Arc 2: Operating the Company

"Your Identity" — Users, Groups & Authentication

Dana Kowalski keeps getting locked out of her account. While investigating, you'll discover how Windows proves who you are — and find an account that shouldn't exist.

Local Accounts vs. Domain Accounts

Windows supports two fundamentally different kinds of user accounts, and understanding the difference is critical for any IT professional.

A local account exists only on a single machine. When you create a user on a standalone workstation, that account is stored in the SAM (Security Account Manager) database on that computer. The account can only log into that one machine. If you have 500 workstations, you'd need to create 500 separate accounts for one user — a nightmare to manage.

A domain account exists in Active Directory (AD), a centralized database stored on one or more Domain Controllers. When a user logs into any domain-joined workstation, the computer contacts the Domain Controller to verify the credentials. One account, accessible from any machine in the domain. Change the password once, and it works everywhere.

Feature	Local Account	Domain Account
Stored in	SAM database on the local machine	Active Directory on the Domain Controller
Accessible from	Only the machine where it was created	Any domain-joined machine
Managed by	Local administrator	Domain administrator (centralized)
Password changes	Only affects that one machine	Propagates across the entire domain
Group Policy	Local Group Policy only	Domain Group Policy (centralized management)
Use case	Standalone machines, home PCs, emergency local admin	Enterprise environments with multiple machines

Security Note: Every Windows machine has a built-in local Administrator account (SID ending in -500) even when joined to a domain. Attackers who compromise this account can control the machine even if the domain connection is severed. Best practice: rename it, give it a strong unique password via LAPS (Local Administrator Password Solution), and disable it if possible.

SIDs — Security Identifiers

Windows doesn't actually track users by their username — it tracks them by a unique number called a Security Identifier (SID). A SID is a variable-length binary value that uniquely identifies a security principal (user, group, or computer) across the entire Windows ecosystem.

A typical SID looks like this:

â””â”€â”€ S SID marker — identifies this as a Security Identifier

â””â”€â”€ 1 Revision (always 1)

â””â”€â”€ 5 Identifier Authority (5 = NT Authority)

â””â”€â”€ 21-384...210 Domain Identifier — unique per domain

â””â”€â”€ 1201 RID — Relative Identifier (unique per account)

The RID (Relative Identifier) at the end is what distinguishes individual accounts within the same domain. The domain portion stays the same for all accounts in that domain — only the RID changes.

Well-known SIDs are fixed across all Windows installations:

SID	Identity	Why It Matters
`S-1-5-18`	Local System (SYSTEM)	The highest-privilege built-in account. Services running as SYSTEM have complete control over the local machine. Attackers escalating to SYSTEM own the box.
`S-1-5-19`	Local Service	A reduced-privilege account for services that don't need network access. Presents anonymous credentials to remote servers.
`S-1-5-20`	Network Service	A reduced-privilege account for services that DO need network access. Presents the computer's credentials to remote servers.
`S-1-5-32-544`	Administrators (built-in group)	Members of this group have full control over the local machine.
`S-1-5-32-545`	Users (built-in group)	Standard user group — limited privileges, can't install software globally.
`S-1-5-domain-500`	Domain/Local Administrator	The built-in administrator account. RID 500 is always the first admin account created.
`S-1-5-domain-512`	Domain Admins	Members have admin rights on every machine in the domain. The most powerful group in AD.

Key Insight: Because Windows uses SIDs internally, renaming an account does NOT change its identity. If you rename "Administrator" to "xyzAdmin123" for security through obscurity, the SID is still -500. Any tool that looks up SIDs (like attackers' tools) will find it instantly. SIDs are identity — names are just labels.

The SAM Database

The SAM (Security Account Manager) is the database where local account information is stored on every Windows machine. It lives at C:\Windows\System32\config\SAM and is one of the most security-critical files on the system.

The SAM stores:

Usernames and their corresponding SIDs
Password hashes (NTLM hashes — NOT plaintext passwords)
Local group memberships
Account status (enabled/disabled, lockout state)

The SAM file is locked by the operating system while Windows is running. You cannot simply copy, open, or read it from a live system. This is a security measure — if the SAM were readable, any user could extract password hashes and crack them offline.

Security Implications: Even though the SAM is locked at runtime, attackers have ways to extract its contents: (1) Volume Shadow Copy — Windows backup snapshots contain a copy of the SAM. (2) Offline access — boot from a USB drive and copy the SAM from the dormant file system. (3) Mimikatz — a post-exploitation tool that reads password hashes from memory (lsass.exe). This is why full-disk encryption (BitLocker) and Credential Guard matter — they protect these secrets even if an attacker gets physical or elevated access.

Active Directory — The Centralized Authority

Active Directory (AD) is Microsoft's directory service for centralized identity and resource management. If the SAM is a guest list at one building's reception desk, Active Directory is the master employee database for the entire company — every office, every city, every country.

AD uses a hierarchical structure:

Forest — The top-level security boundary. A forest can contain multiple domains that share a common schema and trust relationships. Most organizations have a single forest. Example: meridian.local.
Domain — A logical grouping of objects (users, computers, groups) that share a common namespace and security policies. Each domain has at least one Domain Controller. Example: meridian.local.
Organizational Unit (OU) — A container within a domain used to organize objects for administration and Group Policy application. Think of OUs like department folders. Examples: OU=Finance, OU=Engineering, OU=IT.
Objects — The actual entries in AD: Users, Groups, Computers, Contacts, Shared Printers, etc. Each object has attributes (name, email, department, SID, etc.).

At Meridian Dynamics, the AD structure looks like this:


                Forest: meridian.local

                  Domain: meridian.local

                    OU=IT

                      intern01, p.sharma, m.chen, t.manning(?)

                    OU=Finance

                      d.kowalski, r.patel, j.woods

                    OU=Engineering

                      m.brooks, s.nakamura, a.garcia

                    OU=HR

                      l.johnson, k.williams

                    OU=Servers

                      MD-DC01, MD-FS01, MD-WS-IT04, ...

The Domain Controller (DC) is the server that runs AD Domain Services (AD DS). It stores the AD database (ntds.dit), handles authentication requests (Kerberos/NTLM), replicates data to other DCs, and enforces Group Policy. At Meridian Dynamics, MD-DC01 is the primary Domain Controller.

Why Active Directory Exists: Imagine managing 1,000 employees across 2,000 workstations with only local accounts. Every password change, every new hire, every group membership change requires visiting each machine individually. AD solves this by centralizing everything. Create one account, set its permissions, apply group policies — and it works across every domain-joined machine in the organization. This is why AD is the backbone of virtually every enterprise Windows environment.

Groups — Types, Scopes, and AGDLP

Managing permissions user-by-user is unsustainable. Groups let you assign permissions once and then add users to the group. Windows has two types of groups and three group scopes.

Group Types:

Security Groups — Can be used to assign permissions to resources (file shares, folders, printers). They also have a SID that appears in access tokens. This is the type you'll use 99% of the time.
Distribution Groups — Used only for email distribution lists. They have no SID and cannot be used for permissions. Think of them as mailing lists, not access lists.

Group Scopes:

Scope	Members Can Include	Can Be Used In	Use Case
Global	Users and groups from the same domain only	Any domain in the forest (and trusted forests)	Organize users by role: "Finance-Users", "IT-Staff"
Domain Local	Users and groups from any domain in the forest	Only the domain where it was created	Assign permissions to resources: "Finance-Share-Read", "Payroll-Folder-Modify"
Universal	Users and groups from any domain in the forest	Any domain in the forest	Enterprise-wide groups, cross-domain access. Membership is replicated to all Global Catalogs (higher replication cost).

AGDLP Nesting Strategy — The recommended practice for managing permissions in AD:

Accounts → are placed into
Global groups (by role) → which are nested into
Domain Local groups (by resource permission) → which are granted
Permissions on the resource

Example at Meridian Dynamics: User d.kowalski (Account) is a member of Finance-Staff (Global group), which is a member of Finance-Share-Modify (Domain Local group), which has Modify permission on the Finance$ share (Permission). If Dana transfers departments, you just remove her from the Global group — the permissions take care of themselves.

Why AGDLP Matters: Without this strategy, you end up assigning permissions directly to user accounts. When someone leaves or changes roles, you have to hunt through every share, folder, and printer to clean up their access. AGDLP makes onboarding, offboarding, and role changes manageable — you only need to update group membership.

NTLM vs. Kerberos — How Windows Proves Who You Are

When you type your username and password at the Windows login screen, something has to verify those credentials. Windows uses two authentication protocols: NTLM (the legacy protocol) and Kerberos (the modern default in Active Directory).

Feature	NTLM	Kerberos
Type	Challenge-response	Ticket-based
How it works	Server sends a random challenge; client hashes the password with the challenge and sends it back. Server verifies.	Client gets a Ticket Granting Ticket (TGT) from the KDC, then uses it to request Service Tickets for specific resources.
Mutual auth?	No — client cannot verify server identity. Vulnerable to server impersonation.	Yes — both client and server prove identity to each other.
Password exposure	Hash sent over the network (NTLM hash). Vulnerable to pass-the-hash attacks.	Password never leaves the client. Only encrypted tickets travel the network.
Time-sensitive?	No	Yes — tickets have a lifespan (default: 10 hours). Clocks must be synced within 5 minutes.
Default in AD?	No — used as fallback only	Yes — preferred protocol in AD environments
Key weakness	Pass-the-hash, NTLM relay attacks	Pass-the-ticket, Golden Ticket (forged TGT), Kerberoasting
When used	Local account logons, IP-only access (no hostname), legacy systems, fallback when Kerberos fails	Domain logons, accessing resources by hostname in AD environments

Security Implications — Pass-the-Hash: In NTLM, the password hash itself is sufficient for authentication. An attacker who steals NTLM hashes (from memory, SAM, or network capture) doesn't need to crack them — they can "pass" the hash directly to authenticate as that user. This is why Kerberos is preferred: it uses time-limited tickets instead of persistent hashes. However, Kerberos has its own vulnerabilities: a Golden Ticket attack uses a compromised KDC key to forge TGTs, granting unlimited domain access until the KDC key is rotated.

Access Tokens — Your Digital ID Badge

When you successfully log into Windows, the system creates an access token — a data structure that represents your identity for the entire session. Think of it as a digital ID badge that every process you run carries with it.

An access token contains:

User SID — Your unique identifier (e.g., S-1-5-21-...-1201 for intern01)
Group SIDs — Every group you belong to (Domain Users, IT-Staff, etc.)
Privileges — Special permissions like SeDebugPrivilege, SeBackupPrivilege, SeShutdownPrivilege
Integrity Level — Low, Medium, High, or System (determines what objects you can access)
Logon Session ID — Which logon session this token belongs to

Every process you launch inherits your access token. When you open Notepad, cmd.exe, or a browser — each of those processes runs with your token. When they try to access a file, the Security Reference Monitor compares the process's token against the file's DACL to decide whether to allow or deny access.

Why This Matters: If malware runs under your user account, it inherits your access token — meaning it has access to everything you have access to. This is why running as a standard user (not admin) limits the blast radius of a compromise. The malware can only reach what your token allows.

UAC — User Account Control

User Account Control (UAC) is Windows' mechanism for preventing administrative tasks from running automatically. Even if you're logged in as an administrator, UAC ensures that your processes run with a filtered (standard) token by default. Only when you explicitly approve an elevation prompt does the process receive the full (elevated) token.

This is called the split token model:

Admin Login

â”œâ”€â”€ Filtered Token (Medium Integrity)

â”‚ â””â”€â”€ explorer.exe, notepad.exe, chrome.exe

â”‚ standard user rights — your normal desktop

â””â”€â”€ Elevated Token (High Integrity)

â””â”€â”€ Admin tools, installers, system config

full admin rights — only after "Yes" click

Integrity Levels provide an additional layer of isolation:

Integrity Level	Typical Use	Can Write To
System	SYSTEM account, kernel-level services	Everything
High	Elevated administrator processes	System files, Program Files, HKLM registry
Medium	Standard user processes (default for logged-in users)	User profile, HKCU registry, user-writable folders
Low	Sandboxed processes (browser tabs, Protected Mode IE)	Only the %USERPROFILE%\AppData\LocalLow folder

A process at a lower integrity level cannot write to objects at a higher integrity level, even if the DACL would otherwise allow it. This prevents a compromised browser tab (Low) from modifying your documents (Medium) or system files (High).

Security Note: UAC is not a security boundary — Microsoft has stated that bypasses are not always treated as security vulnerabilities. It's a convenience feature that reduces accidental damage and makes malware authors work harder. For true privilege separation, use separate admin and standard user accounts (not just UAC prompts on the same account).

Account Policies — Password and Lockout

Account policies define the rules for passwords and account lockouts across the domain. These are configured via Group Policy and apply to all users in the domain.

Password Policy:

Setting	Meridian Dynamics Value	Purpose
Minimum password length	12 characters	Longer passwords are exponentially harder to brute-force
Password complexity	Enabled	Must include 3 of 4 categories: uppercase, lowercase, digits, special characters
Maximum password age	90 days	Force periodic password changes (controversial — NIST now recommends against mandatory rotation)
Minimum password age	1 day	Prevent users from cycling through passwords to reuse their favorite
Password history	24 passwords remembered	Prevent reusing recent passwords
Reversible encryption	Disabled	Should always be disabled — stores passwords in a format that can be reversed to plaintext

Account Lockout Policy:

Setting	Meridian Dynamics Value	Purpose
Account lockout threshold	5 bad attempts	Lock the account after 5 incorrect passwords
Account lockout duration	30 minutes	How long the account stays locked (0 = admin must unlock)
Reset lockout counter after	15 minutes	Bad password count resets to 0 after 15 minutes of no failures

Dana's Problem: With a lockout threshold of 5 and a reset counter of 15 minutes, if Dana mistyped her password 5 times within 15 minutes, her account would lock for 30 minutes. But if her account keeps locking repeatedly, it could indicate something more serious — a brute-force attack against her account, a misconfigured service using old credentials, or a mapped drive with a saved (wrong) password.

Kerberos Authentication Flow

Click Play to watch a Kerberos ticket travel from the user's workstation to the KDC and back. Click any step to explore what happens and why it matters.

Active Directory Hierarchy

Meridian Dynamics' AD structure — from the forest root down to individual user and computer objects.

Forest: meridian.local

Trust boundary • Schema • Global Catalog

↓

Domain: meridian.local

DC: MD-DC01 • MD-DC02 — Kerberos realm • Group Policy

↓

OU=IT

OU=Finance

OU=Engineering

OU=HR

OU=Servers

↓

intern01
p.sharma
m.chen

t.manning
⚠ ghost account

d.kowalski
r.patel
j.woods

m.brooks
s.nakamura

MD-DC01
MD-DC02
MD-FS01

X-Ray Mode: What Happens When intern01 Logs In

Watch the complete login flow step by step. The diagram highlights which component is active while the terminal shows the Windows Security Event Log entries that correspond to each stage.

Press Play to begin X-Ray walkthrough...

Investigation Lab: Dana's Lockouts & The Ghost Account

Scenario: Dana Kowalski, Finance Director (workstation MD-WS-FIN01), keeps getting locked out of her account. Priya asks you to look into the lockouts on the domain controller. "Check her account status, see what the lockout policy says, and while you're in there, do a general review of the user accounts — make sure everything looks right." You're connected to MD-DC01 (the primary Domain Controller) via Remote Desktop.

Run whoami /user to confirm your own identity and see your SID.

Hint: Your SID starts with S-1-5-21 followed by the domain identifier and your RID

Run whoami /priv to see what privileges your access token carries.

Hint: As an intern with limited rights, you won't have many privileges enabled

Run net user intern01 /domain to check your own AD account details.

Run net user d.kowalski /domain to investigate Dana's account. Is it locked? What's the bad password count?

Hint: Look at "Account active", "Account lockout", and the bad password count

Run net accounts /domain to see the domain's password and lockout policies. Does the lockout threshold explain Dana's issue?

Run net user /domain to list all domain users. Browse the list — do all these accounts look right? Then run net group "Domain Users" /domain to see group members.

Hint: Look for any name you don't recognize — especially in a privileged position

You notice t.manning in the list. Run net user t.manning /domain to investigate. Then check net group "IT-Admins" /domain. Is this account supposed to be active?

Hint: Check the "Comment" field, "Last logon", and group memberships carefully