Beginner · T1087.002 (Account Discovery: Domain Account)

AD Enumeration Without Admin Rights

Any domain user can map your entire Active Directory -- every user, group, computer, trust, and policy -- without a single admin privilege.

When you join a company's network, your computer automatically connects to Active Directory. By default, every user account is allowed to read almost everything in the directory. This means you can see a list of all employees, all computers, all groups (including "Domain Admins"), and even details like when someone last changed their password (the pwdLastSet attribute), whether an account is disabled (a bit in userAccountControl), and which operating system version a computer reports (the operatingSystem attributes). Attackers use this information to pick targets -- they look for admin accounts, old service accounts with weak passwords, or computers running old, unsupported operating systems. The scary part is that none of this requires any special permissions; it is just how AD works out of the box.

Imagine walking into a large office building. The lobby directory lists every department, every floor, and often every employee by name and title. You do not need a security badge to read it -- you just need to walk in the front door. Active Directory works the same way: once you have any valid domain account (even a regular employee), you can query the directory and learn about every user, computer, group, and organizational unit in the entire domain. Attackers treat this as their first move -- mapping the terrain before choosing where to strike.


Key Takeaways

  1. Any authenticated domain user can enumerate virtually all AD objects by default.
  2. LDAP queries on port 389/636 and Global Catalog on 3268/3269 are the primary enumeration vectors.
  3. Tools like BloodHound, PowerView, and built-in net commands automate discovery.
  4. Key targets include admin accounts, Kerberoastable SPNs, stale passwords, and trust relationships.
  5. Enumeration is the foundation of every AD attack -- without it, attackers are blind.
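The triage step that follows the raw queries, as an added example (this is not SourceSudo's code and not taken from PowerView or BloodHound): it lists the LDAP filters an unprivileged user can send and then scores each returned user record for the targets named above (admin accounts, Kerberoastable SPNs, stale or never-set passwords, disabled accounts). The sample records are constructed to look like what a search for the "users" filter would return; the account names, SPNs and dates are illustrative, and the userAccountControl bit values and the FILETIME epoch are the documented Microsoft values.

```python
"""Triage of LDAP user records for the targets an AD enumerator looks for.
Added example, not SourceSudo code. The SAMPLE_USERS records are constructed
(names, SPNs and dates are invented) to look like the output of an
unprivileged search for SEARCH_FILTERS["users"]."""
from datetime import datetime, timedelta, timezone

# Filters any authenticated user can send to port 389/636 (or 3268/3269 for
# the Global Catalog). OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule, used to test userAccountControl bits on the server side.
SEARCH_FILTERS = {
    "users": "(&(objectCategory=person)(objectClass=user))",
    "computers": "(objectCategory=computer)",
    "groups": "(objectCategory=group)",
    "trusts": "(objectCategory=trustedDomain)",
    "kerberoastable": "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
                      "(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "asrep_roastable": "(&(objectCategory=person)(objectClass=user)"
                       "(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
    "protected_admins": "(&(objectCategory=person)(objectClass=user)(adminCount=1))",
}

# userAccountControl flag bits (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQUIRE_PREAUTH = 0x400000

EPOCH_DIFF_SECONDS = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    0 means never set / must change at next logon; 0x7FFF... means 'never'."""
    if ft <= 0 or ft == 0x7FFFFFFFFFFFFFFF:
        return None
    return datetime.fromtimestamp(ft // 10_000_000 - EPOCH_DIFF_SECONDS, tz=timezone.utc)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return (int(dt.timestamp()) + EPOCH_DIFF_SECONDS) * 10_000_000


def triage_account(entry, now, stale_days=365):
    """Return the findings for one user record (a dict keyed by LDAP attribute)."""
    uac = int(entry.get("userAccountControl", 0))
    disabled = bool(uac & UAC_ACCOUNTDISABLE)
    findings = []
    if disabled:
        findings.append("disabled")
    if int(entry.get("adminCount", 0)) == 1:
        findings.append("admincount")         # current or former protected-group member
    if entry.get("servicePrincipalName") and entry["sAMAccountName"].lower() != "krbtgt" and not disabled:
        findings.append("kerberoastable")     # any user can request a service ticket for this SPN
    if uac & UAC_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable")    # AS-REP obtainable without knowing the password
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("password-not-required")
    pwd_set = filetime_to_datetime(int(entry.get("pwdLastSet", 0)))
    if pwd_set is None:
        findings.append("password-never-set")
    elif now - pwd_set > timedelta(days=stale_days):
        findings.append("stale-password")
    if uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("password-never-expires")
    return findings


def triage_directory(entries, now, stale_days=365):
    """Map sAMAccountName -> findings, dropping accounts with nothing to report."""
    result = {}
    for e in entries:
        f = triage_account(e, now, stale_days)
        if f:
            result[e["sAMAccountName"]] = f
    return result


# Constructed sample (invented names and dates) for a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "pwdLastSet": _ft(2024, 5, 20)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,      # NORMAL + DONT_EXPIRE
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "pwdLastSet": _ft(2019, 3, 1)},
    {"sAMAccountName": "da_admin", "userAccountControl": 512, "adminCount": 1,
     "pwdLastSet": _ft(2024, 1, 15)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200,  # NORMAL + DONT_REQ_PREAUTH
     "pwdLastSet": _ft(2024, 2, 1)},
    {"sAMAccountName": "old_contractor", "userAccountControl": 514,   # NORMAL + ACCOUNTDISABLE
     "servicePrincipalName": ["HTTP/old.corp.local"], "pwdLastSet": 0},
]


def triage_sample():
    return triage_directory(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    for name, findings in triage_sample().items():
        print(f"{name:16} {', '.join(findings)}")
```

Against a live domain the same triage runs unchanged over the results of a plain LDAP search bound as any domain user; the only parts that change are the transport (an LDAP client library in place of the constructed list) and the attribute list requested. Note that the server-side "kerberoastable" filter already excludes krbtgt and disabled accounts, which is why the client-side check repeats both conditions for records fetched with the broader "users" filter.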
Why Should I Care?

Enumeration is step zero of every AD attack. Understanding what information is exposed by default helps defenders prioritize what to monitor and restrict.

Defense Recommendations

While you cannot fully prevent enumeration, you can limit what attackers see and detect their queries.

  1. Deploy BloodHound defensively to identify attack paths before attackers do.
  2. Monitor LDAP query patterns on the domain controllers -- bursts of class-wide searches (all users, all computers, all SPNs) from a single client, or searches returning thousands of objects, are the signature of enumeration.
  3. Require LDAP signing and channel binding. This does not stop an authenticated user from enumerating, but it blocks NTLM relay to LDAP, which is how an attacker turns a captured authentication into directory access of their own.
  4. Remove stale accounts, disable unused SPNs, and enforce the principle of least privilege, so that what enumeration reveals is less useful.
  5. Consider tiered administration, so Tier 0 assets are administered only from Tier 0 accounts and hosts; combined with tightened read ACLs on sensitive objects, this limits what a compromised lower-tier account can learn about and do to them.
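The monitoring in recommendation 2, as an added example (not SourceSudo's code): detection logic run over constructed log lines. Each line is a flattened, simplified rendition of the fields a Domain Controller's Directory Service Event 1644 record carries (client, starting node, filter, scope, returned entries); the exact layout on a real DC differs and the client addresses, timestamps and counts are invented, so the parser regex is a template to adapt rather than a drop-in. The thresholds (five class-wide searches within five minutes, or one class-wide search returning a thousand or more entries) are assumptions to tune per environment.

```python
"""Flag LDAP clients whose search pattern looks like directory enumeration.
Added example, not SourceSudo code. SAMPLE_LOG is constructed: one line per
search, modelled loosely on the fields of DS Event 1644; IPs, times and
counts are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) Client: (?P<ip>[\d.]+):\d+ Starting node: (?P<base>\S+) "
    r"Filter: (?P<filter>.+?) Scope: (?P<scope>\w+) Returned entries: (?P<returned>\d+)$"
)

# Filters that walk a whole object class instead of looking up one object.
ENUMERATION_FILTERS = [
    re.compile(r"\(objectClass=\*\)", re.I),
    re.compile(r"objectCategory=(person|computer|group|trustedDomain|"
               r"groupPolicyContainer|organizationalUnit)\)", re.I),
    re.compile(r"servicePrincipalName=\*", re.I),
    re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=", re.I),
]


def parse_line(line):
    """Return a dict for one search record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["returned"] = int(rec["returned"])
    return rec


def is_enumeration_filter(ldap_filter):
    return any(p.search(ldap_filter) for p in ENUMERATION_FILTERS)


def detect_enumeration(lines, window=timedelta(minutes=5), burst=5, bulk=1000):
    """Return {client_ip: sorted reasons}. 'burst': at least `burst` class-wide
    searches inside `window`; 'bulk-read': one subtree, class-wide search that
    returned at least `bulk` entries. Thresholds are assumed, tune per domain."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_client[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        enum_times = [r["ts"] for r in recs if is_enumeration_filter(r["filter"])]
        start = 0  # sliding window over the class-wide searches only
        for end, ts in enumerate(enum_times):
            while ts - enum_times[start] > window:
                start += 1
            if end - start + 1 >= burst:
                reasons.add("burst")
        for r in recs:
            if r["scope"].lower() == "subtree" and r["returned"] >= bulk \
                    and is_enumeration_filter(r["filter"]):
                reasons.add("bulk-read")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


# Constructed log: a workstation sweeping the directory, a helpdesk host doing
# two point lookups, and a third host running a single AS-REP-roast filter.
SAMPLE_LOG = """\
2024-06-01T09:00:01Z Client: 10.0.5.17:51234 Starting node: DC=corp,DC=local Filter: (&(objectCategory=person)(objectClass=user)) Scope: subtree Returned entries: 4312
2024-06-01T09:00:04Z Client: 10.0.5.17:51235 Starting node: DC=corp,DC=local Filter: (objectCategory=computer) Scope: subtree Returned entries: 2108
2024-06-01T09:00:09Z Client: 10.0.5.17:51236 Starting node: DC=corp,DC=local Filter: (objectCategory=group) Scope: subtree Returned entries: 930
2024-06-01T09:00:15Z Client: 10.0.5.17:51237 Starting node: DC=corp,DC=local Filter: (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)) Scope: subtree Returned entries: 57
2024-06-01T09:00:20Z Client: 10.0.5.17:51238 Starting node: CN=System,DC=corp,DC=local Filter: (objectCategory=trustedDomain) Scope: subtree Returned entries: 3
2024-06-01T09:00:26Z Client: 10.0.5.17:51239 Starting node: CN=Policies,CN=System,DC=corp,DC=local Filter: (objectCategory=groupPolicyContainer) Scope: subtree Returned entries: 88
2024-06-01T09:01:10Z Client: 10.0.1.10:60011 Starting node: DC=corp,DC=local Filter: (sAMAccountName=jdoe) Scope: subtree Returned entries: 1
2024-06-01T09:03:42Z Client: 10.0.1.10:60012 Starting node: DC=corp,DC=local Filter: (sAMAccountName=asmith) Scope: subtree Returned entries: 1
2024-06-01T09:05:00Z Client: 10.0.2.20:44120 Starting node: DC=corp,DC=local Filter: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) Scope: subtree Returned entries: 2
"""


def detect_sample():
    return detect_enumeration(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, reasons in detect_sample().items():
        print(ip, ", ".join(reasons))
```

Only the sweeping workstation trips both rules; the helpdesk host's point lookups match no class-wide pattern, and the single AS-REP-roast query from the third host matches a pattern but stays under both thresholds, which is the kind of low-volume signal worth a separate, stricter rule once the baseline for legitimate bulk readers (Exchange, HR sync, the BloodHound collector you run yourself) is known. On a real DC, Event 1644 is only written for searches that cross the expensive or inefficient search thresholds under the NTDS\Parameters registry key and only when the "15 Field Engineering" diagnostic level is raised, so check those settings before relying on this log source.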
SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.