PowerShell Domain Enumeration
Here are some commands for PowerShell to do domain enumeration in an AD environment; these are all of my personal notes from a course I'm taking.
Get current domain
Get-ADDomain
Get object from another domain
Get-ADDomain -Identity <insert target domain>
Get domain controllers for current domain
Get-ADDomainController
Get domain controller for another domain
Get-ADDomainController -DomainName <insert target domain> -Discover
Get a list of users in the current domain
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <insert user> -Properties *
Get list of all properties for users in the current domain
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property
Get the time each user's password was last set (pwdlastset is a Windows FILETIME)
Get-ADUser -Filter * -Properties * | select Name, @{name='PwdLastSet'; expression={[datetime]::fromFileTime($_.pwdlastset)}}
Search for a particular string in a user's attributes
Get-ADUser -Filter 'Description -like "*<insert search term>*"' -Properties Description | Select name, Description
Get list of computers in the current domain
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*<insert OS>*"' -Properties OperatingSystem | select Name, OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
Get all the groups in the current domain
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
Get all groups containing the word "admin" in group name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get all of the members of the Domain Admins group
Get-ADGroupMember -Identity "Domain Admins" -Recursive
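As an added example that is not part of these course notes, the function below combines the recursive Domain Admins lookup above with the pwdlastset conversion shown earlier to audit a privileged group from the defender's side: it resolves nested membership and flags accounts whose password is older than a threshold. The function name, parameters and the 90-day default are assumptions; it only relies on the ActiveDirectory module cmdlets already used on this page.

```powershell
# Added example (not from the course notes): audit the resolved membership of a
# privileged group and flag accounts whose password is older than a threshold.
# Assumes the ActiveDirectory (RSAT) module is available and the caller can read
# the domain; group name and threshold are hypothetical defaults.
function Get-PrivilegedAccountAudit {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Domain Admins',   # group to audit
        [int]$MaxPasswordAgeDays = 90           # flag passwords older than this
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # -Recursive expands nested groups, so indirect members are included too.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon".
            $u = Get-ADUser -Identity $_.distinguishedName -Properties pwdLastSet, Enabled, LastLogonDate
            $pwdSet = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }

            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                PwdLastSet     = $pwdSet
                LastLogonDate  = $u.LastLogonDate
                # An unset timestamp also counts as stale so it is not silently skipped.
                StalePassword  = ($null -eq $pwdSet) -or ($pwdSet -lt $cutoff)
            }
        } |
        Sort-Object PwdLastSet
}

# Usage: list Domain Admins members whose password is older than 90 days.
Get-PrivilegedAccountAudit -GroupName 'Domain Admins' -MaxPasswordAgeDays 90 |
    Where-Object StalePassword |
    Format-Table -AutoSize
```

Run it with an account that can read group membership and user attributes; disabled members still appear so they can be reviewed for removal from the group.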
Get the group membership for a user
Get-ADPrincipalGroupMembership -Identity <insert user>