Active Directory Glossary

The glossary focuses on how Active Directory objects are categorized, how privilege tiers such as Tier 0 are determined, and how relationships between objects can impact the overall security posture of the environment.

Active Directory Object / Entity

The term Object or Entity refers to any object in the Active Directory environment. FSProtect enumerates and analyzes the following object/entity types:

  • Forest

  • Domain

  • Computer

  • User

  • Group

  • Group Policy Object

  • Organizational Unit

  • Managed Service Account

  • Group Managed Service Account

  • Local User

  • Local Group

  • Certificate Authority

  • Certificate Template

  • Certificate Authority Certificate

Tier0

What “Tier 0” Means

Tier 0 objects hold the keys to your entire Active Directory (AD) forest. Anyone who can control a Tier 0 object can ultimately control every other object.

For that reason, Tier 0 assets must be managed only from equally protected Tier 0 workstations by the most-trusted admins.

Which Objects Are Always Tier 0

Type: Name in Active Directory

  • Group Policy Object (GPO): Default Domain Policy

  • Organizational Unit (OU): Domain Controllers

  • Container: Users and AdminSDHolder

  • Built-in or Privileged Groups:

    • Dns Admins

    • Domain Admins

    • Domain Controllers

    • Cert Publishers

    • Cloneable Domain Controllers

    • Key Admins

    • Enterprise Key Admins

    • Schema Admins

    • Enterprise Admins

    • Built-in Administrators

    • Account Operators

    • Server Operators

    • Print Operators

    • Backup Operators

    • Distributed COM Users

    • Cryptographic Operators

    • Enterprise Domain Controllers

    • Performance Log Users

    • Incoming Forest Trust Builders

  • Built-in Users:

    • Administrator

    • krbtgt

How Everything Else Gets Its Tier

Groups

  • Group is on the “Tier 0 groups” list.

  • Group is a member (directly or through nesting) of any Tier 0 group.

Computers & Servers

  • Computer is a Domain Controller.

  • Computer hosts an Active Directory Certificate Authority (CA).

  • Computer is a member (directly or through nesting) of any Tier 0 group.

  • Computer is added to a Tier 0 group that lives in another trusted domain.

Users

  • User is on the “Tier 0 users” list.

  • User is a member (directly or through nesting) of any Tier 0 group.

  • User is added to a Tier 0 group that lives in another trusted domain.

Local Users

  • Local User is a local administrator on a Tier 0 computer.

Service Accounts (MSA, gMSA, dMSA)

  • Service Account is a member (directly or through nesting) of any Tier 0 group.

  • Service Account is added to a Tier 0 group that lives in another trusted domain.

Certificate Templates

  • Template is published in Active Directory Certificate Services.

Organizational Units (OUs)

An OU takes the highest-privilege tier of anything stored inside it: if any child object is Tier 0, the OU becomes Tier 0.

Containers

Same rule as OUs: the container takes the highest tier of its contents.

Group Policy Objects (GPOs)

  • GPO is linked directly to the domain root.

  • GPO is linked to any OU or container that is Tier 0.

Logon / Startup Scripts

A script takes the highest tier of every GPO that assigns it. If one GPO is Tier 0, the script is Tier 0.
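As an added example (not FSProtect's own code), the tiering rules above expressed as a small Python model: nested group membership, OUs and containers inheriting the highest tier of their contents, GPO links, and scripts inheriting from the GPOs that assign them. The directory data is constructed, a single domain is assumed (the cross-domain trust rule is not modelled), and TIER0_GROUPS is only a subset of the always-Tier-0 list.

```python
# Constructed sample directory (not real data); subset of the Tier 0 lists above.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
TIER0_USERS = {"Administrator", "krbtgt"}
DOMAIN_CONTROLLERS = {"DC01$"}
CA_HOSTS = {"PKI01$"}                      # computers hosting an AD CS CA
DOMAIN_ROOT = "DC=corp,DC=example"         # constructed domain root DN
MEMBER_OF = {  # object -> groups it is a direct member of
    "Backup Ops Team": {"Domain Admins"},  # custom group nested into Tier 0
    "alice": {"Backup Ops Team"},          # Tier 0 only through nesting
    "bob": {"IT Staff"},                   # IT Staff is not Tier 0
}
OU_CHILDREN = {  # OU -> objects (users, computers, child OUs) directly inside it
    "Tier0 Servers": {"PKI01$"},
    "Servers": {"SRV-FILE01$", "Tier0 Servers"},
    "Workstations": {"WS01$", "bob"},
}
GPO_LINKS = {  # GPO -> OUs/containers (or the domain root) it is linked to
    "Default Domain Policy": {DOMAIN_ROOT},
    "Harden Servers": {"Servers"},
    "Desktop Wallpaper": {"Workstations"},
}
SCRIPT_GPOS = {"logon.ps1": {"Harden Servers"}, "wallpaper.bat": {"Desktop Wallpaper"}}

def nested_groups(obj):
    """All groups obj belongs to, directly or through nesting."""
    seen, todo = set(), list(MEMBER_OF.get(obj, ()))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(MEMBER_OF.get(g, ()))
    return seen

def is_tier0_principal(obj):
    """User/group/computer/service account: on a Tier 0 list, DC, CA host, or nested member."""
    return (obj in TIER0_USERS or obj in TIER0_GROUPS or obj in DOMAIN_CONTROLLERS
            or obj in CA_HOSTS or bool(nested_groups(obj) & TIER0_GROUPS))

def is_tier0_ou(ou):
    """An OU or container takes the highest tier of anything stored in it."""
    return any(is_tier0_ou(c) if c in OU_CHILDREN else is_tier0_principal(c)
               for c in OU_CHILDREN.get(ou, ()))

def is_tier0_gpo(gpo):
    """Linked to the domain root, or to any Tier 0 OU/container."""
    return any(t == DOMAIN_ROOT or is_tier0_ou(t) for t in GPO_LINKS.get(gpo, ()))

def is_tier0_script(script):
    """A script inherits the highest tier of every GPO that assigns it."""
    return any(is_tier0_gpo(g) for g in SCRIPT_GPOS.get(script, ()))
```

Note that "Servers" becomes Tier 0 only because its child OU holds the CA host, and that tier then flows to the "Harden Servers" GPO and to logon.ps1.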

Admin

Objects that have direct privilege on the entire Active Directory environment or that can lead to total Active Directory compromise. FSProtect marks the following objects as Admin.

  • Direct or nested members of

    • Administrators

    • Domain Admins

    • Enterprise Admins

  • Domain Controller Servers

  • KRBTGT

  • Certificate Authorities

Privileged

Objects that have direct privilege on some Active Directory objects or that can lead to compromise of Admin objects. FSProtect marks the following objects as Privileged.

  • All Admin objects

  • Direct or nested members of

    • Account Operators

    • Backup Operators

    • Cert Publishers

    • Cryptographic Operators

    • DnsAdmins

    • Enterprise Key Admins

    • Enterprise Read-only Domain Controllers

    • Group Policy Creator Owners

    • Incoming Forest Trust Builders

    • Key Admins

    • Network Configuration Operators

    • Print Operators

    • Read-only Domain Controllers

    • Remote Desktop Users

    • Replicator

    • Schema Admins

Unprivileged

All other objects that are neither Privileged nor Admin.

Everyone-Like

Groups that contain all/general objects in Active Directory. FSProtect marks the following objects as Everyone-Like.

  • Everyone

  • World

  • Anonymous

  • Authenticated Users

  • Users

  • Guests

  • Domain Guests

  • Domain Users

  • Domain Computers

Local Admin

Objects that have direct or nested membership in the local Administrators group of at least one computer.

Service Account

Users with the servicePrincipalName attribute set.

Explicit Local Admin

Objects that have direct membership in the local Administrators group.

Group Delegated Local Admin

Objects that have nested (group-delegated) membership in the local Administrators group.

Online

Computers that were reachable on port 445 during the network scan.

Shadow Admin

Unprivileged or Privileged objects that can compromise Admin objects through attack paths.
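As an added example (not FSProtect's own code), the Admin / Privileged / Unprivileged classes and the Shadow Admin check above as a Python model over a constructed directory: an object is a Shadow Admin when it is not itself Admin but a chain of membership or control edges leads to an Admin object, and the chain is returned so a defender can see what to remediate. The CONTROLS relation, the object names and the edge semantics are assumptions for illustration; the group lists are a subset of the ones above.

```python
from collections import deque

# Constructed sample directory (not real data). Group names come from the Admin
# and Privileged sections above (subset); object names and edges are invented.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
PRIVILEGED_GROUPS = {"Account Operators", "Backup Operators", "DnsAdmins"}
DOMAIN_CONTROLLERS = {"DC01$"}
MEMBER_OF = {  # object -> groups it is a direct member of
    "alice": {"Domain Admins"},
    "svc_backup": {"Backup Operators"},
    "carol": {"Helpdesk"},
}
CONTROLS = {  # object -> objects it can take over through some right it holds
    "Helpdesk": {"svc_backup"},   # e.g. a right over the service account
    "svc_backup": {"DC01$"},      # e.g. a right over a domain controller
    "dave": {"WS01$"},            # local admin on one workstation only
}

def reach(start, *relations):
    """BFS over the given adjacency maps; returns {node: predecessor} in discovery order."""
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        for rel in relations:
            for nxt in rel.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
    return prev

def base_class(obj):
    """Admin / Privileged / Unprivileged from the group lists, DCs and krbtgt."""
    groups = set(reach(obj, MEMBER_OF))  # obj itself plus every nested group
    if obj in DOMAIN_CONTROLLERS or obj == "krbtgt" or groups & ADMIN_GROUPS:
        return "Admin"
    return "Privileged" if groups & PRIVILEGED_GROUPS else "Unprivileged"

def attack_path(start):
    """Shortest chain of membership/control edges from start to an Admin object, or None."""
    prev = reach(start, MEMBER_OF, CONTROLS)
    targets = [n for n in prev if n != start and base_class(n) == "Admin"]
    if not targets:
        return None
    cur, path = targets[0], []  # first Admin reached in BFS order is the nearest
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]

def is_shadow_admin(obj):
    """Not Admin itself, but an attack path to an Admin object exists."""
    return base_class(obj) != "Admin" and attack_path(obj) is not None
```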
