# Role Descriptions for GOAD Collection
# This file maps each role to its description for README updates

acl|Configures Active Directory Access Control Lists (ACLs) and Access Control Entries (ACEs) to set up permission delegation scenarios and security testing environments. Supports standard AD rights (GenericAll, WriteDacl, etc.) and extended rights (User-Force-Change-Password, Self-Membership, etc.).

ad|Manages Active Directory organizational structure by creating organizational units (OUs), groups (domain local, global, universal), users, and group memberships. Handles group management including managed_by attributes and member assignments.

adcs|Installs and configures Active Directory Certificate Services (ADCS) as an Enterprise Root CA with RSA 2048-bit keys and SHA256 hashing. Optionally enables Web Enrollment for certificate request functionality (ESC8 scenario).

adcs_templates|Deploys vulnerable ADCS certificate templates (ESC1, ESC2, ESC3, ESC3-CRA, ESC4, ESC9, ESC13) for security testing and penetration testing scenarios. Installs the ADCSTemplate PowerShell module and publishes templates to Domain Users.

add_dns_record|Creates DNS records (A, CNAME, PTR, etc.) in Active Directory-integrated DNS zones. Simple utility role for DNS record management.

child_domain|Provisions and configures a child domain within an existing Active Directory forest. Handles domain promotion, DNS configuration, replication source DC setup, and post-installation DNS forwarder configuration.

common|Applies common Windows server baseline configurations including DNS client settings, proxy configuration, Remote Desktop enablement, firewall rules for RDP, and static route creation. Typically run early in deployment.

commonwkstn|Applies common workstation baseline configurations for Windows client machines in an Active Directory environment.

dc_dns_conditional_forwarder|Creates DNS conditional forwarders on domain controllers to enable name resolution between different domains in a multi-domain forest environment. Automatically configures forwarders for cross-domain communication.

dhcp|Installs and configures Windows DHCP server with scope definitions, lease duration, DNS server options, and default gateway configuration. Optionally supports PXE boot configuration for SCCM/WDS deployments.

disable_user|Disables specified Active Directory user accounts. Simple administrative utility role.

dns_conditional_forwarder|Creates DNS conditional forwarders for external domain name resolution. Similar to dc_dns_conditional_forwarder but for non-AD integrated scenarios.

domain_controller|Promotes a Windows server to a domain controller and creates a new Active Directory forest. Configures DNS, disables NAT adapter registration, sets DNS forwarders, and ensures Administrator is in Enterprise and Domain Admins groups.

domain_controller_slave|Promotes a Windows server to an additional (replica) domain controller in an existing domain. Configures DNS and replicates AD database from primary DC.

elk|Installs and configures the ELK Stack (Elasticsearch, Logstash, Kibana) on Linux for centralized log collection, analysis, and visualization in a security lab environment.

enable_user|Enables specified Active Directory user accounts. Simple administrative utility role.

fix_dns|Repairs or reconfigures DNS settings on Windows systems. Typically used for troubleshooting connectivity issues.

gmsa|Creates Group Managed Service Accounts (gMSA) in Active Directory with KDS root key configuration, DNS host names, Service Principal Names (SPNs), and principal assignment to authorized hosts.

gmsa_hosts|Configures host computers to retrieve and use Group Managed Service Account (gMSA) credentials. Associates hosts with gMSA principals.

groups_domains|Creates and manages cross-domain group relationships and memberships in multi-domain Active Directory forests.

iis|Installs and configures Internet Information Services (IIS) web server with management tools, IIS 6 compatibility features, and default website configuration. Sets up required permissions and directory structure.

laps_dc|Installs Local Administrator Password Solution (LAPS) on domain controllers and moves managed servers to appropriate OUs for LAPS policy application.

laps_permissions|Configures Active Directory permissions required for LAPS operation, including rights to read and write LAPS password attributes.

laps_server|Installs LAPS client components on member servers and workstations to enable automated local administrator password management.

laps_verify|Verifies LAPS installation and configuration, checking that passwords are being properly managed and rotated.

linux_add_linux_to_domain|Joins Linux systems to an Active Directory domain using SSSD, Kerberos, and Samba. Configures authentication and authorization for domain users on Linux.

linux_guacamole|Installs and configures Apache Guacamole remote desktop gateway on Linux for web-based access to lab systems.

linux_guacamole_create_connections|Creates RDP and SSH connection definitions in Guacamole for accessing Windows and Linux systems in the lab environment.

linux_proxy_server|Configures a Linux system as an HTTP/HTTPS proxy server for network traffic routing and inspection.

linux_tomcat|Installs and configures Apache Tomcat application server on Linux.

localusers|Creates local Windows user accounts on standalone or member servers (non-domain accounts).

logs_windows|Configures Windows Event Log forwarding and collection for centralized security monitoring with ELK or other SIEM solutions.

member_server|Joins a Windows server to an Active Directory domain as a member server. Configures DNS, network adapter priority, and installs File Server role.

move_to_ou|Moves Active Directory computer or user objects to specified Organizational Units (OUs) for policy application and organization.

mssql|Installs and configures Microsoft SQL Server (2019 or 2022) with customized service accounts, authentication modes, firewall rules, sysadmin accounts, and IMPERSONATE permissions for security testing scenarios.

mssql_link|Creates SQL Server linked server connections for cross-database and cross-server queries, commonly used in trust exploitation scenarios.

mssql_reporting|Installs and configures SQL Server Reporting Services (SSRS) for report generation and business intelligence.

mssql_ssms|Installs SQL Server Management Studio (SSMS) for database administration and development.

onlyusers|Creates only Active Directory user accounts without groups or OUs. Minimal user provisioning role.

parent_child_dns|Configures DNS delegation and forwarders between parent and child domains in a multi-domain Active Directory forest.

password_policy|Configures Active Directory default domain password policy including lockout threshold, minimum password length, lockout duration, complexity requirements, and observation window settings.

ps|Installs PowerShell modules and configures PowerShell execution policies. May include security-related PowerShell configurations.

sccm_config_accounts|Configures service accounts and permissions required for System Center Configuration Manager (SCCM/MECM) operation.

sccm_config_boundary|Creates and configures SCCM network boundaries and boundary groups for client site assignment and content location.

sccm_config_client_install|Configures SCCM client installation settings and deployment methods.

sccm_config_client_push|Enables and configures SCCM client push installation for automatic client deployment to discovered systems.

sccm_config_discovery|Configures SCCM discovery methods (Active Directory System Discovery, User Discovery, Network Discovery) for finding computers and users.

sccm_config_naa|Configures SCCM Network Access Account (NAA) for client access to distribution points during OS deployment.

sccm_config_pxe|Configures PXE service point for network-based OS deployment in SCCM.

sccm_config_users|Imports Active Directory users into SCCM and configures user collections.

sccm_install_adk|Installs Windows Assessment and Deployment Kit (ADK) required for SCCM OS deployment functionality.

sccm_install_iis|Installs and configures IIS with required components for SCCM management point and distribution point roles.

sccm_install_mecm|Installs System Center Configuration Manager (Microsoft Endpoint Configuration Manager) primary site server with all required prerequisites and site system roles.

sccm_install_prerequistes|Installs SCCM prerequisites including .NET Framework, Visual C++ redistributables, and Windows features required for SCCM installation.

sccm_install_wsus|Installs and configures Windows Server Update Services (WSUS) for SCCM software update management.

sccm_pxe|Additional PXE configuration tasks for SCCM OS deployment scenarios.

security_account_is_sensitive|Marks Active Directory accounts as "sensitive and cannot be delegated" to prevent Kerberos delegation attacks.

security_asr|Configures Windows Defender Attack Surface Reduction (ASR) rules to harden systems against common attack techniques.

security_enable_run_as_ppl|Enables LSA Protection (RunAsPPL) to prevent credential theft from LSASS memory.

security_powershell_restrict|Configures PowerShell execution policies and logging restrictions to enhance security posture.

settings_adjust_rights|Modifies Windows user rights assignments (SeServiceLogonRight, SeTcbPrivilege, etc.) for service accounts and users.

settings_admin_password|Changes local Administrator account password on Windows systems.

settings_copy_files|Copies files to Windows systems for configuration or deployment purposes.

settings_disable_nat_adapter|Disables the NAT network adapter on Windows systems to prevent DNS/routing conflicts.

settings_enable_nat_adapter|Enables the NAT network adapter on Windows systems for internet connectivity.

settings_gpmc|Installs Group Policy Management Console (GPMC) for GPO administration.

settings_gpo_remove|Removes specified Group Policy Objects from Active Directory.

settings_hostname|Changes the Windows hostname/computer name and reboots if required.

settings_keyboard|Configures keyboard layout and input language settings on Windows.

settings_no_updates|Disables Windows Update and automatic updates on lab systems to maintain consistent state.

settings_user_rights|Configures advanced user rights and privileges beyond standard role assignments.

settings_windows_defender|Configures Windows Defender Antivirus settings, exclusions, and real-time protection features.

sync_domains|Synchronizes time and replication between domain controllers in multi-domain environments.

trusts|Creates bidirectional forest trusts between separate Active Directory forests, enabling cross-forest authentication and resource access.

vulns_acls|Intentionally misconfigures Active Directory ACLs to create vulnerable permission scenarios for penetration testing (e.g., GenericAll, WriteDacl abuse paths).

vulns_adcs_esc10_case1|Configures ADCS Weak Certificate Mappings vulnerability (ESC10 Case 1) for penetration testing.

vulns_adcs_esc10_case2|Configures ADCS Weak Certificate Mappings vulnerability (ESC10 Case 2) for penetration testing.

vulns_adcs_esc11|Configures ADCS vulnerability ESC11 (IF_ENFORCEENCRYPTICERTREQUEST bypass) for penetration testing.

vulns_adcs_esc13|Configures ADCS vulnerability ESC13 (Issuance Policy with Group Link) for penetration testing.

vulns_adcs_esc15|Configures ADCS vulnerability ESC15 for penetration testing.

vulns_adcs_esc6|Enables the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on Certificate Authority to create ESC6 vulnerability allowing SAN specification in certificate requests.

vulns_adcs_esc7|Configures ADCS vulnerability ESC7 (Vulnerable Certificate Authority Access Control) for penetration testing.

vulns_adcs_templates|Creates intentionally vulnerable ADCS certificate templates beyond the standard set, for advanced security testing scenarios.

vulns_administrator_folder|Creates folders with weak permissions in Administrator profile or system directories for privilege escalation testing.

vulns_autologon|Configures Windows AutoLogon with stored credentials in registry for credential harvesting scenarios.

vulns_credentials|Stores domain credentials in Windows Credential Manager for credential theft and dumping exercises.

vulns_directory|Creates directory structures with intentionally weak NTFS permissions for privilege escalation testing.

vulns_disable_firewall|Disables Windows Firewall to create vulnerable network exposure scenarios.

vulns_enable_credssp_client|Enables CredSSP client role on Windows systems, creating potential for credential relay attacks.

vulns_enable_credssp_server|Enables CredSSP server role on Windows systems, allowing authentication with credential delegation.

vulns_enable_llmnr|Enables Link-Local Multicast Name Resolution (LLMNR) for name poisoning and credential capture attacks.

vulns_enable_nbt_ns|Enables NetBIOS Name Service (NBT-NS) for name poisoning attacks and credential interception.

vulns_files|Places files with sensitive information or weak permissions in accessible locations for discovery exercises.

vulns_mssql|Configures SQL Server with intentional security weaknesses including excessive permissions, weak authentication, and vulnerable configurations.

vulns_ntlmdowngrade|Configures systems to allow NTLMv1 authentication for downgrade attacks and credential cracking.

vulns_openshares|Creates network shares with overly permissive access controls for lateral movement and data access scenarios.

vulns_permissions|Configures intentionally weak NTFS and share permissions for privilege escalation testing.

vulns_schedule|Creates scheduled tasks with weak permissions or credential storage for privilege escalation.

vulns_shares|Creates additional network shares with various permission configurations for security testing.

vulns_smbv1|Enables SMBv1 protocol despite known security vulnerabilities for vulnerability scanning and exploitation exercises.

webdav|Installs and configures WebDAV server functionality for web-based file access and potential exploitation scenarios.
