Users and Computers

ADModule (ActiveDirectory module) - works in Constrained Language Mode (CLM) and is Microsoft signed

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

Get current domain

Get-Domain (PowerView)
Get-ADDomain (ActiveDirectory Module)

Get object of another domain

Get-Domain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local

Get domain SID for the current domain

Get-DomainSID
(Get-ADDomain).DomainSID

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain controllers for the current domain

Get-DomainController
Get-ADDomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -Discover

Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity student1
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Get list of all properties for users in the current domain

Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Get all the groups in the current domain

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

Get all groups containing the word "admin" in group name

Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all the members of the Domain Admins group

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
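As an added example (not part of these notes), the following ActiveDirectory-module script combines the recursive group membership lookup above with the pwdLastSet FILETIME conversion from the user section to review the members of a privileged group; the group name and the password-age threshold are assumptions, adjust them for your environment:

```powershell
# Added example, not from the original notes: audit the recursive membership of a
# privileged group and flag accounts whose password is stale or never expires.
# $GroupName and $MaxPasswordAgeDays are assumed defaults, not values from the notes.
param(
    [string]$GroupName = 'Domain Admins',
    [int]$MaxPasswordAgeDays = 90
)

Import-Module ActiveDirectory

# -Recursive resolves nested groups, so members of groups inside the group are included.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties pwdLastSet, lastLogonTimestamp, Enabled, PasswordNeverExpires

    # pwdLastSet and lastLogonTimestamp are Windows FILETIME values; 0 means never set.
    $pwdSet    = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }
    $lastLogon = if ($u.lastLogonTimestamp -gt 0) { [datetime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $ageDays   = if ($pwdSet) { [int]((Get-Date) - $pwdSet).TotalDays } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        PwdLastSet           = $pwdSet
        PasswordAgeDays      = $ageDays
        LastLogon            = $lastLogon
        # Flagged when the password was never set, is older than the threshold,
        # or is exempt from expiry; all three deserve a review on a privileged account.
        Flag                 = ($null -eq $pwdSet) -or
                               ($ageDays -gt $MaxPasswordAgeDays) -or
                               $u.PasswordNeverExpires
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Note that Get-ADGroupMember -Recursive returns only user, group and computer principals, so foreign security principals from trusted domains are not expanded here.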

Get the group membership for a user:

Get-DomainGroup -UserName "student1"
Get-ADPrincipalGroupMembership -Identity student1

List all the local groups on a machine (needs administrator privs on non-DC machines):

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privs on non-DC machines):

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged users on a computer (needs remote registry on the target - started by default on server OS)

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName dcorp-adminsrv

Find shares on hosts in the current domain

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer
