To check modules already loaded
Get-ModuleTo import active directory module
Import-Module ActiveDirectoryDomain info
Get-ADDomainTo get user info
{% code title="Kerberoastable users" overflow="wrap" %}
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName{% endcode %}
To get all groups:
Get-ADGroup -Filter * | select nameDetailed group info:
Get-ADGroup -Identity "Backup Operators"To get group members:
Get-ADGroupMember -Identity "Backup Operators"| Command | Description |
|---|---|
Export-PowerViewCSV |
Append results to a CSV file |
ConvertTo-SID |
Convert a User or group name to its SID value |
Get-DomainSPNTicket |
Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| Domain/LDAP Functions: | |
Get-Domain |
Will return the AD object for the current (or specified) domain |
Get-DomainController |
Return a list of the Domain Controllers for the specified domain |
Get-DomainUser |
Will return all users or specific user objects in AD |
Get-DomainComputer |
Will return all computers or specific computer objects in AD |
Get-DomainGroup |
Will return all groups or specific group objects in AD |
Get-DomainOU |
Search for all or specific OU objects in AD |
Find-InterestingDomainAcl |
Finds object ACLs in the domain with modification rights set to non-built in objects |
Get-DomainGroupMember |
Will return the members of a specific domain group |
Get-DomainFileServer |
Returns a list of servers likely functioning as file servers |
Get-DomainDFSShare |
Returns a list of all distributed file systems for the current (or specified) domain |
| GPO Functions: | |
Get-DomainGPO |
Will return all GPOs or specific GPO objects in AD |
Get-DomainPolicy |
Returns the default domain policy or the domain controller policy for the current domain |
| Computer Enumeration Functions: | |
Get-NetLocalGroup |
Enumerates local groups on the local or a remote machine |
Get-NetLocalGroupMember |
Enumerates members of a specific local group |
Get-NetShare |
Returns open shares on the local (or a remote) machine |
Get-NetSession |
Will return session information for the local (or a remote) machine |
Test-AdminAccess |
Tests if the current user has administrative access to the local (or a remote) machine |
| Threaded 'Meta'-Functions: | |
Find-DomainUserLocation |
Finds machines where specific users are logged in |
Find-DomainShare |
Finds reachable shares on domain machines |
Find-InterestingDomainShareFile |
Searches for files matching specific criteria on readable shares in the domain |
Find-LocalAdminAccess |
Find machines on the local domain where the current user has local administrator access |
| Domain Trust Functions: | |
Get-DomainTrust |
Returns domain trusts for the current domain or a specified domain |
Get-ForestTrust |
Returns all forest trusts for the current forest or a specified forest |
Get-DomainForeignUser |
Enumerates users who are in groups outside of the user's domain |
Get-DomainForeignGroupMember |
Enumerates groups with users outside of the group's domain and returns each foreign member |
Get-DomainTrustMapping |
Will enumerate all trusts for the current domain and any others seen. |
{% code overflow="wrap" %}
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
{% endcode %}