Miscellaneous
User SID and RID
In Active Directory, any group or user that Windows doesn't create has a RID of 1000 or greater. The last 8 bytes of the RID determine the user's group.
RID : 0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000
SID : 0x0105000000000005150000001c00d1bcd181f1492bdfc236
Group: f4010000
-> 0x01f4
-> 500
Administrators
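The byte layout behind the breakdown above, as an added example that is not part of the original notes: the hex string is a binary SID whose trailing four bytes, read little-endian, hold the RID. The function name, the returned field names and the small well-known-RID table are choices made for this example.

```python
import struct

# Sample value copied from the notes above (a full binary SID as hex).
PAGE_SID_HEX = "0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000"

# A few Microsoft-defined domain RIDs; table contents chosen for this example.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(hex_sid: str) -> dict:
    """Decode a binary SID (hex, optional 0x prefix) into string form and RID."""
    text = hex_sid.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on non-hex or odd-length input
    if len(raw) < 8:
        raise ValueError("shorter than the 8-byte SID header")
    revision, count = raw[0], raw[1]
    if revision != 1 or not 1 <= count <= 15:
        raise ValueError("unexpected revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    # Identifier authority: 6 bytes, big-endian (5 = NT Authority).
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit little-endian, so f4 01 00 00 -> 0x000001f4 -> 500.
    subs = list(struct.unpack(f"<{count}I", raw[8:]))
    rid = subs[-1]
    prefix = f"S-{revision}-{authority}"
    return {
        "sid": "-".join([prefix, *map(str, subs)]),
        "domain_sid": "-".join([prefix, *map(str, subs[:-1])]),
        "sub_authorities": subs,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        # Per the notes: objects Windows did not create get RID >= 1000.
        "windows_created": rid < 1000,
    }


if __name__ == "__main__":
    for key, value in parse_sid(PAGE_SID_HEX).items():
        print(f"{key}: {value}")
```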
NTDS
NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It is the primary database file of Microsoft's Active Directory Domain Services (AD DS). NTDS.DIT stores and organizes all the information related to objects in the domain, including users, groups, computers, and more. It acts as the backbone of Active Directory, housing critical data such as user account details, passwords, group memberships, and other object attributes.
- Location (on a Domain Controller):
C:\Windows\NTDS\ntds.dit
Reset krbtgt (min every 180 days)
https://www.stigviewer.com/stig/windows_server_2016/2019-03-13/finding/V-91779
Get-ADUser krbtgt -Property PasswordLastSet
- Two resets are required to invalidate the previous Kerberos password and to stop potential malicious use. Ensure you force replication between the resets. We can also use New-KrbtgtKeys.ps1 from Microsoft to "reset the krbtgt account password while minimizing the likelihood of Kerberos authentication issues being caused by the operation". https://github.com/microsoft/New-KrbtgtKeys.ps1