system that solves the problem of the external network being unable to access the internal network's servers after a firewall is installed.

This buffer zone is a small network area located between the enterprise's internal network and the external network. Server facilities that must be publicly reachable, such as the enterprise web server, FTP server and forum, can be placed in it.

On the other hand, a DMZ protects the internal network more effectively, because this kind of deployment puts one more barrier in an attacker's way than a plain firewall solution does.

Barrier function of DMZ

1. The internal network can access the external network
Users on the internal network need to freely access the external network. In this strategy, the firewall needs to perform NAT.

2. The intranet can access the DMZ
This policy allows intranet users to use or manage servers in the DMZ.

3. The external network cannot access the internal network
This is the basic policy of the firewall. The internal network stores the company's internal data, which obviously must not be accessible to users from the external network. If access is needed, it must go through a VPN.

4. The external network can access the DMZ
The servers in the DMZ need to provide services to the outside world, so the external network must be able to access the DMZ. At the same time, external network access to the DMZ requires the firewall to complete the conversion of the external address to the actual address of the server.

5. The DMZ cannot access the internal network
If this policy is not implemented, the internal network will not be protected when an intruder captures the DMZ.

6. The DMZ cannot access the external network
There are exceptions to this policy. For example, a mail server placed in the DMZ needs to access the external network, otherwise it will not work normally.
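The six rules above, encoded as a small policy check over the three zones. This is an added example, not part of the original article; the address ranges (10.0.0.0/8 for the intranet, 172.16.10.0/24 for the DMZ, everything else treated as external) and the mail-server address 172.16.10.25 used for the rule-6 exception are constructed values.

```python
import ipaddress

# Constructed zone layout (assumption, not from the article).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("172.16.10.0/24"),
}
# DMZ hosts explicitly allowed outbound: the mail-server exception of rule 6 (constructed).
DMZ_OUTBOUND_EXCEPTIONS = {ipaddress.ip_address("172.16.10.25")}


def zone_of(ip):
    """Map an address to 'internal', 'dmz' or 'external' (anything outside the defined zones)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip, dst_ip):
    """Apply the six DMZ rules to one flow; returns (allowed, rule number that decided)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True, 0   # same zone: the flow never crosses the firewall
    if src == "internal" and dst == "external":
        return True, 1   # rule 1: intranet -> external, firewall performs NAT
    if src == "internal" and dst == "dmz":
        return True, 2   # rule 2: intranet may use and manage DMZ servers
    if src == "external" and dst == "internal":
        return False, 3  # rule 3: external never reaches the intranet (VPN only)
    if src == "external" and dst == "dmz":
        return True, 4   # rule 4: published services, external address mapped to the server
    if src == "dmz" and dst == "internal":
        return False, 5  # rule 5: a compromised DMZ host must not pivot inward
    if src == "dmz" and dst == "external":
        allowed = ipaddress.ip_address(src_ip) in DMZ_OUTBOUND_EXCEPTIONS
        return allowed, 6  # rule 6: DMZ -> external denied, except listed hosts
    return False, 0      # unreachable with three zones; deny by default


def review_flows(flows):
    """Given (src, dst) pairs, return the ones the policy denies with the rule that denied them."""
    return [(s, d, rule) for s, d in flows if not is_allowed(s, d)[0] for rule in [is_allowed(s, d)[1]]]
```

The rule-6 exception is deliberately a per-host allow list rather than a blanket "DMZ may reach the Internet": if a web server in the DMZ is compromised, it should not be able to open arbitrary outbound connections any more than it can reach the intranet.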

11. SAM

SAM (Security Account Manager) is the database file in which the Windows operating system stores account passwords. To avoid leaking plaintext passwords, the SAM file stores the hash of the plaintext password after it has been processed by a series of algorithms. The saved hashes are of two kinds, the LM hash and the NTLM hash. When a user logs in locally or remotely, the hash of the entered password is compared with the hash saved in the SAM file. In later Windows versions the password hashes saved in the SAM file are additionally encrypted with the SYSKEY key. The file is located at c:/windows/system32/config/SAM, similar to the /etc/shadow file on Linux. We can delete or replace the SAM file from a PE boot environment and log in to the administrator account of some older versions of the system without a password.

Get Hash method:

  1. Use tools such as mimikatz to read the exe process and obtain the Hash
  2. net-NTLM Hash can be obtained using tools such as Responder or Inveigh

Cracking the Hash:

LM Hash
  john --format=lm hash.txt
  hashcat -m 3000 -a 3 hash.txt

NTLM Hash
  john --format=nt hash.txt
  hashcat -m 1000 -a 3 hash.txt

Net-NTLMv1
  john --format=netntlm hash.txt
  hashcat -m 5500 -a 3 hash.txt

Net-NTLMv2
  john --format=netntlmv2 hash.txt
  hashcat -m 5600 -a 3 hash.txt

12. Kerberos protocol

Kerberos is a network authentication protocol proposed by MIT (Massachusetts Institute of Technology). It aims to provide strong authentication services for client/server applications by using encryption technology.

There are three main roles in the Kerberos protocol:

(1) The client that accesses the service (hereinafter referred to as Client or user)

(2) Server that provides services (hereinafter referred to as services)

(3) KDC (Key Distribution Center) key distribution center

The KDC service will be installed in the domain controller of a domain by default, and the Client and Server are users or services in the domain, such as HTTP service, SQL service, and Remote Desktop Service. In Kerberos, whether the client has permission to access server-side services is determined by the ticket issued by the KDC.

13. NTLM

Where permitted, Kerberos is the preferred authentication method. Before it, Windows mainly used another authentication protocol, NTLM (NT LAN Manager). NTLM is used in Windows NT and in Windows 2000 Server (or later) workgroup environments (Kerberos is used in domain mode). In an AD domain environment, if Windows NT systems need to be authenticated, NTLM must also be used. Compared with Kerberos, the NTLM-based authentication process is much simpler: NTLM uses a challenge/response message exchange model.

  1. First, the user logs in to the client host by entering a Windows account and password. Before logging in, the client caches the hash of the entered password and the original password is discarded ("the original password must not be cached under any circumstances" is a basic security guideline). If a user who successfully logs in to client Windows tries to access server resources, he needs to send a request to the other party. The request contains a username in clear text.
  2. After the server receives the request, it generates a 16-bit random number. This random number is called Challenge or Nonce. Before the server sends the Challenge to the client, the Challenge will be saved first. Challenge is sent in clear text.
  3. After receiving the Challenge sent back by the server, the client encrypts it using the password hash value saved in step 1, and then sends the encrypted Challenge to the server.
  4. After receiving the encrypted Challenge sent back by the client, the server sends a verification request for the client to the DC. The request mainly contains three items: the client user name, the Challenge encrypted with the client's password hash, and the original Challenge.
  5. DC obtains the password hash value of the account based on the user name and encrypts the original Challenge. If the encrypted Challenge is consistent with the one sent by the server, it means that the user has the correct password and the verification passes, otherwise the verification fails. DC sends the verification results to the server and finally feeds them back to the client.
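The five-step exchange above, simulated with the three roles as separate objects. This is an added example, not code from the original article: the client keeps only the NT hash (step 1), the server issues and remembers a random challenge (step 2), the client answers with a keyed function of the challenge (step 3), the server forwards user name, challenge and response to the DC (step 4), and the DC recomputes from its stored hash (step 5). The response function is a simplified stand-in (HMAC-MD5 keyed with the NT hash, the primitive NTLMv2 uses; real NTLMv2 also mixes in user name, domain and a client blob). The user name is constructed; the NT hash value is the well-known hash of the password "password".

```python
import os
import hmac
import hashlib

# Constructed sample credential. Both the client (cached at logon) and the DC
# (stored in ntds.dit) hold the NT hash; neither ever needs the plaintext again.
SAMPLE_USER = "alice"
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"


def compute_response(nt_hash, challenge):
    # Simplified NTLM response: keyed with the NT hash, so the plaintext is never needed.
    return hmac.new(nt_hash, challenge, hashlib.md5).digest()


class Client:
    def __init__(self, user, nt_hash):
        self.user, self.nt_hash = user, nt_hash  # step 1: plaintext discarded, hash cached

    def hello(self):
        return {"user": self.user}               # step 1: user name travels in clear

    def answer(self, challenge):
        return compute_response(self.nt_hash, challenge)  # step 3


class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts                 # user -> NT hash, the ntds.dit view

    def verify(self, user, challenge, response):   # step 5
        stored = self.accounts.get(user)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)


class Server:
    def __init__(self, dc):
        self.dc, self.pending = dc, {}

    def challenge(self, user):                   # step 2: fresh nonce, remembered per user
        nonce = os.urandom(8)
        self.pending[user] = nonce
        return nonce

    def authenticate(self, user, response):      # step 4: hand everything to the DC
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return self.dc.verify(user, nonce, response)


def run_exchange(client, server):
    user = client.hello()["user"]
    nonce = server.challenge(user)
    response = client.answer(nonce)
    return server.authenticate(user, response), nonce, response


def demo():
    """Returns (genuine logon ok, replayed response ok, wrong hash ok)."""
    dc = DomainController({SAMPLE_USER: SAMPLE_NT_HASH})
    server = Server(dc)
    ok, _, captured = run_exchange(Client(SAMPLE_USER, SAMPLE_NT_HASH), server)
    # A response captured from one exchange is useless against a fresh challenge.
    server.challenge(SAMPLE_USER)
    replay_ok = server.authenticate(SAMPLE_USER, captured)
    # A client holding the wrong hash cannot produce a valid response.
    wrong_ok, _, _ = run_exchange(Client(SAMPLE_USER, bytes(16)), server)
    return ok, replay_ok, wrong_ok
```

The model makes the defender's point of the scheme visible: the challenge defeats replay, but nothing in steps 1 to 5 ever requires the plaintext, so a stolen NT hash is as good as the password to this protocol. That is why the later list item on "NTLM hash pass" exists, and why restricting NTLM and protecting credential stores matters more than password complexity here.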

An NTLM (NT LAN Manager) hash usually refers to the hash stored in the SAM file or in the ntds.dit file. Its generation process is: hexadecimal encoding ==> Unicode encoding ==> MD4.

NET-NTLM HASH is a hash value returned from the server during the above NTLM authentication process, which stores user name, IP, encryption algorithm, password hash, etc.

NTLM Hash can be obtained in these ways:

  1. Export the SAM file and use tools such as mimikatz together with the SYSKEY to obtain it
  2. Change the registry and use mimikatz to read the exe process to obtain it (Windows 8.1 / Server 2012 R2 and later prohibit caching the plaintext in memory, while mimikatz obtains plaintext passwords from memory)
  3. NTLM hash pass (pass-the-hash)
  4. A Net-NTLM hash can be obtained with tools such as Responder and Inveigh, which perform a man-in-the-middle attack by impersonating a server and capturing the SMB connections that clients initiate to it.

14. SMB

SMB (Server Message Block), also known as the Common Internet File System (CIFS), is a network file sharing protocol. In Windows 2000, besides being implemented over NBT, SMB can also run directly over port 445. Its main function is to let machines on the network share resources such as files, printers, serial ports and communications.

CIFS messages are generally sent using NetBIOS or TCP protocols, using different ports 139 or 445 respectively. Currently, port 445 is preferred.

  • Runs directly on TCP port 445
  • By using the NetBIOS API
    • Based on UDP ports 137, 138 & TCP ports 137, 139
    • Based on some traditional protocols such as NBF

15. IPC

IPC (Inter-Process Communication) is used for communication between processes.

IPC$ (Internet Process Connection) came into use with NT/2000. It is a named pipe opened for inter-process communication. After the account and password are verified, the two parties establish a secure channel and exchange encrypted data through it, thereby enabling remote management of a computer and viewing of its shared resources.

IPC$ (Internet Process Connection) can be understood as a "dedicated pipe" that establishes a secure channel between the two ends of a connection in order to access a remote computer. Windows NT/2000/XP not only provides the IPC$ function, but also creates the default shares when the system is first installed, that is, all logical drives (C$, D$, E$ ...) and the system directory (ADMIN$) are shared. All of these shares exist to make administration easier, but intentionally or not they create hidden dangers for system security. We can view the shares by typing net share on the cmd command line.

The IPC$ vulnerability we often talk about is the IPC null session, but its original harm is very small: it can only access shares with Everyone permissions, read a small part of the registry, and so on. Moreover, from Windows 2000 onward, permissions are restricted and null sessions are disabled.

IPC$ is based on SMB and NetBIOS, so the port used is also 139/445. Which port is actually accessed depends on whether NetBIOS is allowed.

Create an empty session:

net use \\ip\ipc$ "" /user:"" (Note: the "" after the share name is the empty password, and the "" after /user: is the empty user name)

Delete the IPC$ connection:

net use \\192.168.1.101\ipc$ /del

After the connection has been established:

View the shared resources of the remote host:

net view \\ip

Get the NetBIOS username list of the remote host (you need to open your own NBT):

nbtstat -A ip

Map the target C drive to the local Z drive:

net use z: \\192.168.1.101\c$

**Note:** Whether or not the IPC$ connection is established successfully, a record is left in the log.
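Since every IPC$ connection attempt leaves a log record, the defender's counterpart to the commands above is to review those records. This added example (not from the original article) parses constructed share-access records and flags two things: anonymous (null-session) IPC$ activity, and administrative shares (C$, ADMIN$, ...) opened from hosts that are not the expected jump hosts. Windows records share access as Security event 5140 and network logons as event 4624 with logon type 3 and the account name ANONYMOUS LOGON for null sessions; the field names below mirror those events, but the pipe-delimited layout and all addresses, accounts and the jump-host list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records: timestamp|event id|account|logon type|source address|share name
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|4624|ANONYMOUS LOGON|3|192.168.1.50|
2024-05-01T10:00:01|5140|ANONYMOUS LOGON|3|192.168.1.50|\\\\*\\IPC$
2024-05-01T10:02:13|5140|CORP\\jdoe|3|192.168.1.77|\\\\*\\IPC$
2024-05-01T10:02:15|5140|CORP\\jdoe|3|192.168.1.77|\\\\*\\C$
2024-05-01T10:05:00|5140|CORP\\backupsvc|3|192.168.1.9|\\\\*\\Backups
""".splitlines()

# Hosts from which administrative share access is expected (constructed assumption).
JUMP_HOSTS = {"192.168.1.10"}

# \\*\C$, \\*\D$ ... and \\*\ADMIN$ are the default administrative shares.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)


@dataclass
class ShareEvent:
    ts: str
    event_id: int
    account: str
    logon_type: int
    src_ip: str
    share: str


def parse_event(line):
    ts, eid, account, ltype, src, share = line.split("|")
    return ShareEvent(ts, int(eid), account, int(ltype), src, share)


def detect(lines, jump_hosts=JUMP_HOSTS):
    """Return (timestamp, severity, reason) findings for suspicious share activity."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        anonymous = ev.account.upper() == "ANONYMOUS LOGON"
        # Null session: anonymous network logon, or anonymous access to the IPC$ pipe.
        if anonymous and ((ev.event_id == 4624 and ev.logon_type == 3) or ev.share.endswith("IPC$")):
            findings.append((ev.ts, "high", f"null session (anonymous IPC$) from {ev.src_ip}"))
        # Administrative share opened from somewhere other than the jump hosts.
        elif ev.event_id == 5140 and ADMIN_SHARE.match(ev.share) and ev.src_ip not in jump_hosts:
            findings.append((ev.ts, "medium", f"admin share {ev.share} opened by {ev.account} from {ev.src_ip}"))
    return findings
```

An ordinary authenticated IPC$ connection (the jdoe line) is deliberately not flagged on its own: every net view or net use goes through IPC$, so the signal lies in who connects anonymously and where administrative shares are mapped from, not in IPC$ access as such.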

16. NetBIOS

NetBIOS (Network Basic Input/Output System) is, strictly speaking, not a network protocol but an application programming interface (API). In the early days it ran over the NetBIOS Frames (NBF) protocol, a non-routable protocol at the transport layer; later, NetBIOS over TCP/IP (abbreviated NBT or NetBT) appeared, letting it run on top of TCP/IP as a session-layer protocol. Computer names are obtained through NetBIOS broadcasts and resolved to the corresponding IP address. It is available on all Windows operating systems since Windows NT and does not support IPv6.

NetBIOS provides three services:

  • NetBIOS-NS (Name Service): to start a session and distribute datagrams, a program must register a NetBIOS name with the name service, which tells other applications what services are provided. It listens on UDP port 137 by default and can also use TCP port 137.
  • Datagram distribution service: connectionless, responsible for error detection and recovery; defaults to UDP port 138.
  • Session service: allows two computers to establish a connection; defaults to TCP port 139.

Discovering hosts using NetBIOS

  1. nbtstat (Windows built-in command)
  • Get the target host's MAC address

    nbtstat -A 192.168.1.1

  2. nbtscan
  • Scan the host names and open network shares of the specified network segment

    nbtscan.exe 192.168.1.1/24


17. WMI

WMI (Windows Management Instrumentation) is the core of the Windows 2K/XP management system; for other Win32 operating systems, WMI is a useful plug-in. Users can use WMI to manage local and remote computers. It provides a public interface to access the building blocks of the operating system. It opens port 135 by default.

WMI consists of a series of extensions to the Windows Driver Model, which provide information and notifications through instrumentation components and offer an operating-system interface. During penetration testing, attackers often use scripts to perform operations on the Windows operating system through the WMI interface, with remote WMI connections made over DCOM, for example with WMIC, Invoke-WmiCommand, Invoke-WMIMethod, etc. Another method is to use Windows Remote Management (WinRM).

18. Windows Access Token

A Windows access token contains the security information of a logon session (such as the various SIDs). When a user logs on, the system creates an access token, and every process that runs as that user holds a copy of it. The token uniquely represents the user, the user's groups and the user's privileges. There are two kinds of tokens: primary tokens and impersonation tokens. A primary token is associated with a process; an impersonation token is associated with the thread that is impersonating. When the user logs off, the system switches the primary token to an impersonation token and does not clear it; the token is only cleared when the machine restarts.

19. SID

SID is a security identifier, a unique number that identifies users, groups, and computer accounts. Every account on the network is issued a unique SID when the account is first created. It is used to track each account and never changes, even if we change the administrator's name.
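A small SID parser, added here as an example that is not part of the original article. It splits the S-&lt;revision&gt;-&lt;authority&gt;-&lt;subauthorities&gt; string, recognizes the domain prefix S-1-5-21-x-y-z and the well-known relative identifiers (RIDs) behind it (500 Administrator, 512 Domain Admins, and so on), and uses the fact stated above, that the SID never changes when an account is renamed, to find the built-in Administrator account under any name. The domain SID values and account names in the sample are constructed.

```python
from dataclasses import dataclass

# Well-known RIDs of a domain SID (S-1-5-21-<domain>-<RID>).
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
               512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
               518: "Schema Admins", 519: "Enterprise Admins"}
# Aliases under the BUILTIN authority (S-1-5-32-<RID>), local to each machine.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 551: "Backup Operators"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_sid(self):
        """For an account SID, the S-1-5-21-x-y-z prefix shared by the whole domain; else None."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return "S-1-5-21-" + "-".join(str(s) for s in self.subauthorities[1:4])
        return None

    def __str__(self):
        return f"S-{self.revision}-{self.authority}-" + "-".join(str(s) for s in self.subauthorities)


def parse_sid(text):
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    return Sid(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))


def describe(text):
    """Name the principal class a SID denotes, independent of its current account name."""
    sid = parse_sid(text)
    if sid.authority == 5 and len(sid.subauthorities) == 2 and sid.subauthorities[0] == 32:
        return BUILTIN_RIDS.get(sid.rid, "BUILTIN alias")
    if sid.domain_sid:
        return DOMAIN_RIDS.get(sid.rid, "domain account")
    return "other"


# Constructed {sAMAccountName: SID} snapshot of a domain.
SAMPLE_ACCOUNTS = {
    "helpdesk-adm": "S-1-5-21-1004336348-1177238915-682003330-500",
    "jdoe": "S-1-5-21-1004336348-1177238915-682003330-1105",
    "krbtgt": "S-1-5-21-1004336348-1177238915-682003330-502",
}


def find_renamed_admins(accounts):
    """Accounts carrying RID 500 under a name other than 'Administrator'."""
    return [name for name, text in accounts.items()
            if parse_sid(text).domain_sid and parse_sid(text).rid == 500
            and name.lower() != "administrator"]
```

Renaming the built-in administrator is a common hardening step; the RID-500 check shows why it is only cosmetic against anyone who can read SIDs, and is equally useful in the other direction for spotting the account in an audit.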

20. Bastion machine

The bastion host is an operation and maintenance security audit system for internal operation and maintenance personnel. Its main functions are to restrict login entries, centralize authority account management, block illegal commands, record the operations of operation and maintenance personnel, and hold accountable if something goes wrong. The intuitive difference between it and the firewall is that the firewall is used between the external network and the DMZ, and the DMZ and the intranet, while the bastion host is used between the operation and maintenance personnel and the intranet.

21. Classification of computers in the domain

  • domain controller

  • member server

    A member server is a computer that has the Windows Server 2008 operating system installed and has been joined to a domain. These servers provide network resources and are also known as additional domain controllers in an existing domain. Member servers usually act as one of the following kinds of server: file servers, application servers, database servers, web servers, certificate servers, firewalls, remote access servers, print servers, etc.

  • Standalone server

    A standalone server has nothing to do with a domain. If a server is not joined to a domain and does not have Active Directory installed, it is called a standalone server. A standalone server can create workgroups and share resources with other computers on the network, but it cannot obtain any of the services provided by Active Directory.

  • Clients in the domain

    Computers with operating systems such as Windows XP/2000/2003 installed and joined to the domain can be used, together with accounts in the domain, to log in to the domain and become clients in the domain. After the domain user account passes the domain's security verification, it can access the various resources on the network.

22. Interpretation of intra-domain permissions

1. Domain local group

Multi-domain users access single domain resources (access the same domain)

User accounts, universal groups and global groups from any domain can be added, but permissions can only be assigned within the group's own domain. Domain local groups cannot be nested in other groups. They are mainly used to grant access to resources located in their own domain.

2. Global group

Single domain users access multi-domain resources (must be users in one domain)

Users and global groups can only be added in the domain where the global group is created. Permissions can be assigned within any domain in a domain forest. Global groups can be nested within other groups.

A global group can be added to another global group in the same domain, or to universal groups and domain local groups in other domains (it cannot be added to a global group in a different domain, and a global group can only contain users and groups from the domain in which it is created). Although global groups can be used to grant users permission to access resources in any domain, they are generally not used directly for permission management.

3. The relationship between global groups and domain local groups

The relationship between domain user accounts and local accounts is similar.

Domain user accounts can be used globally, that is, they can be used in this domain and other related domains, while local accounts can only be used on this machine. For example: adding user Zhang San (Z3) to the domain local group Administrators does not enable Z3 to have any privileges on non-DC domain member computers. But if Z3 is added to the global group Domain Admins, user Zhang San becomes a domain administrator (can be used globally and has privileges on domain member computers)

4. Universal group

Multi-domain users access multi-domain resources

Members of a universal group can include user accounts, global groups and other universal groups from any domain in the domain tree or forest. Permissions can be assigned in any domain in the forest, and universal groups can be nested in other groups, which makes them well suited to cross-domain access within a forest. However, the membership of universal groups is not stored on the respective domain controllers but in the Global Catalog (GC), and any change causes forest-wide replication.

Global catalogs are typically used to store information that does not change frequently. Since user account information changes frequently, it is recommended not to add user accounts directly to universal groups. Instead, add user accounts to global groups first, and then add these relatively stable global groups to universal groups.

In a simple sentence:

  • Domain local group: from the whole forest, acting on this domain
  • Global group: from this domain, acting on the entire forest
  • Universal group: from the whole forest, acting on the whole forest

5. A-G-DL-P strategy

The A-G-DL-P policy refers to adding the user account to the global group, adding the global group to the domain local group, and then assigning resource permissions to the domain local group.

  • A represents user account (Account)
  • G stands for Global Group
  • U stands for Universal Group
  • DL stands for Domain Local Group
  • P stands for resource permission (Permission)

It is very easy to organize and manage users with the A-G-DL-P policy. Once the A-G-DL-P structure is in place, when you need to grant a user a certain permission, you only need to add the user to a domain local group.
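The A-G-DL-P chain built with the ActiveDirectory PowerShell module, as an added example that is not part of the original post; the domain corp.example, the OU path, the user z3, the share path and the group names are assumed placeholders.

```powershell
# Added example: A-G-DL-P with the ActiveDirectory module (RSAT).
# Assumed placeholders: domain corp.example, OU "OU=Groups,DC=corp,DC=example",
# user "z3", share folder D:\Shares\Finance. Run as a user allowed to create groups.
Import-Module ActiveDirectory

$ou      = "OU=Groups,DC=corp,DC=example"
$share   = "D:\Shares\Finance"
$gGroup  = "G-Finance-Staff"     # G: global group, collects the accounts
$dlGroup = "DL-Finance-Modify"   # DL: domain local group, receives the permission

# A -> G: a global group is scoped to this domain and holds the user accounts
New-ADGroup -Name $gGroup -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $gGroup -Members "z3"

# G -> DL: a domain local group may contain global groups from any trusted domain
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $dlGroup -Members $gGroup

# DL -> P: the permission is granted once, to the domain local group only,
# so later access changes are membership changes rather than ACL edits
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "CORP\$dlGroup",                  # identity
    "Modify",                         # FileSystemRights
    "ContainerInherit,ObjectInherit", # InheritanceFlags: apply to subfolders and files
    "None",                           # PropagationFlags
    "Allow"                           # AccessControlType
)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verification: z3's direct membership shows only the global group (nesting is
# resolved at logon), and the ACL should name only the DL group, never the user
Get-ADPrincipalGroupMembership -Identity "z3" | Select-Object Name, GroupScope
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like "*$dlGroup" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```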

6. Built-in groups

When you install a domain controller, the system automatically generates some groups, called built-in groups. Built-in groups define some commonly used permissions. Users can obtain corresponding permissions by adding them to built-in groups.

The groups in the Builtin and Users organizational units of the Active Directory console window are built-in groups.

  • Built-in domain local groups are in the Builtin organizational unit.
  • Built-in global groups and universal groups are in the Users organizational unit.

23. Several important domain local groups

  • Administrators group (Administrators): Members of this group have unrestricted access to resources within the computer/domain. Not only is it the most powerful group, it is also the group that has administrator rights by default in Active Directory and domain controllers. Members of this group can change membership in the Enterprise Admins, Schema Admins, and Domain Admins groups and are the most powerful service management group in the domain forest.
  • Remote Desktop Users: Members of this group have remote login permissions.
  • Print Operators: Members of this group can manage network printers, including creating, managing and deleting network printers, and can log on locally to and shut down domain controllers.
  • Account Operators: Members of this group can create and manage users and groups in the domain and set permissions for them, and can also log on locally to the domain controller. However, they cannot change accounts that belong to the Administrators or Domain Admins groups, nor can they change these groups themselves. By default, there are no members in this group.
  • Server Operators Group (Server Operators): Members of this group can manage domain servers. Their permissions include creating, managing, and deleting shared directories on any server, managing network printers, backing up any server's files, formatting the server's hard drive, locking the server, changing the server's system time, shutting down the domain controller, etc. By default, there are no members in this group.
  • Backup Operators: Members of this group can perform backup and restore operations on the domain controller, and can log on locally to and shut down the domain controller. By default, there are no members in this group.

24. Permissions of several important global groups and universal groups

  • Domain Admins: Members of this group have full administrator rights by default on all domain-joined servers, domain controllers, and Active Directory. Because this group will be added to the Administrators group of its own domain, it can inherit all the permissions of the Administrators group. At the same time, this group will be added to the local Administrators group of each domain member computer by default. In this way, the Domain Admins group takes ownership of all computers in the domain. If you want a user to become a domain system administrator, it is recommended that you add the user to the Domain Admins group instead of directly adding the user to the Administrators group.
  • Enterprise Admins: This group is a group in the root domain of the domain forest. This group is a member of the Administrators group within every domain in the domain forest and therefore has full access to all domain controllers.
  • Domain Users: This group contains all domain members. By default, any user account we create belongs to the Domain Users group, and any computer account we create belongs to the Domain Computers group. Therefore, if you want all accounts to obtain a certain resource access permission, you can assign the permission to the Domain Users group, or make the Domain Users group a member of a group that has this permission. The Domain Users group is a member of the built-in Users group by default.
  • Schema Admins: This group exists in the root domain of the domain forest and can modify the schema of Active Directory and the domain forest. It is a domain group with full permissions over Active Directory and domain controllers, so the membership of this group must be controlled very carefully.
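A defender's audit of the privileged groups listed in these two sections, as an added example that is not part of the original post; it assumes the ActiveDirectory PowerShell module on a domain-joined host, and the report path is an assumed placeholder.

```powershell
# Added example: enumerate membership of the sensitive built-in groups above and
# flag the ones the text says are empty by default. Assumes the ActiveDirectory
# module; C:\Reports\privileged-groups.csv is an assumed placeholder path.
Import-Module ActiveDirectory

$sensitiveGroups = @(
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
    "Remote Desktop Users"
)
# Operator groups have no members by default; any member is worth a review
$expectEmpty = @("Account Operators", "Server Operators", "Backup Operators", "Print Operators")

$report = foreach ($g in $sensitiveGroups) {
    try {
        # -Recursive expands nesting (a global group inside a domain local group)
        # down to the leaf users and computers that actually hold the rights.
        # Enterprise/Schema Admins only exist in the forest root, so a child
        # domain query fails and is reported rather than silently skipped.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read group '$g': $_"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $g
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            # computer accounts in an admin group, or anyone in an operator group
            Unexpected  = ($expectEmpty -contains $g) -or ($m.objectClass -eq "computer")
        }
    }
}

# Show the findings first, then keep the full membership snapshot for diffing
# against the next run (membership drift is the signal, not the snapshot itself)
$report | Where-Object Unexpected | Format-Table -AutoSize
$report | Export-Csv -Path "C:\Reports\privileged-groups.csv" -NoTypeInformation
```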

Origin blog.csdn.net/huangyongkang666/article/details/123824438