# Enumeration Commands ## ActiveDirectory Enumeration Notes Get information about an AD group ``` Get-ADGroup -Identity ",DC=,DC=" -Filter *).count ``` Count all users in Domain ``` (Get-ADUser -Filter *).count ``` Count all computers in Domain ``` (Get-ADComputer -Filter *).count ``` Count all groups in Domain ``` (Get-ADGroup -Filter *).count ``` Query for installed software ``` get-ciminstance win32_product | fl ``` Get hostnames with the word "SQL" in their hostname; Change SQL for whatever hostname you're looking for ``` Get-ADComputer -Filter "DNSHostName -like 'SQL*'" ``` Get all administrative groups ``` Get-ADGroup -Filter "adminCount -eq 1" | select Name ``` Find admin users that don't require Kerberos Pre-Auth ``` Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'} ``` Get SID for computer ``` Get-ADComputer -Filter {Name -like ""} | Select Name,SID | fl ``` Enumerate UAC values for admin users ``` Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol ``` Get AD groups using WMI ``` Get-WmiObject -Class win32_group -Filter "Domain='INLANEFREIGHT'" ``` Use ADSI to search for all computers ``` ([adsisearcher]"(&(objectClass=Computer))").FindAll() ``` Find all trusted users or computers marked trusted for delegation ``` Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select Name,memberof, servicePrincipalName,TrustedForDelegation | fl Get-ADComputer -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select DistinguishedName,servicePrincipalName,TrustedForDelegation | fl ``` Find users with blank passwords ``` Get-AdUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))(adminCount=1)' -Properties * | select name,memberof | fl ``` Recursive search of groups a user is apart of ``` Get-ADGroup -Filter 'member -RecursiveMatch "CN=,OU=,DC=,DC="' | select name Get-ADGroup -LDAPFilter '(member:1.2.840.113556.1.4.1941:=CN=,OU=,DC=,DC=)' |select Name ``` UserAccountControl Attributes ![UAC Attributes](/files/-MUpiMmShBFc5pt4-5WJ) ``` Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol | select Name,useraccountcontrol ``` Password Not Required ``` Get-ADUser -Filter {PasswordNotRequired -eq $true} ``` Nested Groups ``` Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://aj-labz.gitbook.io/aj-labz/offensive-cyberz/ad-enumeration/enumeration-commands.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.