# Enumeration
## Domain Information
{% tabs %}
{% tab title="PowerShell" %}
```powershell
$ADCLass = [System.DirectoryServices.ActiveDirectory.Domain];$ADClass::GetCurrentDomain();
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, ds_distinguishedname, pscomputername
#get DC
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {$_.ds_useraccountcontrol -match 532480} | select ds_cn, ds_dnshostname, ds_operatingsystem
#get servers
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {$_.ds_useraccountcontrol -match 4096} | select ds_cn, ds_dnshostname, ds_operatingsystem
```
{% endtab %}
{% tab title="PowerView" %}
Get-NetDomain
Get-NetDomain -Domain <domain>
Get-DomainSID
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
Get-NetDomainController
#Trust policies
Get-NetDomainTrust
Get-NetDomainTrust -Domain <domain>
#Forest
Get-NetForest
Get-NetForest -Forest <forest domain>
Get-NetForestDomain
Get-NetForestDomain -Forest <forest domain>
Get-NetForestCatalog
Get-NetForestCatalog -Forest <forest domain>
Get-NetForestTrust
Get-NetForestTrust -Forest <forest domain>
{% endtab %}
{% tab title="LDAP Module" %}
#Get-ADDomain
Get-ADDomain -Identity <domain>
(Get-ADDomain).DomainSid
Get-ADDomainController
#Trust policies
Get-ADTrust
Get-ADTrust -Identity <domain>
#Forest
Get-ADForest
Get-ADForest -Identity <forest domain>
(Get-ADForest).Domains
Get-ADForest | select -ExpandProperty GlobalCatalogs
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
{% endtab %}
{% endtabs %}
## Machines
{% tabs %}
{% tab title="PowerShell" %}
```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer
```
{% endtab %}
{% tab title="PowerView" %}
```powershell
Get-NetComputer
Get-NetComputer -OperatingSystem "**"
Get-NetComputer -Ping
Get-NetComputer -FullData
```
Find shares and files
```powershell
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose //show files from readable shares
Get-NetFileServer
```
{% endtab %}
{% tab title="LDAP Module" %}
```powershell
Get-ADComputer -Filter * -Properties name | select name
Get-ADComputer -Filter 'OperatingSystem like "**"' -Properties * | select name.OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
```
{% endtab %}
{% endtabs %}
## User Information
{% tabs %}
{% tab title="CMD" %}
```batch
net user /domain #list all
net user /domain #get info on the user
net accounts /domain #get info on the account policies
```
{% endtab %}
{% tab title="PowerShell" %}
```powershell
Get-WmiObject -Class win32_useraccount
Get-WmiObject -Class win32_useraccount | select name, domain, accounttype
```
List of machines where the current user is administrator
```powershell
$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) {
(Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name
}
```
{% endtab %}
{% tab title="PowerView" %}
```powershell
Get-NetUser
Get-NetUser -Username
Get-UserProperty #List of properties
Get-UserProperty -Properties #value of property values for all users
Get-UserProperty -Properties description #might contain credentials
```
Search a string in user properties
```powershell
Find-userField -SearchField -SearchTerm ""
```
Get logged users
```powershell
Get-NetLoggedOn -ComputerName #requires local admin
Get-LoggedOnLocal -ComputerName
Get-LastLoggedOn -ComputerName #requires local admin
Get-NetSession -ComputerName #summary of users and concurrent sessions
```
User Hunting
```powershell
Find-LocalAdminAccess -Verbose //find all machines where current user is admin
Invoke-CheckLocalAdminAccess //check if user has admin privilege on given machine
Invoke-UserHunter //find machines where current user has sessions
Invoke-UserHunter -GroupName "RDPUsers" //find machines where user can RDP to
Invoke-UserHunter -CheckAccess //check for admin access
```
{% endtab %}
{% tab title="LDAP Module" %}
```powershell
Get-ADUser -Filter * #default properties
Get-ADUser -Filter * -Properties * #all properties
Get-ADUser -Filter * -Properties description #description might contain credentials
Get-ADUser -Identity -Properties *
#List of properties
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select name
#If the machine we are running the query from is not part of a domain we need to specify the DC to query
Get-ADUser -Identity -Server -Properties *
Get-ADUser -Filter 'Name -like ""' -Server -Properties *
```
Search a string in user properties
```powershell
Get-ADUser -Filter ' like '** -Properties * | select name,
```
{% endtab %}
{% endtabs %}
## Groups
{% tabs %}
{% tab title="CMD" %}
```batch
net group /domain //list all
net group /domain //get info on group
```
{% endtab %}
{% tab title="PowerShell" %}
```powershell
Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}
```
Users in group
```powershell
Get-WmiObject -Class win32_groupuser | where {$_.groupcomponent -match ''} | foreach {[wmi]$_.partcomponent}
```
Groups of user
```powershell
Get-WmiObject -Class win32_groupuser | where {$_.partcomponent -match ''} | foreach {[wmi]$_.groupcomponent}
```
{% endtab %}
{% tab title="PowerView" %}
```powershell
Get-NetGroup
Get-NetGroup -Domain
Get-NetGroup -FullData
Get-NetGroup **
```
Users in group
```powershell
Get-NetGroupMember -GroupName -Recurse
```
Groups of user
```powershell
Get-NetGroup -Username
```
List all groups on a machine. Requires administrative privileges or the machine has to be a domain controller
```powershell
Get-NetLocalGroup -ComputerName -ListGroups
Get-NetLocalGroup -ComputerName -Recurse
```
{% endtab %}
{% tab title="LDAP Module" %}
```powershell
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -eq ""' -Properties *
Get-ADGroup -Filter 'Name -like "**"' -Properties *
```
Users in group
```powershell
Get-ADGroupMember -Identity -Recursive
```
Groups of user
```powershell
Get-ADPrincipalGroupMembership -identity
```
{% endtab %}
{% endtabs %}
## Group Policies (GPO)
{% tabs %}
{% tab title="PowerShell" %}
```powershell
gpresult /RV #get set of policies applied on current machine
```
{% endtab %}
{% tab title="PowerView" %}
```powershell
Get-NetGPO
Get-NetGPO | select displayname
Get-NetGPO -ComputerName
Get-NetGPOGroup #GPOs for restricted groups or users
```
Users under the machine's group policy
```powershell
Find-GPOComputerAdmin -ComputerName //find users under the machine's GPO
Find-GPOLocation -UserName -Verbose //find machines that apply GPs to user
```
Organization Units
```powershell
Get-NetOU -FullData
Get-NetOU -FullData | select displayname,gplink //get GPO name from gplink attr
Get-NetGPO -GPOName "{}" //GPOs applied to OU
```
{% endtab %}
{% tab title="LDAP Module" %}
list GPO
Get-GPO -All
Get-GPResultantsetOfPolicy -ReportType Html -Path <output path>
get details of GPO
```powershell
Get-ADOrganizationalUnit -Filter * -Properties *
Get-GPO -Guid
```
{% endtab %}
{% endtabs %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://security-notes.gitbook.io/security-notes/active-directory/enumeration.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.