# Users, Computer, Groups

### Users Enumeration

```powershell
# Users Enumeration
Get-NetUser
```

#### Get user in a Domain

```powershell
Get-NetUser *admin* -Domain grey.wargrey.mon
```

#### Get Admins in a Domain

```powershell
Get-NetUser -AdminCount
Get-NetUser -AdminCount -Domain wargrey.mon
```

#### Filter by username

```powershell
Get-DomainUser -Domain wargrey.mon | ?{$_.name -match "Grey Mon"}
```

#### Grab the `cn` (common-name) from the list of users

```powershell
Get-NetUser | select cn
```

#### Get actively logged users on a computer (needs local admin rights on the target)

```powershell
Get-NetLoggedon -ComputerName <servername>
```

#### List all properties

```powershell
Get-UserProperty
```

#### Display when the passwords were set last time

```powershell
Get-UserProperty -Properties pwdlastset
```

#### Display when the accounts were created

```powershell
Get-UserProperty -Properties whencreated
```

#### Get the list of users

```powershell
Get-ADUser -Filter *
```

#### Get the list of users with properties

```powershell
Get-ADUser -Filter * -Properties *
```

#### List `samaccountname` and description for users

```powershell
Get-ADUser -Filter * -Properties * | select Samaccountname, Description
```

#### Get the list of users from `cn` common-name

```powershell
Get-ADUser -Filter * -Properties * | select cn
```

#### Get the list of users from name

```powershell
Get-ADUser -Filter * -Properties * | select name
```

#### Display when the password was set

```powershell
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
```

#### List `samaccountname`, `lastlogon`, `pwdlastset`

```powershell
Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
```
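The `pwdlastset` and `lastlogon` values above come back as FILETIME ticks (`Get-ADUser`) or, with newer PowerView, as `[datetime]`. The following added example (not from the original page) handles both shapes and flags accounts whose password or logon is stale, using constructed sample data; the `Get-StaleAccountReport` function and its thresholds are assumptions for illustration.

```powershell
# Added example, not from the original page: turn raw pwdlastset / lastlogon values into
# dates and flag stale or never-changed accounts. Input shape matches
# "Get-NetUser | select samaccountname, lastlogon, pwdlastset" or Get-ADUser output.
function ConvertFrom-AdTimestamp($Value) {
    # PowerView may already return a [datetime]; Get-ADUser returns FILETIME ticks.
    # 0 means never set (for pwdlastset: must change password at next logon).
    if ($Value -is [datetime]) { return $Value.ToUniversalTime() }
    if (-not $Value -or [long]$Value -eq 0) { return $null }
    return [datetime]::FromFileTimeUtc([long]$Value)
}

function Get-StaleAccountReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$MaxPasswordAgeDays = 365,
        [int]$MaxLogonAgeDays    = 90
    )
    process {
        $now       = [datetime]::UtcNow
        $pwdSet    = ConvertFrom-AdTimestamp $User.pwdlastset
        $lastLogon = ConvertFrom-AdTimestamp $User.lastlogon
        $flags = @()
        if (-not $pwdSet) { $flags += 'PasswordNeverSet' }
        elseif (($now - $pwdSet).TotalDays -gt $MaxPasswordAgeDays) { $flags += 'PasswordStale' }
        if (-not $lastLogon) { $flags += 'NeverLoggedOn' }
        elseif (($now - $lastLogon).TotalDays -gt $MaxLogonAgeDays) { $flags += 'LogonStale' }
        [pscustomobject]@{
            SamAccountName = $User.samaccountname
            PwdLastSet     = $pwdSet
            LastLogon      = $lastLogon
            Flags          = ($flags -join ',')
        }
    }
}

# Constructed sample data standing in for cmdlet output (FILETIME ticks, as Get-ADUser returns them).
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ samaccountname = 'svc_backup'; pwdlastset = $now.AddDays(-800).ToFileTimeUtc(); lastlogon = $now.AddDays(-2).ToFileTimeUtc() }
    [pscustomobject]@{ samaccountname = 'jdoe';       pwdlastset = $now.AddDays(-30).ToFileTimeUtc();  lastlogon = 0 }
    [pscustomobject]@{ samaccountname = 'oldtemp';    pwdlastset = 0;                                 lastlogon = $now.AddDays(-400).ToFileTimeUtc() }
)
$sample | Get-StaleAccountReport | Format-Table -AutoSize
# Live use: Get-NetUser | Get-StaleAccountReport | ?{ $_.Flags }
```

Note that `lastlogon` is not replicated between domain controllers, so for a domain-wide view either query every DC or use `lastlogontimestamp`, which is replicated but can lag by up to about 14 days.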

#### Get list of usernames and their groups

```powershell
Get-NetUser | select samaccountname, memberof
```

#### Get description field from the user

```powershell
Find-UserField -SearchField Description -SearchTerm "built"
Get-NetUser | Select-Object samaccountname, description
```

#### Get SID for users

```powershell
WMIC.exe useraccount get name, sid
```

#### Basic user enabled info

```powershell
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
```

#### Find users with `sidHistory` set

```powershell
Get-NetUser -LDAPFilter '(sidHistory=*)'
```

### Find local admin access on domain machines

#### Find all machines on the current domain where the current user has local admin access

```powershell
Find-LocalAdminAccess -Verbose
```

#### Alternatively, use remote administration tools like WMI and PowerShell remoting

* Useful when the ports (RPC and SMB) used by `Find-LocalAdminAccess` are blocked.

```powershell
# Dot-source each script, then call the function of the same name that it defines
. .\Find-WMILocalAdminAccess.ps1; Find-WMILocalAdminAccess
. .\Find-PSRemotingLocalAdminAccess.ps1; Find-PSRemotingLocalAdminAccess
```

### Kerberoasting Enumeration

#### ASREPRoastable users

```powershell
Get-NetUser -PreauthNotRequired
```

#### Kerberoastable users

```powershell
Get-NetUser -SPN
Get-NetComputer -SPN
```

#### Kerberos policy

```powershell
(Get-DomainPolicyData).kerberospolicy
```

### Groups Information

#### List groups and their details

```powershell
Get-NetGroup | select samaccountname, admincount, description
```

#### Get AdminSDHolders

```powershell
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=wargrey,DC=mon' | %{ $_.SecurityIdentifier } | Convert-SidToName
```

### Computer Enumeration

#### Basic computer enumeration

```powershell
Get-NetComputer
Get-ADComputer -Filter *
```

#### Get Computer name and OS

```powershell
Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Domain wargrey.mon | select samaccountname, operatingsystem
```

#### Get computers with specific OS

```powershell
Get-NetComputer -OperatingSystem "*Server 2016*"
```

#### Find computers with Unconstrained Delegation (DCs appear by default but aren't useful for privilege escalation)

```powershell
Get-NetComputer -Unconstrained | select samaccountname
```

#### Find computers with Constrained Delegation

```powershell
Get-NetComputer -TrustedToAuth | select samaccountname
```
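The `-Unconstrained` and `-TrustedToAuth` switches are filters on `userAccountControl` bits. As an added example (not from the original page), the function below classifies computer accounts by delegation type from those bits plus the `msDS-AllowedToDelegateTo` attribute, and marks the configurations a defender would review; `Get-DelegationReport` and the sample hosts are constructed for illustration.

```powershell
# Added example, not from the original page: classify computer accounts by delegation type
# from the userAccountControl bits that PowerView's -Unconstrained / -TrustedToAuth switches test,
# plus msDS-AllowedToDelegateTo (assumed fetched via Get-ADComputer -Properties).
$UAC_SERVER_TRUST_ACCOUNT           = 0x2000     # set on domain controllers
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Computer)
    process {
        $uac     = [int]$Computer.userAccountControl
        $targets = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $isDC    = ($uac -band $UAC_SERVER_TRUST_ACCOUNT) -ne 0
        $type = if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) {
            'Unconstrained'
        } elseif ($targets.Count -gt 0) {
            if ($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) { 'ConstrainedWithProtocolTransition' } else { 'Constrained' }
        } else {
            'None'
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            IsDC       = $isDC
            Delegation = $type
            Targets    = ($targets -join ';')
            # DCs are unconstrained by default; anywhere else, or with protocol transition, it deserves review
            Review     = ($type -eq 'Unconstrained' -and -not $isDC) -or $type -eq 'ConstrainedWithProtocolTransition'
        }
    }
}

# Constructed sample data in the shape of Get-ADComputer output (0x1000 = workstation, 0x2000 = DC).
$sample = @(
    [pscustomobject]@{ Name = 'DC01';  userAccountControl = 0x82000;   'msDS-AllowedToDelegateTo' = $null }
    [pscustomobject]@{ Name = 'WEB01'; userAccountControl = 0x81000;   'msDS-AllowedToDelegateTo' = $null }
    [pscustomobject]@{ Name = 'APP01'; userAccountControl = 0x1001000; 'msDS-AllowedToDelegateTo' = @('cifs/FS01.wargrey.mon') }
    [pscustomobject]@{ Name = 'WS01';  userAccountControl = 0x1000;    'msDS-AllowedToDelegateTo' = $null }
)
$sample | Get-DelegationReport | Format-Table -AutoSize
# Live use: Get-ADComputer -Filter * -Properties userAccountControl,msDS-AllowedToDelegateTo | Get-DelegationReport | ?{ $_.Review }
```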

#### Find machine accounts in privileged groups

```powershell
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
Get-NetGroupMember -Identity "Domain Admins" -Recurse | select MemberName
```

#### List all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -ListGroups
```

#### Get members of all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -Recurse
```

#### Get actively logged users on a computer (needs local admin privileges)

```powershell
Get-NetLoggedon -ComputerName <computername>
```

#### Get locally logged users on a computer (needs remote registry rights on the target)

```powershell
Get-LoggedOnLocal -ComputerName <computername>
```

#### Get the last logged users on a computer (needs admin rights and remote registry on the target)

```powershell
Get-LastLoggedOn -ComputerName <computername>
```

#### Get computer operating system and other important info

```powershell
Get-ADComputer -Filter * -Property PrimaryGroupID
Get-ADComputer -Filter {PrimaryGroupID -eq "<number>"} -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, PasswordLastSet, LastLogonDate, ServicePrincipalName, TrustedForDelegation, TrustedtoAuthForDelegation
```

#### Find computers where a domain admin (or specified user/group) has sessions

```powershell
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
```

#### Find computers where a domain admin session is available and current user has admin access

* Uses `Test-AdminAccess`.

```powershell
Find-DomainUserLocation -CheckAccess
```

#### Find computers (File Servers and Distributed File servers) where a domain admin session is available

```powershell
Find-DomainUserLocation -Stealth
```

### Shares Enumeration

#### Search readable shares

```powershell
Find-DomainShare -CheckShareAccess
```

### Groups and Members Enumeration

#### Basic group enumeration

```powershell
Get-NetGroup
Get-NetLocalGroup
```

#### Get all groups containing "admin" in the group name

```powershell
Get-NetGroup *Admin*
Get-NetGroupMember 'Domain Admins' -Recurse
Get-NetGroupMember 'Administrator' -Recurse
Get-NetGroupMember 'Remote Desktop Users' -Recurse
Get-NetGroupMember 'Remote Desktop' -Recurse
```

#### Get all members of the "Domain Admins" group

```powershell
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
```

#### Query the root domain for "Enterprise Admins"

```powershell
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain wargrey.mon
```

#### Get group membership for user "grey"

```powershell
Get-NetGroup -UserName "grey"
```

#### List all group members in the "Users" group with full data

```powershell
Get-NetGroup -GroupName "Users" -Fulldata
```

#### Get all groups that contain "admin" in the group name

```powershell
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
```

#### Get all members of the "Domain Admins" group

```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive
```

#### Get group membership for "grey"

```powershell
Get-ADPrincipalGroupMembership -Identity grey
```

#### Get computers and their Operating Systems

```powershell
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name, OperatingSystem
```

#### Test connectivity for each computer in the domain

```powershell
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
```

### Enumerate Domain Groups

```powershell
#Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
#Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

#Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

#Get the group membership for a user:
Get-DomainGroup -UserName "grey"
Get-ADPrincipalGroupMembership -Identity grey

#Get Group admins
Get-NetGroup "*admins*" | Get-NetGroupMember -Recurse | ?{$_.MemberName -Like "*.*"}

#Get Clients on Host Domain
Get-NetGroup -ComputerName PDC
Get-NetGroup -ComputerName dc02
```
