Enumeration with Powerview
Import Module
. C:\AD\Tools\PowerView.ps1
Get current domain
Get-Domain
Get object of another domain
Get-Domain -Domain techcorp.local
Get domain SID for the current domain
Get-DomainSID
Get domain policy for the current domain
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
Get domain policy for another domain
(Get-DomainPolicyData -domain techcorp.local).systemaccess
Get domain controllers for the current domain
Get-DomainController
Get domain controllers for another domain
Get-DomainController -Domain techcorp.local
Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity studentuser1
Get-DomainUser -Identity studentuser1 -Properties *
Get-DomainUser -Properties pwdlastset
Search for a particular string in a user's attributes
Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description
Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "Windows Server 2019 Standard"
Get-DomainComputer -Ping
Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain techcorp.local
Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get the group membership for a user
Get-DomainGroup -UserName studentuser1
Get all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName us-dc
Get members of all local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroupMember -ComputerName us-dc
Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroupMember -ComputerName us-dc -GroupName Administrators
Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO -ComputerIdentity student1.us.techcorp.local
Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup
Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity student1.us.techcorp.local
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity us-mgmt.us.techcorp.local
Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity studentuser1 -Verbose
Get OUs in a domain
Get-DomainOU
Get computers in OU
(Get-DomainOU -Identity Students).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
Get the GPO applied to an OU (read the GPO name from the gplink attribute returned by Get-DomainOU)
Get-DomainGPO -Identity '{7162874B-E6F0-45AD-A3BF-0858DA4FA02F}'
Get users which are in a local group of a machine in any OU using GPO
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
Get users which are in a local group of a machine in a particular OU using GPO
(Get-DomainOU -Identity 'OU=Mgmt,DC=us,DC=techcorp,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
There is a bug in PowerView; otherwise the command below would work:
Get-DomainGPOComputerLocalGroupMapping -OUIdentity 'OU=Mgmt,DC=us,DC=techcorp,DC=local'
Get the ACLs associated with a specified object
Get-DomainObjectAcl -Identity studentuser1 -ResolveGUIDs
Get the ACLs associated with the specified LDAP path to be used for search
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local" -ResolveGUIDs -Verbose
Search for interesting ACEs (run without -ResolveGUIDs for faster results)
Find-InterestingDomainAcl -ResolveGUIDs
Get the ACEs one identity holds over another (here: which rights the managers group has over machineadmins)
Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match 'managers'}
Get the ACLs associated with the specified path
Get-PathAcl -Path "\\us-dc\sysvol"
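The ACL commands above list every ACE on an object; what an audit usually wants is the subset that lets someone other than the expected administrators modify a sensitive object. The function below is an added example, not part of the original cheat sheet or of PowerView itself. It assumes PowerView has been dot-sourced as shown at the top of this page (so Get-DomainObjectAcl and Convert-SidToName are available), and the default allow-list and the 'Domain Admins' target are placeholders for this lab domain; adjust the allow-list to the names your PowerView build renders for well-known SIDs.

```powershell
# Added example (not from the original cheat sheet): report every ACE on a
# sensitive object that grants a modify-class right to a principal that is
# not on an expected allow-list. Assumes PowerView is already dot-sourced.

function Get-UnexpectedAce {
    param(
        [Parameter(Mandatory)] [string] $Identity,          # object to audit, e.g. 'Domain Admins'
        [string[]] $ExpectedPrincipals = @(                 # placeholders: principals allowed to hold modify rights
            'BUILTIN\Administrators', 'Local System',
            'US\Domain Admins', 'US\Enterprise Admins'
        )
    )
    # Rights that let the holder change the object itself or its security descriptor
    $DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

    Get-DomainObjectAcl -Identity $Identity -ResolveGUIDs |
        Where-Object { $_.AceType -match '^AccessAllowed' -and $_.ActiveDirectoryRights -match $DangerousRights } |
        ForEach-Object {
            # Resolve the SID the same way the cheat sheet does for the managers/machineadmins check
            $principal = Convert-SidToName $_.SecurityIdentifier
            if ($ExpectedPrincipals -notcontains $principal) {
                [pscustomobject]@{
                    Object     = $Identity
                    Principal  = $principal
                    Rights     = $_.ActiveDirectoryRights
                    ObjectType = $_.ObjectAceType   # filled in by -ResolveGUIDs for object-specific ACEs, otherwise empty
                }
            }
        }
}

# Usage: one row per unexpected principal; an empty result means the object's
# DACL matches the allow-list.
Get-UnexpectedAce -Identity 'Domain Admins' | Format-Table -AutoSize
```

The result is a delta against a baseline rather than the full ACE dump Find-InterestingDomainAcl produces, which makes it practical to run on a schedule against a short list of high-value objects (privileged groups, the domain head, AdminSDHolder) and to alert only when a new principal appears.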
Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain techcorp.local
Get external trusts
Get-ForestDomain -Verbose | Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'}
Get details about the current forest
Get-Forest
Get all domains in the current forest
Get-ForestDomain
Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Map trusts of a forest
Get-ForestTrust
Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
INFO
This function queries the DC of the current or provided domain for a list of computers (Get-DomainComputer) and then runs Test-AdminAccess against each machine, multi-threaded.
The same check can also be done with remote administration tools such as WMI and PowerShell remoting, which is useful where the ports Find-LocalAdminAccess relies on (RPC and SMB) are blocked.
See Find-WMILocalAdminAccess.ps1 and FindPSRemotingLocalAdminAccess.ps1
Find computers where a domain admin (or specified user/group) has sessions:
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "StudentUsers"
INFO
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-DomainGroupMember, gets a list of computers (Get-DomainComputer) and then lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each machine.
Find computers where a domain admin session is available and the current user has admin access (uses Test-AdminAccess)
Find-DomainUserLocation -CheckAccess
Find computers (file servers and distributed file servers only) where a domain admin session is available
Find-DomainUserLocation -Stealth
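Both INFO notes above describe the same pattern: one account touching every computer returned by Get-DomainComputer over SMB/RPC in quick succession. Each touched host records that as a network logon (Security Event ID 4624, Logon Type 3), so when Security logs are collected centrally, a single account fanning out across many hosts in a few minutes is the signal to look for. The script below is an added example, not part of the original cheat sheet or of PowerView. The thresholds, the sample events and the host names are constructed for the demo; the 4624 property indexes follow the standard layout of that event.

```powershell
# Added example (not from the original cheat sheet): flag an account that performs
# network logons (4624 / Logon Type 3) on many distinct hosts within a short window,
# the footprint Find-LocalAdminAccess and Find-DomainUserLocation leave on every host
# they query once Security logs are collected centrally.

# Map a raw 4624 record from Get-WinEvent onto the fields the detection needs.
# Property indexes follow the standard 4624 layout; MachineName is the host that
# recorded the logon, i.e. the host that was queried.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        [pscustomobject]@{
            Time           = $Event.TimeCreated
            TargetUserName = $Event.Properties[5].Value
            LogonType      = [int]$Event.Properties[8].Value
            Computer       = $Event.MachineName
        }
    }
}

function Find-LogonSweep {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, TargetUserName, LogonType, Computer
        [int] $MinHosts = 5,                        # distinct hosts before an alert fires
        [int] $WindowMinutes = 10                   # window length in minutes
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |
        Group-Object TargetUserName |
        ForEach-Object {
            $account = $_.Name
            $sorted  = @($_.Group | Sort-Object Time)
            # Slide a window over this account's logons, oldest first; one alert per account.
            foreach ($first in $sorted) {
                $end   = $first.Time.AddMinutes($WindowMinutes)
                $hosts = @($sorted |
                           Where-Object { $_.Time -ge $first.Time -and $_.Time -le $end } |
                           Select-Object -ExpandProperty Computer |
                           Sort-Object -Unique)
                if ($hosts.Count -ge $MinHosts) {
                    [pscustomobject]@{
                        Account   = $account
                        Start     = $first.Time
                        HostCount = $hosts.Count
                        Hosts     = ($hosts -join ', ')
                    }
                    break
                }
            }
        }
}

# Constructed sample: studentuser1 reaches six hosts in under two minutes (a sweep),
# while svc_backup's two logons an hour apart are ordinary service traffic, and the
# interactive (type 2) logon is ignored by the filter.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:01'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-web1' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:15'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-mgmt' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:30'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-mssql' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:45'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-jump' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:01:10'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-helpdesk' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:01:40'; TargetUserName = 'studentuser1'; LogonType = 3; Computer = 'us-adconnect' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:00'; TargetUserName = 'studentuser1'; LogonType = 2; Computer = 'student1' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:05:00'; TargetUserName = 'svc_backup';   LogonType = 3; Computer = 'us-dc' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T10:05:00'; TargetUserName = 'svc_backup';   LogonType = 3; Computer = 'us-dc' }
)

Find-LogonSweep -Events $SampleEvents | Format-Table -AutoSize

# Live use on a collector or a host with forwarded Security logs:
# Find-LogonSweep -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-LogonEvent)
```

With the sample input only studentuser1 is reported (six hosts inside the ten-minute window). The threshold has to be tuned per environment: backup, monitoring and patching accounts legitimately fan out across hosts, so either exclude them by name or, better, alert on accounts that have never shown this pattern before. Because the Stealth variant only queries file servers and distributed file servers, a lower host threshold is needed to catch it.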
Kerberoastable users
Get-DomainUser -SPN