
Domain enumeration requires either PowerView.ps1 or the Active Directory PowerShell Module (ADModule). Where a command belongs to one tool only, it is labelled with a `#` comment; comments must be removed or kept after `#` when the line is pasted into PowerShell.


Get Current Domain

Get-NetDomain    # PowerView.ps1

Get-ADDomain     # ADModule

Get the domain object of another Domain

Get-NetDomain -Domain <target-domain>

Get-ADDomain -Identity <target-domain>

Get Domain SID for the current Domain

Get-DomainSID               # PowerView.ps1

(Get-ADDomain).DomainSID    # ADModule

Get Domain Policy for the current Domain


(Get-DomainPolicy)."system access"      # PowerView.ps1
(Get-DomainPolicy)."kerberos Policy"

Get Domain Policy for another Domain

(Get-DomainPolicy -domain <target-domain>)."system access"    # PowerView.ps1

Get Domain Controllers for the current Domain

Get-NetDomainController     # PowerView.ps1

Get-ADDomainController      # ADModule

Get Domain Controllers for another Domain

Get-NetDomainController -Domain <target-domain>

Get-ADDomainController -DomainName <target-domain> -Discover

Get list of users in the current Domain

Get-NetUser | select cn
Get-NetUser -Username <username>

Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties * | select Name
Get-ADUser -Identity <username>
Get-ADUser -Identity <username> -Properties *

Get list of all properties for users in the current Domain

Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount     # A small logon count means the account is not actively used, or it is a decoy account
Get-UserProperty -Properties badpwdcount    # These properties can be used to tell a honeyuser/decoy user from a legitimate one

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::FromFileTime($_.pwdlastset)}}    # pwdlastset is a FILETIME value; convert it to a readable date

Search for particular string in a user’s attributes

Find-UserField -SearchField Description -SearchTerm "built"

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description

Get a list of computers in the current Domain

Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-ADComputer -Filter *
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

Get all the groups in the current Domain

Get-NetGroup -Domain <target-domain>
Get-NetGroup -FullData

Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

Get all groups containing the word ‘admin’ in the Group name

Get-NetGroup -GroupName *admin*
Get-NetGroup -GroupName *admin* -Domain <target-domain>
Get-NetGroup -FullData
Get-NetGroup "admin"
Get-NetGroup 'Domain Admins'
Get-NetGroup 'Domain Admins' -FullData

Get-ADGroup -Filter *
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all members of the Domain Admin’s Group

Get-NetGroupMember -GroupName 'Domain Admins'
Get-NetGroupMember -GroupName 'Enterprise Admins' -Domain <domain>
Get-NetGroupMember -GroupName 'Domain Admins' -Recurse
Get-NetGroupMember -GroupName 'Administrators' -Recurse

Get-ADGroupMember -Identity 'Domain Admins' -Recursive
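The one-liners above list who is in a privileged group; what an auditor usually wants next is the password age and last-logon information from the "user properties" section joined onto that list. The following script is an added example (not part of the original cheat sheet and not PowerView or Microsoft code) that does this with the Active Directory module only. It assumes the ActiveDirectory module is installed, that the current user can read the domain, and a hypothetical threshold of 180 days for flagging a stale privileged password; tune the threshold to the domain's password policy.

```powershell
# Added example: audit a privileged group with the Active Directory module.
# -Recursive expands nested groups to their leaf members; only user objects
# are kept. pwdLastSet and lastLogonTimestamp are raw FILETIME values
# (0 = never), so they are converted with [datetime]::FromFileTime exactly
# as the pwdlastset one-liner in the cheat sheet does.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string]$GroupName = 'Domain Admins',
        [int]$MaxPasswordAgeDays = 180   # hypothetical threshold; align with the real policy
    )

    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties pwdLastSet, lastLogonTimestamp, PasswordNeverExpires

        $pwdSet    = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }
        $lastLogon = if ($u.lastLogonTimestamp -gt 0) { [datetime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        $pwdAge    = if ($pwdSet) { [int]((Get-Date) - $pwdSet).TotalDays } else { $null }

        [pscustomobject]@{
            Group                = $GroupName
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $pwdSet
            PasswordAgeDays      = $pwdAge
            LastLogon            = $lastLogon
            # Flag: never-expiring, never-set, or older than the threshold
            Flag                 = [bool]($u.PasswordNeverExpires -or
                                          $null -eq $pwdAge -or
                                          $pwdAge -gt $MaxPasswordAgeDays)
        }
    }
}

# Usage: report every effective Domain Admin, flagged rows first
Get-PrivilegedGroupReport -GroupName 'Domain Admins' |
    Sort-Object Flag -Descending |
    Format-Table -AutoSize
```

Run it once per privileged group (Domain Admins, Enterprise Admins, Administrators, Schema Admins); a flagged row is an account to review, not proof of compromise. lastLogonTimestamp is replicated only every 9 to 14 days, so LastLogon is approximate.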

Get all Group Memberships for a user

Get-NetGroup -UserName "<username>"

Get-ADPrincipalGroupMembership -Identity <username>

List all the Local Groups on a machine

Get-NetLocalGroup -ComputerName <computer-name>
Get-NetLocalGroup -ComputerName <computer-name> -ListGroups

Get members of all the Local Groups on a machine

# needs admin privs on the target
Get-NetLocalGroup -ComputerName <computer> -Recurse

Get actively logged on users on a computer

# needs local admin rights on the target
Get-NetLoggedon -ComputerName <computer-name>

Get locally logged on users on a computer

# needs the Remote Registry service on the target and local admin rights
Get-LoggedonLocal -ComputerName <computer-name>

Get last logged on users on a computer

# needs admin rights and the Remote Registry service on the target
Get-LastLoggedOn -ComputerName <computer-name>

Find shares on hosts in current Domain

Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC

Find sensitive files on computers in the Domain

Invoke-FileFinder -Verbose    # needs read privs on the share

Get all fileservers of the Domain

Get-NetFileServer -Verbose    # Looks for high value targets - servers where many users connect/authenticate

Get list of GPOs in current Domain

Get-NetGPO | select displayname     # Default Domain Policy and Default Domain Controllers Policy exist in every domain
Get-NetGPO -ComputerName <computer-name>

gpresult /R /V

Get-GPO -All      # GroupPolicy module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\users\administrator\report.html    # Provides RSoP for the current user/computer

Get GPO(s) which use Restricted Groups or groups.xml for interesting users

Get-NetGPOGroup

Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -ComputerName <computer-name>

Get machines where the given user is a member of a specific group

Find-GPOLocation -Username <username> -Verbose

Get OUs in a Domain

Get-NetOU -FullData

Get-ADOrganizationalUnit -Filter * -Properties *

Get GPO applied on an OU

# Read the GPO name (GUID) from the gplink attribute returned by Get-NetOU -FullData
Get-NetGPO -GPOname "{ab30...}"

Get-GPO -Guid ab30...
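The gplink attribute is a single string, so reading the GPO GUID out of it by hand gets tedious for more than one OU. The following script is an added example (not part of the original page, not PowerView or Microsoft code) that parses gPLink with the Active Directory module alone and resolves each link to the GPO's display name, so the GroupPolicy module's Get-GPO is not required. It assumes the ActiveDirectory module and read access to the domain; the OU distinguished name passed in is a placeholder.

```powershell
# Added example: list the GPOs linked to an OU by parsing its gPLink attribute.
# gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=local;0]"
# repeated once per link. The trailing number is a flag word:
#   bit 0 (1) = link disabled, bit 1 (2) = link enforced.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-OuLinkedGpo {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $ou = Get-ADOrganizationalUnit -Identity $OuDistinguishedName -Properties gPLink, gPOptions
    if (-not $ou.gPLink) { return }   # OU has no linked GPOs

    foreach ($m in [regex]::Matches($ou.gPLink, '\[LDAP://([^;]+);(\d+)\]')) {
        $gpoDn = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        # The GPO container object carries the display name and SYSVOL path
        $gpo = Get-ADObject -Identity $gpoDn -Properties displayName, gPCFileSysPath

        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            GpoGuid       = $gpo.Name          # "{GUID}" as used by Get-NetGPO -GPOname / Get-GPO -Guid
            GpoName       = $gpo.displayName
            Enforced      = [bool]($flags -band 2)
            LinkDisabled  = [bool]($flags -band 1)
            SysvolPath    = $gpo.gPCFileSysPath
            # gPOptions = 1 means "block inheritance" on this OU
            BlocksInherit = ($ou.gPOptions -eq 1)
        }
    }
}

# Usage: placeholder OU DN; replace with the OU under review
Get-OuLinkedGpo -OuDistinguishedName 'OU=Servers,DC=<>,DC=<>' | Format-Table -AutoSize

# Or inventory every OU in the domain
Get-ADOrganizationalUnit -Filter * | ForEach-Object { Get-OuLinkedGpo -OuDistinguishedName $_.DistinguishedName }
```

The SysvolPath column points at the folder where groups.xml and other preference files for that GPO live, which is what the Restricted Groups / groups.xml check above is reading.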

Get ACLs associated with the specified object

Get-ObjectAcl -SamAccountName <student1> -ResolveGUIDS

Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose

Enumerate ACLs using ADModule but without resolving GUIDs

(Get-Acl 'AD:\CN=Administrator, CN=Users, DC=<>, DC=<>, DC=<>').Access

Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins, CN=Users, DC=<>, DC=<>, DC=<>" -ResolveGUIDs -Verbose    # PowerView.ps1, with GUIDs resolved

Search for interesting ACEs - write/modify rights etc.

Invoke-ACLScanner -ResolveGUIDs
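The ADModule variant above returns raw GUIDs in the ObjectType field, which is why the PowerView commands carry -ResolveGUIDs. The following script is an added example (not part of the original page, not PowerView or Microsoft code) that reproduces the resolution step with the Active Directory module: it builds a GUID-to-name map from the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid), then reports the ACEs on one object that grant write-class rights to anyone outside an expected-principals list. It assumes the ActiveDirectory module, read access to the schema and configuration naming contexts, and that the ignore list (SYSTEM, BUILTIN\Administrators, SELF, Domain Admins, Enterprise Admins) is what the domain considers expected; adjust it for the environment.

```powershell
# Added example: audit the ACL of an AD object and resolve the GUIDs that
# Get-Acl on the AD: drive leaves unresolved.
#   schemaIDGUID in the schema NC  -> attribute / class names
#   rightsGuid in CN=Extended-Rights -> extended rights (e.g. password reset)
# Assumes the ActiveDirectory module and read access to schema/config NCs.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.Name }          # schemaIDGUID is a 16-byte array
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }    # rightsGuid is a string
    return $map
}

function Get-InterestingAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # principals whose write access is expected on nearly every object; tune per domain
        [string[]]$IgnoreIdentity = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF')
    )
    $guidMap     = Get-AdGuidMap
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
    $domain      = (Get-ADDomain).NetBIOSName
    $expected    = $IgnoreIdentity + "$domain\Domain Admins" + "$domain\Enterprise Admins"

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match $writeRights -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            # Empty GUID = the ACE applies to the whole object, not one attribute/right
            $objType = if ($_.ObjectType -eq [guid]::Empty) { 'All' }
                       elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                       else { $_.ObjectType.ToString() }
            [pscustomobject]@{
                Object     = $DistinguishedName
                Identity   = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $objType
                Inherited  = $_.IsInherited
            }
        }
}

# Usage: who, other than the expected administrators, can write to the Domain Admins group object?
$dn = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-InterestingAce -DistinguishedName $dn | Format-Table -AutoSize
```

Building the GUID map walks the whole schema once, so cache the returned hashtable if you audit many objects in one session. Inherited rows usually trace back to an ACE higher in the tree; the Inherited column tells you whether to fix the object itself or its parent.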

Get ACLs associated with the specified path

Get-PathAcl -Path "\\<path>\"

Get a list of all Domain Trusts for the current Domain

Get-DomainTrust -API
Get-NetDomainTrust -Domain <domain>

Get-ADTrust -Filter *
Get-ADTrust -Identity <domain>

Get details about the current Forest

Get-NetForest -Forest <forest-name>

Get-ADForest -Identity <forest-name>

Get all Domains in the current Forest

Get-NetForestDomain -Forest <forest-name>

Get-ADForest -Identity <forest-name> | select -ExpandProperty Domains
Get all Global Catalogs for the current Forest

Get-NetForestCatalog -Forest <forest-name>

Get-ADForest | select -ExpandProperty GlobalCatalogs

Map trusts of a Forest

Get-NetForestTrust -Forest <forest-name>

Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Find all machines on current Domain where current user has local admin access

Find-LocalAdminAccess -Verbose

Find computers where a Domain admin (or specified user/group) has sessions

Invoke-UserHunter -GroupName "RDPUsers"

Confirm admin access

Invoke-UserHunter -CheckAccess

Find all computers where a domain admin is logged-in

Invoke-UserHunter -Stealth