# Active Directory Glossary

This glossary explains how FSProtect categorizes Active Directory objects, how privilege tiers such as Tier 0 are determined, and how relationships between objects affect the overall security posture of the environment.

## **Active Directory Object / Entity**

The terms Object and Entity are used interchangeably for the items FSProtect enumerates and analyzes in an Active Directory environment. The following object/entity types are covered:

* Forest
* Domain
* Computer
* User
* Group
* Group Policy Object
* Organizational Unit
* Managed Service Account
* Group Managed Service Account
* Local User
* Local Group
* Certificate Authority
* Certificate Template
* Certificate Authority Certificate

## Tier 0

### What “Tier 0” Means

Tier 0 objects hold the keys to the entire Active Directory (AD) forest. Anyone who controls a Tier 0 object can, directly or through a short chain of steps, control every other object in the forest.

For that reason, Tier 0 assets must be administered only by the most-trusted admins, and only from dedicated Tier 0 workstations that are protected to the same standard as the assets themselves.

### Which Objects Are Always Tier 0

| Type                              | Name in Active Directory |
| --------------------------------- | ------------------------ |
| **Group Policy Object (GPO)**     | Default Domain Policy |
| **Organizational Unit (OU)**      | Domain Controllers |
| **Container**                     | • Users<br>• AdminSDHolder |
| **Built-in or Privileged Groups** | • DnsAdmins<br>• Domain Admins<br>• Domain Controllers<br>• Cert Publishers<br>• Cloneable Domain Controllers<br>• Key Admins<br>• Enterprise Key Admins<br>• Schema Admins<br>• Enterprise Admins<br>• Administrators (built-in)<br>• Account Operators<br>• Server Operators<br>• Print Operators<br>• Backup Operators<br>• Distributed COM Users<br>• Cryptographic Operators<br>• Enterprise Domain Controllers<br>• Performance Log Users<br>• Incoming Forest Trust Builders |
| **Built-in Users**                | • Administrator<br>• krbtgt |

### How Everything Else Gets Its Tier

| Object type                               | Becomes Tier 0 when |
| ----------------------------------------- | ------------------- |
| **Groups**                                | • Group is on the Tier 0 groups list above.<br>• Group is a direct or nested member of any Tier 0 group. |
| **Computers & Servers**                   | • Computer is a Domain Controller.<br>• Computer hosts an Active Directory Certificate Services Certificate Authority (CA).<br>• Computer is a direct or nested member of any Tier 0 group.<br>• Computer is a member of a Tier 0 group that lives in another trusted domain. |
| **Users**                                 | • User is on the Tier 0 users list above.<br>• User is a direct or nested member of any Tier 0 group.<br>• User is a member of a Tier 0 group that lives in another trusted domain. |
| **Local Users**                           | • Local user is a member of the local Administrators group on a Tier 0 computer. |
| **Service Accounts** (MSA, gMSA, dMSA)    | • Service account is a direct or nested member of any Tier 0 group.<br>• Service account is a member of a Tier 0 group that lives in another trusted domain. |
| **Certificate Templates**                 | • Template is published in Active Directory Certificate Services (a CA in the forest issues from it). |
| **Organizational Units (OUs)**            | • OU takes the highest tier of anything stored inside it: if any child object is Tier 0, the OU is Tier 0. |
| **Containers**                            | • Same rule as OUs: the container takes the highest tier of its contents. |
| **Group Policy Objects (GPOs)**           | • GPO is linked directly to the domain root.<br>• GPO is linked to any OU or container that is Tier 0. |
| **Logon / Startup Scripts**               | • Script takes the highest tier of every GPO that assigns it: if one assigning GPO is Tier 0, the script is Tier 0. |
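The rules above describe a propagation: Tier 0 spreads from the fixed list through nested membership, then up into the OUs and containers that hold those objects, then into the GPOs linked there and the scripts those GPOs assign. The following Python model, added here as an illustration and not part of FSProtect's own code, applies those rules to a small constructed snapshot of a domain so the chain is visible end to end. The snapshot format, object names, attribute names (`parent`, `members`, `links`, `scripts`, `admin_on`, `is_dc`, `hosts_ca`, `published`) and helper functions are assumptions made for this example; the cross-domain trust rules are not modelled.

```python
"""Added example, not FSProtect's own code: applies the glossary's Tier 0
rules to a constructed domain snapshot. Names and attributes are assumptions."""

# Groups that are always Tier 0 (from the table above).
TIER0_GROUPS = {
    "DnsAdmins", "Domain Admins", "Domain Controllers", "Cert Publishers",
    "Cloneable Domain Controllers", "Key Admins", "Enterprise Key Admins",
    "Schema Admins", "Enterprise Admins", "Administrators", "Account Operators",
    "Server Operators", "Print Operators", "Backup Operators",
    "Distributed COM Users", "Cryptographic Operators",
    "Enterprise Domain Controllers", "Performance Log Users",
    "Incoming Forest Trust Builders",
}
# Users, GPO, OU and containers that are always Tier 0 (same table).
ALWAYS_TIER0 = {"Administrator", "krbtgt", "Default Domain Policy",
                "OU=Domain Controllers", "CN=Users", "CN=AdminSDHolder"}

# Constructed snapshot (assumption): name -> attributes. "parent" is the OU or
# container holding the object ("DOMAIN" = domain root); "members" are a group's
# direct members; "links"/"scripts" belong to GPOs; "admin_on" lists computers
# on which a local user sits in the local Administrators group.
SNAPSHOT = {
    "Domain Admins": {"type": "group", "parent": "CN=Users",
                      "members": ["Administrator", "SrvAdmins"]},
    "SrvAdmins": {"type": "group", "parent": "OU=Groups", "members": ["alice", "svc_sql"]},
    "Helpdesk": {"type": "group", "parent": "OU=Groups", "members": ["bob"]},
    "Administrator": {"type": "user", "parent": "CN=Users"},
    "krbtgt": {"type": "user", "parent": "CN=Users"},
    "alice": {"type": "user", "parent": "OU=Staff"},
    "bob": {"type": "user", "parent": "OU=Staff"},
    "svc_sql": {"type": "gmsa", "parent": "OU=Servers"},
    "DC01": {"type": "computer", "parent": "OU=Domain Controllers", "is_dc": True},
    "PKI01": {"type": "computer", "parent": "OU=Servers", "hosts_ca": True},
    "WS01": {"type": "computer", "parent": "OU=Workstations"},
    "PKI01\\backupsvc": {"type": "local_user", "admin_on": ["PKI01"]},
    "WS01\\kiosk": {"type": "local_user", "admin_on": ["WS01"]},
    "CN=Users": {"type": "container", "parent": "DOMAIN"},
    "OU=Domain Controllers": {"type": "ou", "parent": "DOMAIN"},
    "OU=Groups": {"type": "ou", "parent": "DOMAIN"},
    "OU=Staff": {"type": "ou", "parent": "DOMAIN"},
    "OU=Servers": {"type": "ou", "parent": "DOMAIN"},
    "OU=Workstations": {"type": "ou", "parent": "DOMAIN"},
    "Default Domain Policy": {"type": "gpo", "links": ["DOMAIN"], "scripts": ["logon.bat"]},
    "Staff Baseline": {"type": "gpo", "links": ["OU=Staff"], "scripts": ["map_drives.bat"]},
    "WS Hardening": {"type": "gpo", "links": ["OU=Workstations"], "scripts": ["map_drives.bat"]},
    "WebServer": {"type": "cert_template", "published": True},
    "RetiredTemplate": {"type": "cert_template", "published": False},
}


def nested_members(snapshot, group):
    """All direct and nested members of a group (the group itself excluded)."""
    seen, stack = set(), list(snapshot[group].get("members", []))
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            stack.extend(snapshot.get(m, {}).get("members", []))
    return seen


def ancestors(snapshot, name):
    """OUs/containers above an object, nearest first, stopping at the root."""
    out, cur = [], snapshot.get(name, {}).get("parent")
    while cur in snapshot:
        out.append(cur)
        cur = snapshot[cur]["parent"]
    return out


def classify_tier0(snapshot):
    """Return the set of object names that are Tier 0 under the glossary rules."""
    t0 = {n for n in ALWAYS_TIER0 if n in snapshot}
    # Listed groups, plus every direct or nested member (users, computers,
    # groups and service accounts alike).
    for g in TIER0_GROUPS & set(snapshot):
        t0.add(g)
        t0 |= nested_members(snapshot, g)
    for n, o in snapshot.items():
        # Domain Controllers and CA hosts are Tier 0 regardless of membership.
        if o["type"] == "computer" and (o.get("is_dc") or o.get("hosts_ca")):
            t0.add(n)
        # Published certificate templates are Tier 0.
        if o["type"] == "cert_template" and o.get("published"):
            t0.add(n)
    # Local users that are local administrators on a Tier 0 computer.
    for n, o in snapshot.items():
        if o["type"] == "local_user" and any(c in t0 for c in o["admin_on"]):
            t0.add(n)
    # OUs and containers inherit the highest tier of anything stored inside.
    for n in list(t0):
        t0.update(ancestors(snapshot, n))
    # GPOs linked to the domain root or to any Tier 0 OU/container ...
    for n, o in snapshot.items():
        if o["type"] == "gpo" and any(l == "DOMAIN" or l in t0 for l in o["links"]):
            t0.add(n)
    # ... and every script such a GPO assigns.
    for n, o in snapshot.items():
        if o["type"] == "gpo" and n in t0:
            t0.update(o["scripts"])
    return t0
```

Two things in the result are worth noticing. `OU=Staff` becomes Tier 0 only because `alice` is nested into Domain Admins through `SrvAdmins`, which in turn drags the `Staff Baseline` GPO into Tier 0. And `map_drives.bat` is Tier 0 because `Staff Baseline` assigns it, even though the workstation GPO `WS Hardening` (not Tier 0) assigns the same file: whoever can edit that script through the workstation side can now run code in a Tier 0 logon context, which is exactly the kind of relationship the tiering rules are meant to surface.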

## **Admin**

Objects that hold direct privilege over the entire Active Directory environment, or whose compromise leads directly to total Active Directory compromise. FSProtect marks the following objects as Admin:

* Direct or nested members of
  * Administrators
  * Domain Admins
  * Enterprise Admins
* Domain Controllers (computer objects)
* krbtgt
* Certificate Authorities (AD CS CA servers)

## **Privileged**

Objects that hold direct privilege over some Active Directory objects, or whose compromise can lead to the compromise of Admin objects. FSProtect marks the following objects as Privileged:

* All Admin objects
* Direct or nested members of
  * Account Operators
  * Backup Operators
  * Cert Publishers
  * Cryptographic Operators
  * DnsAdmins
  * Enterprise Key Admins
  * Enterprise Read-only Domain Controllers
  * Group Policy Creator Owners
  * Incoming Forest Trust Builders
  * Key Admins
  * Network Configuration Operators
  * Print Operators
  * Read-only Domain Controllers
  * Remote Desktop Users
  * Replicator
  * Schema Admins

## **Unprivileged**

All objects that are neither Admin nor Privileged.

## **Everyone-Like**

Groups and well-known security principals whose membership effectively includes all (or nearly all) accounts in Active Directory. A right granted to any of them is, in practice, granted to everyone. FSProtect marks the following objects as Everyone-Like:

* Everyone
* World
* Anonymous
* Authenticated Users
* Users
* Guests
* Domain Guests
* Domain Users
* Domain Computers

## **Local Admin**

Objects that are direct or nested members of the local Administrators group on at least one computer.

## **Service Account**

Users with the `servicePrincipalName` attribute set, i.e. accounts that Kerberos can issue service tickets for.

## **Explicit Local Admin**

Objects that are direct members of the local Administrators group on at least one computer.

## **Group Delegated Local Admin**

Objects that are members of the local Administrators group on at least one computer only through membership in another group (nested membership).

## **Online**

Computers that responded on TCP port 445 (SMB) during the network scan.

## **Shadow Admin**

Objects that are not Admin (Unprivileged or Privileged) but can compromise an Admin object through an attack path, for example ACL abuse, group nesting, or local administrator rights on an Admin computer.
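A Shadow Admin is found by reachability, not by membership: the object is outside the Admin set, yet some chain of relationships leads from it to an Admin object. The Python below, added as an illustration and not FSProtect's own code, shows that computation on a small constructed control graph. The object names, the edge list and the always-Admin set are assumptions for this example; edge names follow common attack-path vocabulary (`MemberOf`, `GenericAll`, `AdminTo`, `CanRDP`), and each edge means "control of the source gives control of the target".

```python
"""Added example, not FSProtect's own code: Shadow Admin detection by graph
reachability on a constructed control graph. Names and edges are assumptions."""
from collections import deque

# Constructed edges (assumption): (source, relation, target).
EDGES = [
    ("Administrator", "MemberOf", "Administrators"),
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "Domain Admins"),   # can add members to Domain Admins
    ("carol", "AdminTo", "PKI01"),                 # local Administrators on the CA host
    ("dave", "MemberOf", "Remote Desktop Users"),
    ("Remote Desktop Users", "CanRDP", "WS01"),
    ("svc_backup", "MemberOf", "Backup Operators"),
]
# Admin per the glossary: members of these groups, plus DCs, krbtgt and CA hosts.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ALWAYS_ADMIN = {"DC01", "krbtgt", "PKI01"}   # DC01 is a DC, PKI01 hosts a CA (assumed)


def nodes(edges):
    """Every object that appears in the edge list."""
    return {n for s, _, t in edges for n in (s, t)}


def reachable(edges, start, relations=None):
    """Breadth-first search from start. Returns {node: path}; a path alternates
    node, relation, node. Dict order is discovery order, so the first Admin
    node encountered is the one with the fewest hops. `relations` restricts
    which edge types may be followed (None = all)."""
    adj = {}
    for s, rel, t in edges:
        if relations is None or rel in relations:
            adj.setdefault(s, []).append((rel, t))
    paths, queue = {start: [start]}, deque([start])
    while queue:
        n = queue.popleft()
        for rel, t in adj.get(n, []):
            if t not in paths:
                paths[t] = paths[n] + [rel, t]
                queue.append(t)
    return paths


def admin_objects(edges):
    """Admin = always-Admin objects plus direct/nested members of Admin groups.
    Only MemberOf edges count here: having a right *over* Domain Admins is an
    attack path, not membership."""
    admins = set(ALWAYS_ADMIN) | set(ADMIN_GROUPS)
    for n in nodes(edges) - admins:
        if any(t in ADMIN_GROUPS for t in reachable(edges, n, {"MemberOf"})):
            admins.add(n)
    return admins


def shadow_admins(edges):
    """Non-Admin objects with an attack path to an Admin object, with the path."""
    admins = admin_objects(edges)
    found = {}
    for n in sorted(nodes(edges) - admins):
        paths = reachable(edges, n)
        hit = next((t for t in paths if t in admins), None)
        if hit:
            found[n] = paths[hit]
    return found


if __name__ == "__main__":
    for obj, path in shadow_admins(EDGES).items():
        print(f"{obj}: {' '.join(path)}")
```

In this graph `bob` is an Unprivileged user and `Helpdesk` an ordinary group, yet both are Shadow Admins because of one `GenericAll` ACE on Domain Admins; `svc_backup` is Privileged (Backup Operators) but has no modelled path and so is not flagged. The distinction the function draws, membership edges for the Admin set versus any edge for Shadow Admin, is what keeps the two categories from collapsing into each other. One practical caveat when you reproduce this against a real domain: an ACE like `Helpdesk -> GenericAll -> Domain Admins` is overwritten by the SDProp process unless it is also present on the AdminSDHolder container, which is one reason AdminSDHolder itself sits on the always-Tier 0 list.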

