# Users, Computer, Groups

### Users Enumeration

```powershell
Get-NetUser
```

#### Get user in a Domain

```powershell
Get-NetUser *admin* -Domain grey.wargrey.mon
```

#### Get Admins in a Domain

```powershell
Get-NetUser -AdminCount
Get-NetUser -AdminCount -Domain wargrey.mon
```

#### Filter by username

```powershell
Get-DomainUser -Domain wargrey.mon | ?{$_.name -match "Grey Mon"}
```

#### Grab the `cn` (common-name) from the list of users

```powershell
Get-NetUser | select cn
```

#### Get actively logged users on a computer (needs local admin rights on the target)

```powershell
Get-NetLoggedon -ComputerName <servername>
```

#### List all properties

```powershell
Get-UserProperty
```

#### Display when the passwords were set last time

```powershell
Get-UserProperty -Properties pwdlastset
```

#### Display when the accounts were created

```powershell
Get-UserProperty -Properties whencreated
```

#### Get the list of users

```powershell
Get-ADUser -Filter *
```

#### Get the list of users with properties

```powershell
Get-ADUser -Filter * -Properties *
```

#### List `samaccountname` and description for users

```powershell
Get-ADUser -Filter * -Properties * | select Samaccountname, Description
```

#### Get the list of users from `cn` common-name

```powershell
Get-ADUser -Filter * -Properties * | select cn
```

#### Get the list of users from name

```powershell
Get-ADUser -Filter * -Properties * | select name
```

#### Display when the password was set

```powershell
Get-ADUser -Filter * -Properties * | select name, @{n='PasswordLastSet'; e={[datetime]::FromFileTime($_.pwdlastset)}}
```

#### List `samaccountname`, `lastlogon`, `pwdlastset`

```powershell
Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
```

#### Get list of usernames and their groups

```powershell
Get-NetUser | select samaccountname, memberof
```

#### Get description field from the user

```powershell
Find-UserField -SearchField Description -SearchTerm "built"
Get-NetUser | Select-Object samaccountname, description
```

#### Get SID for users

```powershell
WMIC.exe useraccount get name, sid
```

#### Basic user enabled info

```powershell
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
```

#### Find users with `sidHistory` set

```powershell
Get-NetUser -LDAPFilter '(sidHistory=*)'
```

### Find local admin access on domain machines

#### Find all machines on the current domain where the current user has local admin access

```powershell
Find-LocalAdminAccess -Verbose
```

#### This can also be done with remote administration tools like WMI and PowerShell remoting

* Useful when the ports (RPC and SMB) used by `Find-LocalAdminAccess` are blocked.

```powershell
# Dot-source each script, then call the function it defines
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
```

### Kerberoasting Enumeration

#### ASREPRoastable users

```powershell
Get-NetUser -PreauthNotRequired
```

#### Kerberoastable users

```powershell
Get-NetUser -SPN
Get-NetComputer -SPN
```

#### Kerberos policy

```powershell
(Get-DomainPolicyData).KerberosPolicy
```
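The user and Kerberos checks above are one-liners that each answer a single question. The following added example (not code from the original page or from PowerView itself) folds them into one account-hygiene report, so stale passwords, `sidHistory`, `AdminCount`, AS-REP roastable and Kerberoastable accounts are reviewed together. It assumes PowerView is already dot-sourced so `Get-NetUser` is available; the function name `Get-AccountHygieneReport` and the password-age threshold are choices made here.

```powershell
# Added example, not part of the original page. Assumes PowerView is loaded (Get-NetUser).
function Get-AccountHygieneReport {
    param(
        [string]$Domain,                 # optional, e.g. 'wargrey.mon'
        [int]$MaxPasswordAgeDays = 365   # threshold chosen for this example
    )

    $query = @{}
    if ($Domain) { $query['Domain'] = $Domain }

    # One LDAP query; every check below is evaluated locally on the result.
    $users  = Get-NetUser @query
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    foreach ($u in $users) {
        # Older PowerView returns pwdlastset as a raw FILETIME (Int64); newer
        # builds already hand back [datetime]. Handle both.
        $pwdSet = $u.pwdlastset
        if ($pwdSet -is [long] -or $pwdSet -is [int]) {
            $pwdSet = [datetime]::FromFileTime($pwdSet)
        }
        # pwdlastset = 0 (never set / must change at next logon) becomes 1601-01-01
        # and is therefore reported as stale, which is the conservative reading.

        # userAccountControl is an integer in older PowerView and a flags value
        # ("NORMAL_ACCOUNT, DONT_REQ_PREAUTH") in newer builds.
        $uac = $u.useraccountcontrol
        if ($uac -is [string]) {
            $disabled  = $uac -match 'ACCOUNTDISABLE'
            $noPreauth = $uac -match 'DONT_REQ_PREAUTH'
        } else {
            $disabled  = ($uac -band 0x2)      -ne 0   # ACCOUNTDISABLE
            $noPreauth = ($uac -band 0x400000) -ne 0   # DONT_REQ_PREAUTH
        }

        [pscustomobject]@{
            SamAccountName    = $u.samaccountname
            Enabled           = -not $disabled
            AdminCount        = [int]($u.admincount -eq 1)
            PasswordLastSet   = $pwdSet
            StalePassword     = ($null -ne $pwdSet -and $pwdSet -lt $cutoff)
            HasSidHistory     = [bool]$u.sidhistory
            NoPreauthRequired = $noPreauth                         # AS-REP roastable
            HasSPN            = [bool]$u.serviceprincipalname      # Kerberoastable
        }
    }
}

# Usage: enabled accounts that trip at least one check, protected (AdminCount) accounts first.
Get-AccountHygieneReport -MaxPasswordAgeDays 180 |
    Where-Object { $_.Enabled -and ($_.StalePassword -or $_.HasSidHistory -or $_.NoPreauthRequired -or $_.HasSPN) } |
    Sort-Object AdminCount, StalePassword -Descending |
    Format-Table -AutoSize
```

Running the report once per domain and keeping the output lets you diff successive runs: a newly appearing `NoPreauthRequired` or `HasSPN` row on a privileged account is the kind of change that should be explained by a ticket.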

### Groups Information

#### List groups and their details

```powershell
Get-NetGroup | select samaccountname, admincount, description
```

#### Get AdminSDHolders

```powershell
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=wargrey,DC=mon' | %{ $_.SecurityIdentifier } | Convert-SidToName
```

### Computer Enumeration

#### Basic computer enumeration

```powershell
Get-NetComputer
Get-ADComputer -Filter *
```

#### Get Computer name and OS

```powershell
Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Domain wargrey.mon | select samaccountname, operatingsystem
```

#### Get computers with specific OS

```powershell
Get-NetComputer -OperatingSystem "*Server 2016*"
```

#### Find computers with Unconstrained Delegation (DCs appear by default but aren't useful for privilege escalation)

```powershell
Get-NetComputer -Unconstrained | select samaccountname
```

#### Find computers with Constrained Delegation

```powershell
Get-NetComputer -TrustedToAuth | select samaccountname
```
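Because domain controllers are always trusted for delegation, the raw `-Unconstrained` list mixes expected DC entries with member servers that actually need review. This added example (not from the original page or from PowerView) separates the two using the `SERVER_TRUST_ACCOUNT` bit of `userAccountControl` and reports constrained-delegation targets alongside. It assumes PowerView is loaded; the function name `Get-DelegationReport` is a choice made here.

```powershell
# Added example, not part of the original page. Assumes PowerView is loaded (Get-NetComputer).
function Get-DelegationReport {
    param([string]$Domain)   # optional, e.g. 'wargrey.mon'

    $query = @{}
    if ($Domain) { $query['Domain'] = $Domain }

    # SERVER_TRUST_ACCOUNT (0x2000) marks a domain controller's machine account.
    # userAccountControl is an integer in older PowerView and a flags value in newer builds.
    function Test-IsDC($uac) {
        if ($uac -is [string]) { return ($uac -match 'SERVER_TRUST_ACCOUNT') }
        return (($uac -band 0x2000) -ne 0)
    }

    $unconstrained = Get-NetComputer -Unconstrained @query
    $constrained   = Get-NetComputer -TrustedToAuth @query

    foreach ($c in $unconstrained) {
        [pscustomobject]@{
            Name       = $c.samaccountname
            Delegation = 'Unconstrained'
            IsDC       = Test-IsDC $c.useraccountcontrol
            AllowedTo  = $null
        }
    }
    foreach ($c in $constrained) {
        [pscustomobject]@{
            Name       = $c.samaccountname
            Delegation = 'Constrained'
            IsDC       = Test-IsDC $c.useraccountcontrol
            # Services this host is allowed to obtain tickets for on behalf of users.
            AllowedTo  = (@($c.'msds-allowedtodelegateto') -join '; ')
        }
    }
}

# Usage: unconstrained delegation on anything that is not a DC is the first thing to triage.
Get-DelegationReport | Where-Object { -not $_.IsDC } | Sort-Object Delegation | Format-Table -AutoSize
```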

#### Find machine accounts in privileged groups

```powershell
# Machine accounts end in '$'; the filter keeps only those among the recursive members
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
Get-NetGroupMember -Identity "Domain Admins" -Recurse | select MemberName
```

#### List all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -ListGroups
```

#### Get members of all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -Recurse
```

#### Get actively logged users on a computer (needs local admin privileges)

```powershell
Get-NetLoggedon -ComputerName <computername>
```

#### Get locally logged users on a computer (needs remote registry rights on the target)

```powershell
Get-LoggedOnLocal -ComputerName <computername>
```

#### Get the last logged users on a computer (needs admin rights and remote registry on the target)

```powershell
Get-LastLoggedOn -ComputerName <computername>
```

#### Get computer operating system and other important info

```powershell
Get-ADComputer -Filter * -Property PrimaryGroupID
Get-ADComputer -Filter {PrimaryGroupID -eq "<number>"} -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, PasswordLastSet, LastLogonDate, ServicePrincipalName, TrustedForDelegation, TrustedtoAuthForDelegation
```

#### Find computers where a domain admin (or specified user/group) has sessions

```powershell
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
```

#### Find computers where a domain admin session is available and current user has admin access

* Uses `Test-AdminAccess`.

```powershell
Find-DomainUserLocation -CheckAccess
```

#### Find computers (File Servers and Distributed File servers) where a domain admin session is available

```powershell
Find-DomainUserLocation -Stealth
```

### Shares Enumeration

#### Search readable shares

```powershell
Find-DomainShare -CheckShareAccess
```

### Groups and Members Enumeration

#### Basic group enumeration

```powershell
Get-NetGroup
Get-NetLocalGroup
```

#### Get all groups containing "admin" in the group name

```powershell
Get-NetGroup *Admin*
Get-NetGroupMember 'Domain Admins' -Recurse
Get-NetGroupMember 'Administrator' -Recurse
Get-NetGroupMember 'Remote Desktop Users' -Recurse
Get-NetGroupMember 'Remote Desktop' -Recurse
```

#### Get all members of the "Domain Admins" group

```powershell
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
```

#### Query the root domain for "Enterprise Admins"

```powershell
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain wargrey.mon
```

#### Get group membership for user "grey"

```powershell
Get-NetGroup -UserName "grey"
```

#### List all group members in the "Users" group with full data

```powershell
Get-NetGroup -GroupName "Users" -Fulldata
```

#### Get all groups that contain "admin" in the group name

```powershell
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
```

#### Get all members of the "Domain Admins" group

```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive
```

#### Get group membership for "grey"

```powershell
Get-ADPrincipalGroupMembership -Identity grey
```

#### Get computers and their Operating Systems

```powershell
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name, OperatingSystem
```

#### Test connectivity for each computer in the domain

```powershell
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
```

### Enumerate Domain Groups

```powershell
#Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
#Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

#Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

#Get the group membership for a user:
Get-DomainGroup -UserName "grey"
Get-ADPrincipalGroupMembership -Identity grey

#Get Group admins
Get-NetGroup "*admins*" | Get-NetGroupMember -Recurse | ?{$_.MemberName -Like "*.*"}

#Get Clients on Host Domain
Get-NetGroup -ComputerName PDC
Get-NetGroup -ComputerName dc02
```
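The group commands above list who is in the privileged groups, and the user commands earlier list who carries `adminCount=1`. Those two sets should match, but SDProp never clears the flag when an account is removed from a protected group, so such accounts keep a non-inheriting ACL and are easy to overlook. This added example (not from the original page or from PowerView) reconciles the two sets and also pulls out machine accounts found inside protected groups. It assumes current PowerView (`Get-DomainGroup`, `Get-DomainGroupMember`, `Get-DomainUser`) is loaded; the function name `Get-PrivilegedMembershipReport` is a choice made here.

```powershell
# Added example, not part of the original page. Assumes PowerView is loaded.
function Get-PrivilegedMembershipReport {
    param([string]$Domain)   # optional, e.g. 'wargrey.mon'

    $query = @{}
    if ($Domain) { $query['Domain'] = $Domain }

    # Recursive membership of every group SDProp protects (admincount=1 on the group).
    $members = @(Get-DomainGroup -AdminCount @query |
                 Get-DomainGroupMember -Recurse @query |
                 Where-Object { $_.MemberName })        # skip unresolvable SIDs

    $memberNames = @($members | ForEach-Object { $_.MemberName.ToLower() } | Sort-Object -Unique)

    # Accounts currently stamped adminCount=1.
    $flagged = @(Get-DomainUser -AdminCount @query)

    # Computer accounts are '<name>$'; they rarely belong in a protected group.
    $machineAccounts = @($members | Where-Object { $_.MemberName -like '*$' } |
                         Select-Object -ExpandProperty MemberName -Unique)

    # Flagged but no longer a member of any protected group. Note that krbtgt is
    # flagged by design and will show up here; everything else deserves a look.
    $orphaned = @($flagged | Where-Object { $memberNames -notcontains $_.samaccountname.ToLower() } |
                  Select-Object -ExpandProperty samaccountname)

    [pscustomobject]@{
        ProtectedMemberCount    = $memberNames.Count
        MachineAccountsInGroups = $machineAccounts
        OrphanedAdminCount      = $orphaned
    }
}

# Usage: one object per domain; expand the two lists for the review.
$report = Get-PrivilegedMembershipReport
$report | Format-List
$report.OrphanedAdminCount | Where-Object { $_ -ne 'krbtgt' }
```

Members from trusting domains come back with their own `MemberDomain`, so when the report is run per domain an account that is legitimately protected in another domain can appear as orphaned here; check `MemberDomain` before clearing the flag.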

