Administer AD DS Applied Skills Credential Review

Rich
5 min read · Jul 24, 2024


TL;DR Review of the Microsoft APL-1008 course and AD DS Applied Skills hands on assessment.

Exam Reviews

  • Altered Security Certified Red Team Professional (CRTP)
  • eLearnSecurity Junior Penetration Tester (eJPT)
  • ISC2 Certified in Cybersecurity (CC)
  • Microsoft Applied Skills: Administer AD DS (this post)
  • TCM Practical Junior Penetration Tester (PJPT)

Background

Microsoft retired the MCSA at the end of January 2021 and has mostly focused on Azure, Entra ID, Intune, M365, Sentinel, and other cloud-based training and certifications for the last few years. The one exception is the Windows Server Hybrid Administrator Associate certification, which we will have to study up for and try eventually.

Hence it is refreshing for those who still work around ‘on prem’ Windows domains to see Microsoft offering a hands on Applied Skills credential and accompanying course on Active Directory Domain Services (AD DS). Even better, the course and assessment are free.

I learned about the assessment on Reddit and wanted to try it out. IMHO it’s an excellent introduction to Active Directory. I am also a big fan of hands on tests, or assessments as Microsoft calls this one.

The course

The course only takes a few hours to get through and covers the usual introductory AD topics. Microsoft outlines them as:

  • Deploy and manage AD DS domain controllers
  • Configure Active Directory topology
  • Create and manage AD DS objects
  • Create and configure Group Policy Objects (GPOs) in AD DS
  • Manage security in AD DS

Specifically, the course covered:

  • Creating OUs, groups, users
  • Querying based on attributes
  • Performing bulk operations on a given set of users
  • Sites and subnets
  • FSMO roles
  • AD Recycle Bin
  • Fine Grained Password Policies
  • Delegating rights

The course did not cover PowerShell, querying delegated rights (the resulting ACEs), or a few other useful topics, but then it is an introductory-to-intermediate course.

The lab

Microsoft gives directions on how to create a NATed switch in Hyper-V using PowerShell, then gives the rest of the instructions as one would perform them in the GUI. Here at test.local we prefer PowerShell, like automation, and absolutely fell in love with Hyper-V and PowerShell Direct immediately after trying them out.

Hence we created and configured the VMs in PowerShell. We wrote a collection of functions and PS1s that spins up and configures the VMs, domain, etc given a Windows Server 2022 ISO from the Microsoft Evaluation Center and an answer file. We provide the answer file and everything but the ISO on our GitHub here.
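What the host-side part of that automation looks like, as an added example for this review (it is not the course's instructions and not the code in the GitHub repo above). It builds the NATed Hyper-V switch, attaches the VM, and then uses PowerShell Direct (Invoke-Command -VMName) to give the guest a static address and promote it to the first DC of a new forest. The switch name "LabNAT", the 192.168.50.0/24 subnet, the guest address .10, the NetBIOS name TAILWINDTRADERS and the DSRM prompt are all assumptions; the VM name and forest name are the lab's.

```powershell
# Added example for this review, not the course's instructions and not the author's
# lab repo. Builds the NATed Hyper-V switch the course describes, attaches the VM,
# then uses PowerShell Direct (Invoke-Command -VMName) to give the guest a static
# address and promote it to the first DC of a new forest. Assumed names/addresses:
# switch "LabNAT" on 192.168.50.0/24 with the host at .1, VM "Tailwind-DC1" at .10,
# forest tailwindtraders.internal (from the post's lab). Run elevated on the host.
$SwitchName = 'LabNAT'
$HostIp     = '192.168.50.1'
$NatPrefix  = '192.168.50.0/24'
$VmName     = 'Tailwind-DC1'

# 1. Internal switch + host-side address + NAT; each step is idempotent so re-runs are safe
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}
$ifIndex = (Get-NetAdapter -Name "vEthernet ($SwitchName)").ifIndex
if (-not (Get-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $HostIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $HostIp -PrefixLength 24 | Out-Null
}
if (-not (Get-NetNat -Name "$SwitchName-NAT" -ErrorAction SilentlyContinue)) {
    New-NetNat -Name "$SwitchName-NAT" -InternalIPInterfaceAddressPrefix $NatPrefix | Out-Null
}

# 2. Put the VM on the switch (the VM is assumed to exist already, installed from the ISO)
Connect-VMNetworkAdapter -VMName $VmName -SwitchName $SwitchName

# 3. Configure the guest over PowerShell Direct. No guest networking is needed, which is
#    exactly why it is convenient before the NIC is configured. The DSRM password is read
#    on the host and passed in as plain text via $using:, acceptable for a throwaway lab
#    (a serialized SecureString is DPAPI-bound to the host user and would not decrypt in the guest).
$guestCred = Get-Credential -Message "Local administrator on $VmName"
$dsrmPlain = Read-Host -Prompt 'DSRM (Safe Mode) password for the new forest'

Invoke-Command -VMName $VmName -Credential $guestCred -ScriptBlock {
    $nic = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress '192.168.50.10' -PrefixLength 24 `
        -DefaultGateway '192.168.50.1' | Out-Null
    # The DC will host DNS for the forest (-InstallDns below), so point it at itself
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '127.0.0.1'

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    $dsrm = ConvertTo-SecureString -String $using:dsrmPlain -AsPlainText -Force
    Install-ADDSForest -DomainName 'tailwindtraders.internal' -DomainNetbiosName 'TAILWINDTRADERS' `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force -NoRebootOnCompletion | Out-Null
}

# 4. Reboot to finish the promotion. After this the guest's local Administrator account
#    has become the domain Administrator, so later Invoke-Command calls use domain credentials.
Restart-VM -Name $VmName -Force
```

The idempotence checks matter more than they look: New-NetNat fails if a NAT already covers the prefix, and a half-finished run otherwise leaves you manually cleaning up the switch and host address before trying again.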

The course itself was mostly just a refresher, but we learned and brushed up on a lot while creating the lab. If you have any suggestions, criticisms, or comments in general then feel free to leave them here or on GitHub. We are always open to feedback.

The assessment

One has two hours to complete the assessment, although experienced admins would likely finish in 30 to 45 minutes easily. I spent about 1 ¼ hours, but I used a mix of the GUI and PowerShell, wrote a quick & dirty ForEach loop, double checked my work, queried the delegation of rights, and wrote down the GUIDs for later reference.

[Image: Me & Mishka debating how to write a ForEach loop]

The course only has you perform the delegation using the Delegation of Control wizard in Active Directory Users & Computers (ADUC), and I wanted to confirm the specific GUIDs it writes into the ACL.

Microsoft gives you specific tasks to perform and frames them as business scenarios. The environment uses browser-based VMs, much like EC-Council iLabs. The environment was smooth and functional; my only complaint was that the VM window didn't scale well to the browser. I recommend taking the assessment on the largest monitor you have.

You need a 70% or above to pass. Microsoft tabulates your results and gives you a score within minutes.

Looking back over the training, I set a GPO on the wrong OU according to Microsoft.

You get a nice credential that looks like this.

It’s a credential, not a certification, but it should still look good on a resume. The assessment is 100% hands on after all. I’ll list it on my LinkedIn along with certs.

Side note on Microsoft’s delegation of rights

We already had a Set-Acl example in our notes from our Dangerous Rights project and cheatsheet for delegating and querying the ExtendedRight for password resets. Some research was required, though, for the other right Microsoft wanted delegated: requiring a user to change their password at next logon. CW6 Google said it was GUID 60b10d64-0f1b-465f-8cc0-bef2de541343; however, Microsoft used bf967a0a-0de6-11d0-a285-00aa003049e2 if you follow their GUI wizard example exactly. That GUID is the schemaIDGUID of the pwdLastSet attribute, which is what "User must change password at next logon" actually writes (it sets pwdLastSet to 0), so the wizard grants read/write on that single attribute rather than a separate extended right.

Specifically, they used ReadProperty & WriteProperty with GUID bf967a0a-0de6-11d0-a285-00aa003049e2 (pwdLastSet) and of course ExtendedRight with GUID 00299570-246d-11d0-a768-00aa006e0529 (the Reset Password control access right), both scoped to descendant user objects of the OU.

Confirm:

Invoke-Command -VMName Tailwind-DC1 -Credential $DomainAdminCredObject -ScriptBlock { Import-Module ActiveDirectory; Set-Location AD:; (Get-Acl "OU=Sydney,DC=tailwindtraders,DC=internal").Access | Where-Object { $_.IdentityReference -like "*Sydney Administrators*" } }
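The same delegation done without the wizard, plus a check that resolves the GUIDs back to names, as an added example for this review (not the course's steps, not the Dangerous Rights cheatsheet, and not code from the author's repo). It uses the lab's Sydney OU and "Sydney Administrators" group; the Resolve-AdGuid helper and its output shape are my own. Run it as a domain admin on the DC, or wrap it in Invoke-Command -VMName from the host exactly as the confirm command above does.

```powershell
# Added example, written for this review; not the course's wizard steps and not the
# author's lab repo. Reproduces what the ADUC Delegation of Control wizard grants for
# "Reset user passwords and force password change at next logon", then verifies the
# resulting ACEs with the GUIDs resolved to names. Assumed: the Sydney OU and the
# "Sydney Administrators" group in tailwindtraders.internal from the lab; run as a
# domain admin on a DC or an RSAT host.
Import-Module ActiveDirectory

$OuDn      = 'OU=Sydney,DC=tailwindtraders,DC=internal'
$GroupName = 'Sydney Administrators'

# Well-known GUIDs. Resolve-AdGuid below reads them back from the directory so you are
# not trusting a search result for what you actually granted.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the pwdLastSet attribute
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

function Resolve-AdGuid {
    # Map a GUID found in an ACE to the extended right, attribute or class it names.
    param([Parameter(Mandatory)][Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return 'All' }
    $rootDse = Get-ADRootDSE
    # Extended rights store rightsGuid as a string, so a plain filter works
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName
    if ($right) { return "ExtendedRight: $($right.displayName)" }
    # schemaIDGUID is binary, so the filter needs the bytes escaped as \xx
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName
    if ($schemaObj) { return "Schema: $($schemaObj.lDAPDisplayName)" }
    return "Unknown: $Guid"
}

$sid             = (Get-ADGroup -Identity $GroupName).SID
$allow           = [System.Security.AccessControl.AccessControlType]::Allow
$descendantsOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET spells it this way

# ACE 1: the Reset Password extended right, on descendant user objects only
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $ResetPasswordRight, $descendantsOnly, $UserClass)

# ACE 2: read + write of pwdLastSet, which is what "must change password at next logon" toggles
$rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$pwdLastSetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rw, $allow, $PwdLastSetAttr, $descendantsOnly, $UserClass)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify. Both the object type (what right/attribute) and the inherited object type
# (which class it applies to) matter: WriteProperty with an empty ObjectType would be
# write-all-properties, a very different grant.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*$GroupName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.IdentityReference
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            ObjectType = Resolve-AdGuid $_.ObjectType
            AppliesTo  = Resolve-AdGuid $_.InheritedObjectType
            Inherit    = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

The verification step is the part worth keeping in your own notes: the confirm one-liner above shows you the raw GUIDs, and the difference between an ACE whose ObjectType is pwdLastSet and one whose ObjectType is empty is the difference between "can force a password change" and "can write every attribute on every user in the OU".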

Summary

IMHO APL-1008 on Microsoft Learn was an excellent introductory AD course. The assessment, or test if you prefer that verbiage, is 100% hands on. The whole thing is free. The lab can be performed, and automated, for free.

I highly recommend this course and assessment if you are new to AD, need something AD related on your resume, or just need a refresher.

References

GUIDs: https://www.adaxes.com/questions/1109/guid-for-the-user-cannot-change-password-property

Set-VMMemory: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmmemory?view=windowsserver2022-ps

Set-ADReplicationSiteLink: https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adreplicationsitelink?view=windowsserver2022-ps

New-ADFineGrainedPasswordPolicy: https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adfinegrainedpasswordpolicy?view=windowsserver2022-ps

Hyper-V & FSMO stuff: https://happycamper84.medium.com/ditching-broadcom-hyper-v-server-live-migrations-3b41cf2a8830

Windows Server 2022 answer file: https://github.com/ruzickap/packer-templates/blob/main/http/windows-2022/Autounattend.xml


I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.