eastbaycyber

Active Directory (AD): Definition, How It Works, and Where You’ll Encounter It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Active Directory (AD) is Microsoft’s directory service used to centrally manage identities (users, groups, computers) and enforce access policies within a Windows domain. In practice, it’s the backbone for authentication, authorization, and configuration management across many enterprise and SMB Windows networks.

Active Directory (AD) is Microsoft’s directory service for identity and access management in a Windows domain—meaning it’s often the control plane behind Windows logons, permissions, and Group Policy in business networks. Because AD ties together authentication (who you are), authorization (what you can access), and configuration (how endpoints are managed), it’s also one of the highest-impact systems to secure.

How Active Directory works

At a high level, AD provides a shared source of truth (“directory”) about who and what exists in the environment—and what they’re allowed to do. It does this via components and protocols that work together.

Core components you should know

Domain
A logical boundary for identity and policy. Devices and user accounts joined to the domain use domain services instead of only local accounts.

Domain Controller (DC)
A Windows Server that runs Active Directory Domain Services (AD DS). DCs: - store the directory database (objects like users, groups, computers) - authenticate users and computers - replicate directory data to other DCs for availability and consistency

Objects and attributes
Everything in AD is represented as an object with attributes: - Users (e.g., sAMAccountName, userPrincipalName, group membership) - Computers (e.g., workstation/server accounts) - Groups (security groups and distribution groups) - Organizational Units (OUs) for structuring and delegating admin control - Service accounts (including managed service accounts in many environments)

Group Policy (GPO)
A central mechanism to enforce Windows configuration at scale (password policies, firewall settings, software deployment, scripts, security baselines). GPOs are linked to sites/domains/OUs and apply in a defined processing order.

DNS (Domain Name System)
AD depends heavily on DNS. DC discovery, Kerberos, and many client operations rely on correct DNS configuration. If DNS is wrong, “AD is down” symptoms often follow.

Key protocols and flows (what actually happens during logon)

Kerberos (common default in domain logons)
Kerberos is the primary authentication protocol in most modern AD environments. Simplified view: 1. A user signs in to a domain-joined machine. 2. The client contacts a DC (acting as the Key Distribution Center, or KDC). 3. The DC issues a Ticket Granting Ticket (TGT). 4. The client uses the TGT to request service tickets for resources (file servers, apps, etc.). 5. Access is granted based on the user’s identity and group memberships.

LDAP (directory queries)
LDAP is used to query and modify directory data (look up users/groups, check attributes, enumerate objects). Many applications integrate with AD via LDAP or LDAP over TLS (LDAPS).

NTLM (legacy / fallback)
NTLM may still appear for older systems, misconfigurations, or certain access patterns. From a security perspective, NTLM is often a hardening target (reduce/disable where feasible) because it’s more susceptible to relay-style abuses in some scenarios.

Replication and trust boundaries

Replication
Multiple DCs replicate directory changes so logons and lookups keep working if a DC fails. Replication is critical operationally—and security-relevant because privileged changes (like adding a user to Domain Admins) replicate too.

Forests, trees, and trusts
Larger organizations may have: - A forest: the top-level boundary containing one or more domains with shared schema and global catalog - Trusts: relationships between domains/forests that allow cross-domain access

Security takeaway: trusts expand the blast radius if mismanaged. An incident in one domain may pivot through trusts depending on configuration and privileges.

Technical notes: quick checks admins and responders use

# Identify domain and current user context
whoami /all
echo %USERDOMAIN%
nltest /dsgetdc:yourdomain.local

# Check domain controller discovery and secure channel health
nltest /sc_verify:yourdomain.local
Test-ComputerSecureChannel -Verbose

# Query basic directory info (requires RSAT / AD module)
Get-ADDomain
Get-ADDomainController -Filter *
Get-ADUser -Identity someuser -Properties MemberOf,LastLogonDate

Common log sources in investigations: - Security event logs on DCs (authentication events, account changes, group membership changes) - AD replication and directory service logs - DNS logs (especially if troubleshooting DC discovery or suspicious lookups)

Where you’ll encounter Active Directory

You’ll run into Active Directory in everyday IT operations and in most Windows-centric security work.

1) Joining devices and centralizing logon

If a Windows workstation is domain-joined, the user’s sign-in and many access checks flow through AD. Expect AD any time: - employees sign into Windows with a corporate username/password - shared file servers, printers, or internal apps rely on Windows integrated authentication - IT needs centralized account provisioning/deprovisioning

What to do next (ops): - Ensure domain-joined endpoints use the organization’s DNS (pointing at DCs). - Standardize OU placement for devices and users so policies apply predictably.

2) Enforcing security configuration with Group Policy

Hardening and compliance in Windows environments often depends on GPOs: - password and lockout policies - local admin restrictions - firewall and audit policy settings - Defender configuration (in some setups) - login scripts and software deployment

What to do next (security): - Review GPOs for risky settings (e.g., local admin sprawl, weak audit policies). - Monitor changes to high-impact GPOs and privileged groups.

3) Identity is the control plane for access

AD becomes the “source of truth” for: - group-based access to file shares and apps - admin delegation (help desk resetting passwords, workstation admin groups, etc.) - service-to-service authentication (service accounts)

Risk patterns security teams commonly see: - Over-privileged accounts (too many users in admin groups) - Stale accounts (former employees, unused service accounts) - Credential exposure (password reuse, weak service account hygiene) - Excessive trust (flat networks, weak segmentation, broad lateral movement paths)

What to do next (baseline): - Separate admin accounts from daily user accounts. - Limit and monitor membership in privileged groups (e.g., Domain Admins). - Treat service accounts as high-risk identities and rotate credentials where possible.

4) Hybrid identity and cloud integration

Many organizations pair on-prem AD with cloud identity (often via synchronization). In “hybrid” models: - on-prem AD may still be authoritative for users/groups - sign-in and conditional access may occur in cloud identity, but group membership and device state can still originate on-prem

What to do next (architecture): - Document the source of authority for identities (where are accounts created, disabled, and audited?). - Secure synchronization pathways and accounts used for directory sync.

Security notes: what defenders commonly watch in AD

During incident response, these AD-adjacent artifacts are frequently examined:

- Domain Controller Security log:
  - account logons/authentication activity
  - group membership changes (privileged groups especially)
  - user creation/deletion and password resets

- Directory Service log:
  - replication issues
  - directory database/service anomalies

- DNS logs:
  - DC discovery issues
  - unusual SRV record queries or suspicious domain lookups

If your organization uses a managed detection provider, align on who monitors DC logs and identity alerts end-to-end; for background, see our glossary on MDR: what is mdr.

Practical tools that often complement AD security (optional)

Active Directory is foundational, but it’s not the only control you should rely on:

  • Endpoint protection for domain-joined devices: compare options and deployment considerations here: best antivirus for windows business endpoints 2026.
  • A password manager for admins and service credentials can reduce password reuse and improve rotation hygiene. If you’re evaluating options, 1Password is a common choice for business teams: Try 1Password →.

Related terms

AD DS (Active Directory Domain Services)

The core on-prem directory service role hosted on Domain Controllers.

Domain Controller (DC)

Server that authenticates users/computers and hosts the directory database.

Windows Domain

The administrative boundary where AD policies and identities apply.

Kerberos

Primary authentication protocol for domain logons and service access in most AD environments.

LDAP / LDAPS

Protocols used to query/update directory information (LDAPS adds TLS encryption).

Group Policy (GPO)

Mechanism to centrally enforce configuration and security settings on Windows machines/users.

Organizational Unit (OU)

Container for organizing objects and delegating admin and GPO scope.

Security Groups

AD groups used to grant permissions to resources; central to authorization.

Global Catalog (GC)

A directory role enabling forest-wide searches and resolving user/group information across domains.

Trust

A relationship that allows authenticated access between domains/forests; expands access scope and potential attack paths.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.