What is Domain Admin?
Domain Admin is the highest level of control in a Windows Active Directory domain — membership in this group grants administrative rights over every computer, account, and policy the domain holds. Reaching it means an attacker can read any data, impersonate any user, and persist almost anywhere. It is the objective that decides whether a network is truly compromised.
What Domain Admin controls
Active Directory is the directory that runs most corporate Windows networks: it holds the accounts, the group memberships, and the policies that decide who can do what. A Domain Admin sits at the top of it. With that privilege an attacker can reset passwords, push software to every machine, read the credential database, and forge access that survives a cleanup.
How attackers reach Domain Admin
Almost no attacker starts with it. They start with a foothold — a cracked ticket, a web-application flaw, a reused password — and climb. The path usually runs through the misconfigurations every directory accumulates: a password left in an account description, a service account reused across hosts, a certificate template that hands out more than it should, a trust that links one domain’s admins to the next. Each step is small; chained together, they reach the top. Finding that chain before an attacker does is the work of Active Directory penetration testing. See it walked end to end in Active Directory takeover.
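The chaining described above can be modelled as a graph of audit findings, which lets a defender see which fixes cut every route to Domain Admin rather than only the shortest one. This is an added example, not code from the original page or from AutoAttack; the account names, hosts, domains and the "credential cached on host" finding type are constructed assumptions.

```python
from collections import deque

# Constructed audit findings (not from a real directory). Each tuple reads:
# control of `src` leads to control of `dst` because of `finding`.
FINDINGS = [
    ("user:jdoe", "svc:backup", "password left in account description"),
    ("svc:backup", "host:APP02", "service account reused across hosts"),
    ("user:jdoe", "host:APP02", "reused local password"),
    ("host:APP02", "user:pki-op", "credential cached on host"),  # assumed finding type
    ("user:pki-op", "group:CHILD Domain Admins", "certificate template grants too much"),
    ("group:CHILD Domain Admins", "group:CORP Domain Admins", "trust links child admins to parent"),
    ("user:intern", "host:KIOSK", "local admin on one kiosk"),  # dead end
]
TARGET = "group:CORP Domain Admins"


def shortest_chain(findings, start, target=TARGET):
    """Breadth-first search; returns the shortest list of findings linking
    start to target, [] if they are the same node, or None if no chain exists."""
    graph = {}
    for edge in findings:
        graph.setdefault(edge[0], []).append(edge)
    prev = {start: None}  # node -> finding that first reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while prev[node] is not None:
                chain.append(prev[node])
                node = prev[node][0]
            return chain[::-1]
        for edge in graph.get(node, []):
            if edge[1] not in prev:
                prev[edge[1]] = edge
                queue.append(edge[1])
    return None


def chokepoints(findings, start, target=TARGET):
    """Findings whose removal alone leaves no chain from start to target:
    the fixes that cut every path, not just the shortest one."""
    if shortest_chain(findings, start, target) is None:
        return []
    return [f for f in findings
            if shortest_chain([g for g in findings if g is not f], start, target) is None]


if __name__ == "__main__":
    for src, dst, why in shortest_chain(FINDINGS, "user:jdoe"):
        print(f"{src} -> {dst}: {why}")
    print("fix first:", [why for _, _, why in chokepoints(FINDINGS, "user:jdoe")])
```

In this constructed data the password in the description and the reused service account are not chokepoints, because a second route reaches the same host; the fixes that break every chain sit further up.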
Why Domain Admin is the bar for proof
Domain Admin is what turns a list of weaknesses into a real breach. A test that stops at “this host is exploitable” leaves the important question unanswered; a test that reaches Domain Admin has answered it. That is why it is the objective AI penetration testing is measured against.
AutoAttack and Domain Admin
Set the goal to Domain Admin and AutoAttack starts with nothing — no credentials, no map — then walks the full path to every domain in the forest, proving each step. Black-box with no credentials, it took all three domains and recovered 124 credentials along the way. See the benchmark.