Active Directory (AD) is Microsoft’s central identity and access management system for Windows environments. It stores users, computers, groups, policies, and permissions, and allows organisations to manage authentication and access control across large networks from a single administrative framework.
At a technical level, Active Directory is built around domain controllers, which authenticate users and systems using protocols such as Kerberos and NTLM. When a user signs in to a domain-joined workstation, AD verifies their identity, applies group policies, and determines the systems, shares, and applications they are allowed to access. This centralisation is efficient for IT operations, but it also means a weakness in AD often has organisation-wide consequences.
Active Directory environments are made up of many interconnected trust relationships. Group memberships, delegated permissions, service accounts, legacy protocols, and access control lists can all create attack paths that are not obvious during day-to-day administration. Attackers commonly abuse misconfigurations in these relationships to escalate privileges, move laterally, and eventually reach domain admin or equivalent control.
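One reason these relationships are hard to see during day-to-day administration is that group membership nests: an account placed in a helpdesk group can inherit the rights of a privileged group several levels up without ever appearing in that group's direct member list. The following is an added example, not code from the original article, that resolves effective membership transitively over a small constructed snapshot (all group and account names are made up) and reports which principals reach a privileged group only through nesting. In a real environment the same data would come from the `member`/`memberOf` attributes via LDAP or the ActiveDirectory PowerShell module; the resolver logic is the same.

```python
"""Audit of effective (transitive) group membership in a constructed AD snapshot.

Hypothetical example: nested group memberships mean an account can inherit a
privileged group's rights without appearing in that group's direct member
list. This resolves membership transitively and flags accounts that land in
privileged groups only indirectly, which is what a reviewer of the direct
member list would miss.
"""
from collections import deque

# Constructed sample data: group -> direct members (users or other groups).
# All names are invented for this example.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["Helpdesk-L3"],
    "Helpdesk-L3": ["bob", "Helpdesk-L2"],
    "Helpdesk-L2": ["carol"],
    "Backup Operators": ["svc-backup", "Helpdesk-L2"],
    "Sales": ["dave"],
}

# Groups whose effective membership the audit cares about (constructed choice).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}


def resolve_members(group, group_members=GROUP_MEMBERS):
    """Return the set of non-group principals that are effectively members
    of `group`, following nested groups. Membership cycles are tolerated."""
    effective = set()
    seen_groups = set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        for member in group_members.get(g, []):
            if member in group_members:   # a nested group: expand it
                queue.append(member)
            else:                         # a leaf principal (user/computer)
                effective.add(member)
    return effective


def direct_members(group, group_members=GROUP_MEMBERS):
    """Principals listed directly on the group, excluding nested groups."""
    return {m for m in group_members.get(group, []) if m not in group_members}


def indirect_privileged_access(group_members=GROUP_MEMBERS,
                               privileged=PRIVILEGED_GROUPS):
    """Map each privileged group to the principals that reach it only via
    nesting, sorted for stable output. Empty when nothing is hidden."""
    findings = {}
    for group in privileged:
        hidden = (resolve_members(group, group_members)
                  - direct_members(group, group_members))
        if hidden:
            findings[group] = sorted(hidden)
    return findings


if __name__ == "__main__":
    for group, principals in sorted(indirect_privileged_access().items()):
        print(f"{group}: indirect members -> {', '.join(principals)}")
```

Run against the constructed snapshot, the audit shows that `bob` and `carol` are effectively Domain Admins through two and three levels of nesting respectively, and that the helpdesk nesting also grants `carol` Backup Operators rights. Reviewing either group's direct member list would show only `alice` or `svc-backup`.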
Because Active Directory sits at the centre of identity in many organisations, a compromise often means compromising everything that depends on it. File servers, workstations, email access, remote administration, and sometimes even cloud identity integrations can all be affected once an attacker gains sufficient AD privileges.
For many organisations, AD is the highest-value target on the internal network. Internal penetration testing is often designed around understanding whether an attacker with a low-privilege foothold could compromise Active Directory through privilege escalation or lateral movement.