Enumeration with Active Directory Module
Import Module
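# Load the ActiveDirectory module from a local copy of its DLL and manifest
# (no RSAT install needed). Paths are the ones used by this sheet's lab layout.
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

# Get current domain
Get-ADDomain

# Get object of another domain
Get-ADDomain -Identity techcorp.local

# Get domain SID for the current domain
(Get-ADDomain).DomainSID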
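# Get domain policy for the current domain
# "None": the sheet lists no ActiveDirectory-module command for this item.
echo None

# Get domain policy for another domain
echo None

# Get domain controllers for the current domain
Get-ADDomainController

# Get domain controllers for another domain
Get-ADDomainController -DomainName techcorp.local -Discover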
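# Get a list of users in the current domain
# NOTE: `-Filter * -Properties *` fetches every attribute of every account. On a
# large domain this is slow and is a conspicuous LDAP query in DC-side logging;
# narrow the filter and property list when a specific attribute is wanted.
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity studentuser1 -Properties *

# List the attribute names exposed on a user object (first user only)
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

# Show each user's pwdLastSet as a readable date. pwdLastSet is a FILETIME, so it
# is converted with [datetime]::fromFileTime; only that attribute is requested,
# and the calculated column is given a name instead of showing the expression.
Get-ADUser -Filter * -Properties pwdlastset | select name,@{name='PwdLastSet';expression={[datetime]::fromFileTime($_.pwdlastset)}}

# Search for a particular string in a user's attributes
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description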
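# Get a list of computers in the current domain
Get-ADComputer -Filter * | select Name

# Computers running a specific OS (substring match on the OperatingSystem attribute)
Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server 2019 Standard*"' -Properties OperatingSystem | select Name,OperatingSystem

# Ping every computer object once. This sends ICMP to every host in the domain,
# which is slow and noisy; stale computer objects simply time out.
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

# All computer objects with every attribute (see the note on -Properties * above)
Get-ADComputer -Filter * -Properties *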
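# Get all the groups in the current domain
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

# Get all groups containing the word "admin" in group name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

# Get all the members of the Domain Admins group
# -Recursive expands nested groups. Membership of these groups is what
# defenders audit most closely; unexpected entries here warrant investigation.
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Same query against another domain
Get-ADGroupMember -Identity 'Enterprise Admins' -Server techcorp.local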
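# Get the group membership for a user
# (direct memberships only; the wrapper function below walks nested groups)
Get-ADPrincipalGroupMembership -Identity studentuser1

# Get the group membership for a user recursively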
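# Recursively list the groups a principal belongs to by walking nested group
# membership through Get-ADPrincipalGroupMembership.
#
# Arguments:
#   $SamAccountName - sAMAccountName or distinguishedName of the user/group to start from
#   $Visited        - (internal) hashtable of DNs already emitted; callers leave it
#                     at its default. It stops the walk on circular nesting and
#                     suppresses duplicates when a group is reachable by several paths.
# Outputs:
#   distinguishedName of each group found, one per line, each DN only once.
function Get-ADPrincipalGroupMembershipRecursive ($SamAccountName, $Visited = @{})
{
    $groups = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        select -ExpandProperty distinguishedname)

    # AD permits circular nesting (A in B, B in A); without this check the
    # original version recursed until the call depth was exhausted.
    $unseen = @($groups | Where-Object { -not $Visited.ContainsKey($_) })
    foreach ($group in $unseen) {
        $Visited[$group] = $true
    }

    # Emit this level first, then descend (same output order as the original
    # for non-circular trees, minus the duplicates).
    $unseen
    foreach ($group in $unseen) {
        Get-ADPrincipalGroupMembershipRecursive $group $Visited
    }
}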
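# Recursive membership walk for one user (function defined above)
Get-ADPrincipalGroupMembershipRecursive "studentuser19"

# The items below are marked "None" on the sheet: no ActiveDirectory-module
# command is listed for them (local-group and GPO enumeration).

# Get all the local groups on a machine (needs administrator privs on non-dc machines)
echo None

# Get members of all local groups on a machine (needs administrator privs on non-dc machines)
echo None

# Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)
echo None

# Get list of GPO in current domain
echo None

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
echo None

# Get users which are in a local group of a machine using GPO
echo None

# Get machines where the given user is member of a specific group
echo None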
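# Get OUs in a domain
# The sheet originally listed Get-DomainOU here, which is a PowerView cmdlet,
# not part of the ActiveDirectory module. Get-ADOrganizationalUnit is the
# module's equivalent; gPLink holds the GPOs linked to each OU.
Get-ADOrganizationalUnit -Filter * -Properties gPLink

# Get GPO applied on an OU. Read the GPO name from the gPLink attribute returned above.
echo None

# Get users which are in a local group of a machine in any OU using GPO
echo None

# Get users which are in a local group of a machine in a particular OU using GPO
echo None

# There is a bug in PowerView, otherwise the below command would work
echo None

# We can also enumerate ACLs using the ActiveDirectory module but without resolving GUIDs
# (ObjectType / InheritedObjectType are shown as raw GUIDs rather than right names).
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local').Access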
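# Get a list of all domain trusts for the current domain
# (if the cmdlet prompts for a filter in your module version, use: Get-ADTrust -Filter *)
Get-ADTrust
Get-ADTrust -Identity techcorp.local

# Get details about the current forest
Get-ADForest

# Get all domains in the current forest
(Get-ADForest).Domains

# Get all global catalogs for the current forest
Get-ADForest | select -ExpandProperty GlobalCatalogs

# Map trusts of a forest
# Single quotes are intentional: the AD filter parser resolves $True itself.
Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name

# Kerberoastable users (accounts with a ServicePrincipalName set)
# Defender note: such accounts should have long random passwords or be gMSAs;
# service-ticket requests for them are logged on the DC as event 4769.
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName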