
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module. I will be continuously adding to this.


[adsisearcher] is a Windows PowerShell type accelerator for searching Active Directory Domain Services; it gives PowerShell easy access to the System.DirectoryServices.DirectorySearcher .NET class.

The DirectorySearcher class as described in the Microsoft documentation:

Use a DirectorySearcher object to search and perform queries against an Active Directory Domain Services hierarchy using Lightweight Directory Access Protocol (LDAP). LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports directory searching. An administrator can make, alter, and delete objects that are found in the hierarchy.

List All Users


List Admins


List Info of Specific User


View Users with Description Field

([adsisearcher]"(&(objectCategory=person)(objectClass=user)(description=*))").FindAll() | ForEach-Object { "{0} : {1}" -f $_.Properties.samaccountname[0], $_.Properties.description[0] }

Get Users

$ADSISearcher = [ADSISearcher]'(objectclass=user)'
$ADSISearcher.SearchRoot = [ADSI]"LDAP://OU=,OU=,DC=,DC="   # fill in the OU and DC components of the search base
$ADSISearcher.FindAll()

Search Single User


Search with explicit credentials, e.g. from a host that is not joined to the domain (binds as the given user rather than the current session):

(New-Object adsisearcher((New-Object adsi("LDAP://example.com","domain\username","password")),"(info=*pass*)")).FindAll()

Search for Keyword

([adsisearcher]"(info=*pass*)").FindAll() | %{ $_.GetDirectoryEntry() } | Select-Object sAMAccountName, info
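The one-liners in this section each build a fresh searcher and stop at the server's result cap. Below is an added example, not code from the original post, that wraps DirectorySearcher once with paging, a selectable search base and a fixed property list, and then uses it for the cases listed above (all users, the admins group, one user's details). It assumes a domain-joined host running as a domain user; the function and parameter names, and the account name nigel, are my own placeholders.

```powershell
# Added example, not from the original post. A reusable DirectorySearcher wrapper
# that pages through results (a non-paged search stops at the server's MaxPageSize,
# usually 1000 objects) and returns plain objects. Assumes a domain-joined host
# running as a domain user; the function and parameter names are my own.
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname', 'distinguishedname'),
        [string]$SearchBase,        # e.g. 'LDAP://OU=Staff,DC=corp,DC=local'; default is the domain root
        [int]$PageSize = 1000,
        [System.DirectoryServices.SearchScope]$Scope = 'Subtree'
    )
    # [adsi]'' binds to the default naming context of the current domain
    $root = if ($SearchBase) { [adsi]$SearchBase } else { [adsi]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize    = $PageSize
    $searcher.SearchScope = $Scope
    $searcher.PropertiesToLoad.AddRange($Properties)

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $o = [ordered]@{}
            foreach ($p in $Properties) {
                # every attribute comes back as a ResultPropertyValueCollection (0..n values)
                $v = @($r.Properties[$p.ToLower()])
                $o[$p] = if ($v.Count -le 1) { $v[0] } else { $v }
            }
            [pscustomobject]$o
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged handles
    }
}

# All user accounts. objectCategory=person excludes computer objects, which are
# also objectClass=user.
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user))' -Properties samaccountname, description

# Members of Domain Admins including nested groups, via the LDAP_MATCHING_RULE_IN_CHAIN
# matching rule (OID 1.2.840.113556.1.4.1941) so the server walks the nesting for us.
$daDn = (Invoke-LdapSearch -Filter '(&(objectClass=group)(cn=Domain Admins))').distinguishedname
Invoke-LdapSearch -Filter "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$daDn))" -Properties samaccountname, distinguishedname

# Detail for one account (nigel is a placeholder); pwdlastset is a FILETIME integer
Invoke-LdapSearch -Filter '(samaccountname=nigel)' -Properties samaccountname, description, memberof, pwdlastset, lastlogontimestamp |
    ForEach-Object { if ($_.pwdlastset) { $_.pwdlastset = [datetime]::FromFileTime($_.pwdlastset) }; $_ }
```

Setting PageSize is the detail most often missed: without it a domain with more than 1000 matching objects silently returns a partial list.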


Get DC Info

nslookup can be used to find the domain controllers' hostnames and IP addresses through the SRV records they register in DNS. The interactive session below first sets the query type, then looks up the DC locator record:

DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown

> set type=all
> _ldap._tcp.dc._msdcs.htb.local
Server:  UnKnown

_ldap._tcp.dc._msdcs.htb.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC.htb.local
DC.htb.local    internet address =

The domain name is appended to the _ldap._tcp.dc._msdcs. prefix; here the domain is htb.local, so the same lookup as a single command is:

C:\> nslookup -querytype=all _ldap._tcp.dc._msdcs.htb.local
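The DC locator record is one of several SRV records a domain publishes. The following is an added example, not part of the original post, that does the same discovery with the DnsClient module's Resolve-DnsName (Windows 8 / Server 2012 and later) for a handful of services at once and resolves each host to an address. The service list, the function name and the optional -Server parameter are my own choices; htb.local is the domain from the session above.

```powershell
# Added example, not from the original post: SRV-record discovery of domain services
# with Resolve-DnsName, with each target host resolved to its A record. The service
# list and function name are my own.
function Get-DomainSrvRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server     # optional DNS server, useful when the host does not use the domain's DNS
    )
    # _gc records are registered under the forest root domain; on a child domain
    # pass the forest name to see global catalogs
    $services = [ordered]@{
        'LDAP (DC)'     = "_ldap._tcp.dc._msdcs.$Domain"
        'LDAP (PDC)'    = "_ldap._tcp.pdc._msdcs.$Domain"
        'Kerberos (DC)' = "_kerberos._tcp.dc._msdcs.$Domain"
        'Kpasswd'       = "_kpasswd._tcp.$Domain"
        'GC'            = "_gc._tcp.$Domain"
    }
    foreach ($svc in $services.GetEnumerator()) {
        $query = @{ Name = $svc.Value; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        foreach ($rec in (Resolve-DnsName @query | Where-Object Type -eq 'SRV')) {
            $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A'
            [pscustomobject]@{
                Service  = $svc.Key
                Host     = $rec.NameTarget
                Port     = $rec.Port
                Priority = $rec.Priority
                Weight   = $rec.Weight
                IP       = (@($a.IPAddress) -join ', ')
            }
        }
    }
}

Get-DomainSrvRecords -Domain htb.local | Format-Table -AutoSize
```

Pass -Server with the DC's IP when the attacking host is not using the domain's resolver; the SRV names only exist in the domain's own zone.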


Queries the directory by using search criteria that you specify. Each of the dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object


Get Users

> dsquery user -name *

Get User Group Memberships

> dsquery user -samid "nigel" | dsget user -memberof -expand
"CN=Remote Management Users,CN=Builtin,DC=MEGACORP,DC=LOCAL"

Get Trusted Domains

> dsquery * -filter "(objectClass=trustedDomain)" -attr *
objectClass: top
objectClass: leaf
objectClass: trustedDomain
distinguishedName: <REDACTED>
instanceType: 4
whenCreated: 01/05/2020 16:27:58
whenChanged: 03/06/2020 13:34:11
uSNCreated: 21252
uSNChanged: 131946
showInAdvancedViewOnly: TRUE
name: <REDACTED>
securityIdentifier: <REDACTED> 
trustDirection: 2
trustPartner: <REDACTED>
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: <REDACTED>
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,<REDACTED>
isCriticalSystemObject: TRUE
dSCorePropagationData: 01/01/1601 00:00:00
msDS-TrustForestTrustInfo: <REDACTED>

Find DCs in Forest

> dsquery server -Forest

Find Users with Sensitive Descriptions

This is an interesting parameter to play with: some administrators put an account's password in its description, assuming the description is not visible to anyone, when in fact any authenticated domain user can read the description attribute by default.

By leveraging wildcards you can create some interesting search queries that may present you with some low hanging fruit.

> dsquery user -desc *pass*
> dsquery user -desc *cred*
> dsquery user -desc *key*

Worth noting that the dsquery computer and server commands both support the -desc parameter.
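The dsquery wildcards above run one attribute and one object type per command. The following is an added example, not from the original post, that generates a single LDAP filter covering several free-text attributes (description, info, comment) and object classes at once, escapes the keywords so they cannot change the filter structure, and reports which attribute matched. The keyword and attribute lists and the function names are my own; it assumes a domain-joined host.

```powershell
# Added example, not from the original post. Builds one LDAP filter that does what the
# dsquery -desc wildcards above do, but across several attributes and object classes in
# a single query, and reports which attribute matched. Keyword and attribute lists are
# my own choices; assumes a domain-joined host.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a keyword cannot alter the filter structure;
    # '*' is deliberately left unescaped because we want the wildcard
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-KeywordFilter {
    param([string[]]$Keywords, [string[]]$Attributes, [string[]]$Classes)
    $attrClauses = foreach ($a in $Attributes) {
        foreach ($k in $Keywords) { "($a=*$(ConvertTo-LdapFilterValue $k)*)" }
    }
    $classClauses = foreach ($c in $Classes) { "(objectClass=$c)" }
    "(&(|$($classClauses -join ''))(|$($attrClauses -join '')))"
}

function Find-SensitiveText {
    param(
        [string[]]$Keywords   = @('pass', 'pwd', 'cred', 'key', 'secret'),
        [string[]]$Attributes = @('description', 'info', 'comment'),
        [string[]]$Classes    = @('user', 'group', 'computer')
    )
    $searcher = [adsisearcher](New-KeywordFilter $Keywords $Attributes $Classes)
    $searcher.PageSize = 1000     # page past the default 1000-object cap
    $searcher.PropertiesToLoad.AddRange([string[]](@('samaccountname', 'objectclass') + $Attributes))

    foreach ($r in $searcher.FindAll()) {
        foreach ($a in $Attributes) {
            foreach ($text in $r.Properties[$a]) {
                $hit = $Keywords | Where-Object { $text -match [regex]::Escape($_) } | Select-Object -First 1
                if ($hit) {
                    [pscustomobject]@{
                        Account   = [string]$r.Properties['samaccountname'][0]
                        Class     = [string](@($r.Properties['objectclass'])[-1])   # most specific class is last
                        Attribute = $a
                        Keyword   = $hit
                        Value     = $text
                    }
                }
            }
        }
    }
}

New-KeywordFilter -Keywords pass, cred -Attributes description -Classes user   # inspect the generated filter
Find-SensitiveText | Format-Table -AutoSize
```

Because the whole sweep is one query, it is also one LDAP search on the DC's logs rather than a burst of dsquery calls.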


You can use nltest to:

  • Get a list of domain controllers
  • Force remote shutdown
  • Query the status of a trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers


Get Trusted Domains

> nltest /trusted_domains
List of domain trusts:
    0: <REDACTED> (NT 5) (Direct Outbound) ( Attr: foresttrans )
    1: <REDACTED> (NT 5) (Forest Tree Root) (Primary Domain) (Native)

Get Parent Domain

> nltest /parentdomain

PowerShell and .NET

Get Domain Controllers


Get Current Domain


Get Domain Trusts


Get Forest


Get Forest Trusts


Get Local SQL Server
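The System.DirectoryServices.ActiveDirectory classes answer every question in the headings of this section without writing an LDAP filter. The following is an added example, not code from the original post, that gathers the current domain, its domain controllers, the forest, domain and forest trusts, and locally installed SQL Server instances. It assumes a domain-joined host running as a domain user; the function names are my own.

```powershell
# Added example, not from the original post. Uses the .NET ActiveDirectory classes for
# domain, DC, forest and trust information and the registry/services for local SQL
# Server instances. Assumes a domain-joined host; function names are my own.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainOverview {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    $dcs = foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            Name  = $dc.Name
            IP    = $dc.IPAddress
            Site  = $dc.SiteName
            OS    = $dc.OSVersion
            Roles = (@($dc.Roles) -join ', ')   # FSMO roles held by this DC, empty for most
        }
    }
    # Domain trusts are between this domain and another domain; forest trusts span whole forests
    $domainTrusts = foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{ Source = $t.SourceName; Target = $t.TargetName; Type = $t.TrustType; Direction = $t.TrustDirection }
    }
    $forestTrusts = foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{ Source = $t.SourceName; Target = $t.TargetName; Type = $t.TrustType; Direction = $t.TrustDirection }
    }
    $parent = if ($domain.Parent) { $domain.Parent.Name } else { $null }   # null at the forest root

    [pscustomobject]@{
        Domain            = $domain.Name
        DomainMode        = $domain.DomainMode
        ParentDomain      = $parent
        PdcEmulator       = $domain.PdcRoleOwner.Name
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        ForestDomains     = (($forest.Domains | ForEach-Object Name) -join ', ')
        GlobalCatalogs    = (($forest.GlobalCatalogs | ForEach-Object Name) -join ', ')
        DomainControllers = $dcs
        DomainTrusts      = $domainTrusts
        ForestTrusts      = $forestTrusts
    }
}

function Get-LocalSqlInstance {
    # Installed instances are registered under this key; the service state shows which are running
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instances = if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Instance = $_.Name; InstanceId = $_.Value } }
    }
    $services = Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue | Select-Object Name, Status
    [pscustomobject]@{ Instances = $instances; Services = $services }
}

$overview = Get-DomainOverview
$overview | Format-List
$overview.DomainControllers | Format-Table -AutoSize
$overview.DomainTrusts, $overview.ForestTrusts | Format-Table -AutoSize
Get-LocalSqlInstance
```

TrustDirection and TrustType are the same values shown by nltest and the trustedDomain attributes above, but already decoded into enum names.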


WMI Cmdlets

Get-WmiObject exists only in Windows PowerShell (5.1 and earlier); on PowerShell 6+ use Get-CimInstance with the same -Namespace value and -ClassName in place of -Class.

Get Local Route Table

Get-WmiObject -Class Win32_IP4RouteTable
Get-WmiObject -Class Win32_IP4RouteTable | select description, nexthop

Get Local Users

Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount | select caption,SID,name

Get Local Groups

Get-WmiObject -Class Win32_Group

Get Current Domain

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select -ExpandProperty ds_dc
(Get-WmiObject -Class Win32_ComputerSystem).Domain

Get Current Domain Policy

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select DS_lockoutDuration, DS_lockoutObservationWindow, DS_lockoutThreshold, DS_maxPwdAge, DS_minPwdAge, DS_minPwdLength, DS_pwdHistoryLength, DS_pwdProperties

Get Domain Controller

532480 is the userAccountControl value a domain controller normally carries: SERVER_TRUST_ACCOUNT (8192) plus TRUSTED_FOR_DELEGATION (524288).

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480}
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480} | select ds_cn
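Comparing against the exact value 532480 misses a DC that has any extra flag set. The following is an added example, not from the original post, that decodes userAccountControl into its flag names and filters the same WMI class on individual bits, which also turns the query into a search for other interesting computer accounts such as unconstrained delegation hosts. The flag table is the documented userAccountControl bit layout; the function names are my own and a domain-joined host is assumed.

```powershell
# Added example, not from the original post. Decodes userAccountControl bit flags and
# filters ds_computer on a single bit instead of the exact value 532480. Function
# names are my own; assumes a domain-joined host.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl([int]$Value) {
    # names of every bit set in a userAccountControl value
    @($UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object Key)
}

function Get-WmiComputerByUacFlag {
    param([string]$FlagName = 'SERVER_TRUST_ACCOUNT')   # DCs; TRUSTED_FOR_DELEGATION finds unconstrained delegation
    $bit = $UacFlags[$FlagName]
    Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
        Where-Object { ($_.ds_userAccountControl -band $bit) -ne 0 } |
        Select-Object ds_cn, ds_dNSHostName,
            @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.ds_userAccountControl) -join ',' } }
}

ConvertFrom-UserAccountControl 532480            # decode the value used in the filter above
Get-WmiComputerByUacFlag                         # domain controllers
Get-WmiComputerByUacFlag TRUSTED_FOR_DELEGATION  # every computer trusted for unconstrained delegation
```

The same decoder applies to ds_user objects, where DONT_REQ_PREAUTH and PASSWD_NOTREQD are the bits worth looking for.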

Get Domain Users

Win32_UserAccount returns local accounts and, on a domain-joined host, domain accounts as well; on a large domain this is slow, so filter on the Domain property:

Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount | select name
Get-WmiObject -Class Win32_UserAccount -Filter "Domain = 'targetdomain'"

Get Domain Groups

Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_GroupInDomain | fl *
Get-WmiObject -Class Win32_GroupInDomain | Foreach-Object {[wmi]$_.PartComponent}
Get-WmiObject -Class Win32_GroupInDomain | where-object {$_.GroupComponent -match "domain"} | foreach-object {[wmi]$_.PartComponent}

Get Domain Admins Group Members

Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent} 
Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "domain" -and $_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent}

Get User Group Memberships

Get-WmiObject -Class Win32_GroupUser | where-object {$_.PartComponent -match "nigel"} | foreach-object {[wmi]$_.GroupComponent} 

Get Domain Computers

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
(Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_cn -eq "DC-Name"}).Properties | foreach-object {If($_.value -AND $_.name -notmatch "__"){@{$($_.name) = $($_.value)}}}