Module 3

3.2

Enumeration Strategy in AD

Active Directory environments are large and complex. You can’t scan everything. You have a limited testing window, and you need to find the highest-impact paths first. Enumeration in an AD engagement is about prioritization, not completeness.

Here’s what a consultant prioritizes in the first hours of an internal AD assessment:

Domain Controller identification: Where are the DCs? What OS are they running? This is your first scan target.

User and group enumeration: Who are the Domain Admins? Are there nested groups with excessive privileges? Are there service accounts with SPNs set (Kerberoastable)?

Trust relationships: Are there domain or forest trusts? Trusts are lateral movement highways between environments.

Kerberos configuration: AS-REP roastable accounts, unconstrained delegation, Kerberoastable service accounts. These are the most common high-impact findings in AD assessments.

Group Policy Objects: GPOs can reveal credential storage, mapped drives with sensitive paths, and misconfigured security settings applied domain-wide.

Network shares and file servers: Accessible shares often contain credentials, configuration files, and sensitive business documents.

The key insight is that you don’t have to enumerate everything. You have to enumerate the right things first and follow the paths that lead to business-critical access.
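Several of the items above (AS-REP roastable accounts, Kerberoastable service accounts, unconstrained delegation) come down to attributes on individual user objects, which is why they surface so early in an assessment and why a defender can audit for them just as quickly. The following script is an added example and is not part of the course material: it takes exported user records (sAMAccountName, userAccountControl, servicePrincipalName, memberOf), flags those settings, and scores the results so remediation can be prioritized. The sample records, the privileged group list, and the scoring weights are constructed for illustration.

```python
"""Audit exported AD user objects for the Kerberos settings the module names.

Added example (not from the course). Input records stand in for an export of
user objects; the weights and group names below are constructed choices.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# userAccountControl bit flags as defined in the Active Directory schema.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000      # Kerberos pre-auth disabled (AS-REP roastable)

# Constructed weights: how much each finding raises an account's remediation priority.
FINDING_WEIGHT = {
    "unconstrained_delegation": 4,
    "asrep_roastable": 3,
    "kerberoastable_user_spn": 3,
}
# Constructed: membership in these groups makes any finding on the account more urgent.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_BONUS = 5


@dataclass
class AdUser:
    sam_account_name: str
    user_account_control: int
    service_principal_names: list[str] = field(default_factory=list)
    member_of: list[str] = field(default_factory=list)  # group distinguished names


def rdn_value(dn: str) -> str:
    """Return the value of the first RDN, e.g. 'Domain Admins' from 'CN=Domain Admins,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def audit_user(user: AdUser) -> list[str]:
    """Return the Kerberos-related findings for one account; disabled accounts yield none."""
    uac = user.user_account_control
    if uac & UF_ACCOUNTDISABLE:
        return []
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained_delegation")
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep_roastable")
    # SPNs on a user account (computer accounts end in '$' and always carry SPNs)
    # mark a service account whose password strength is what protects its tickets.
    if user.service_principal_names and not user.sam_account_name.endswith("$"):
        findings.append("kerberoastable_user_spn")
    return findings


def is_privileged(user: AdUser) -> bool:
    return any(rdn_value(dn) in PRIVILEGED_GROUPS for dn in user.member_of)


def prioritize(users: list[AdUser]) -> list[tuple[str, int, list[str]]]:
    """Score every account that has findings and return them highest priority first."""
    scored = []
    for user in users:
        findings = audit_user(user)
        if not findings:
            continue
        score = sum(FINDING_WEIGHT[f] for f in findings)
        if is_privileged(user):
            score += PRIVILEGED_BONUS
        scored.append((user.sam_account_name, score, findings))
    scored.sort(key=lambda row: (-row[1], row[0]))
    return scored


# Constructed sample records standing in for an export of user objects.
SAMPLE_USERS = [
    AdUser("svc_sql", UF_NORMAL_ACCOUNT,
           ["MSSQLSvc/sql01.example.local:1433"],
           ["CN=Domain Admins,CN=Users,DC=example,DC=local"]),
    AdUser("jdoe", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    AdUser("old_svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
           ["HTTP/legacy.example.local"]),
    AdUser("WEB01$", UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
           ["HOST/web01.example.local"]),
    AdUser("alice", UF_NORMAL_ACCOUNT,
           member_of=["CN=Domain Users,CN=Users,DC=example,DC=local"]),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(SAMPLE_USERS):
        print(f"{score:>3}  {name:<10} {', '.join(findings)}")
```

The scoring is deliberately simple; what matters is that each finding maps to a concrete attribute on the object (a userAccountControl bit or a populated servicePrincipalName), so the same check can be re-run after remediation to confirm the attribute actually changed. Disabled accounts are skipped because the setting is harmless until the account is re-enabled, which is itself a useful thing to watch for.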

You just got initial access to the Navigating Security Corp domain as a low-privilege user. You have a four-hour testing window. Rank these enumeration tasks by priority.

Challenge

Prioritize Enumeration Tasks


You've gained initial access as a low-privilege domain user on the Navigating Security Corp network. You have 4 hours before the testing window closes. Rank these enumeration tasks from highest to lowest priority.

  1. Enumerate accessible shares on DC01 (SYSVOL, NETLOGON) and any other hosts discovered in 10.1.1.0/24
  2. Run BloodHound to map attack paths to Domain Admin
  3. Check for AS-REP roastable accounts
  4. Run a comprehensive port scan of the full 10.1.1.0/24 discovery range
  5. Check for Kerberoastable service accounts
  6. Review Group Policy Objects for misconfigurations