Information Gathering – Active Directory

PS C:\Windows\system32> Get-WmiObject -Namespace root\directory\ldap -List

PS C:\Windows\system32> Get-CimClass -Namespace root\directory\ldap

Get the current domain (either command returns the name of the current domain):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select -ExpandProperty ds_dc

PS C:\Windows\system32> (Get-WmiObject -Class win32_computersystem).domain

Get the current domain policy:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select DS_lockoutduration, DS_Lockoutobservationwindow, DS_lockoutThreshold, DS_maxpwdage, DS_minpwdage, DS_minpwdlength, DS_pwdhistorylength, DS_pwdproperties

PS C:\> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain
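The raw ds_domain values are awkward to read: the age and duration attributes are negative 64-bit counts of 100-nanosecond intervals, and DS_pwdproperties is a bitmask. The following is an added example (not from the original post) that reads the same class, converts those fields into TimeSpans and flag names, and checks them against a small hardening baseline; the baseline numbers (14-character minimum, 24-entry history, lockout enabled) are assumptions chosen for the example, not a standard.

```powershell
# Added example: decode the ds_domain password and lockout policy and audit it.

# AD stores ages and durations as negative counts of 100 ns intervals, the same
# unit as .NET ticks. "Never" is stored as the most negative Int64 value.
function ConvertTo-PolicyTimeSpan {
    param([Parameter(Mandatory)]$Value)
    $ticks = [int64]$Value
    if ($ticks -eq [int64]::MinValue) { return $null }   # Abs() would overflow on "never"
    [TimeSpan]::FromTicks([math]::Abs($ticks))
}

# Bit meanings of pwdProperties (DOMAIN_PASSWORD_* flags).
$PwdPropertyFlags = @{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

function Get-DomainPasswordPolicy {
    $d = Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object -First 1
    $props = [int]$d.DS_pwdProperties
    [pscustomobject]@{
        Domain                   = $d.DS_dc
        MinPasswordLength        = [int]$d.DS_minPwdLength
        PasswordHistoryLength    = [int]$d.DS_pwdHistoryLength
        MaxPasswordAge           = ConvertTo-PolicyTimeSpan $d.DS_maxPwdAge
        MinPasswordAge           = ConvertTo-PolicyTimeSpan $d.DS_minPwdAge
        LockoutThreshold         = [int]$d.DS_lockoutThreshold
        LockoutDuration          = ConvertTo-PolicyTimeSpan $d.DS_lockoutDuration
        LockoutObservationWindow = ConvertTo-PolicyTimeSpan $d.DS_lockoutObservationWindow
        PasswordProperties       = @($PwdPropertyFlags.Keys | Sort-Object |
                                     Where-Object { ($props -band $_) -ne 0 } |
                                     ForEach-Object { $PwdPropertyFlags[$_] })
    }
}

# Baseline values below are assumptions for the example; replace with your own policy.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.MinPasswordLength -lt 14) {
        $findings += "Minimum password length is $($Policy.MinPasswordLength); baseline expects at least 14"
    }
    if ($Policy.PasswordProperties -notcontains 'DOMAIN_PASSWORD_COMPLEX') {
        $findings += 'Password complexity is not enforced'
    }
    if ($Policy.PasswordProperties -contains 'DOMAIN_PASSWORD_STORE_CLEARTEXT') {
        $findings += 'Reversible encryption (store cleartext) is enabled'
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout is disabled (threshold 0)'
    }
    if ($Policy.PasswordHistoryLength -lt 24) {
        $findings += "Password history is $($Policy.PasswordHistoryLength); baseline expects 24"
    }
    $findings
}

$policy = Get-DomainPasswordPolicy
$policy | Format-List
$issues = Test-DomainPasswordPolicy -Policy $policy
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Policy meets baseline' }
```

A null MaxPasswordAge means passwords never expire, which is worth reporting on its own; the example leaves that judgement to the reader's baseline.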

Get the domain controller:

PS C:\> Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Where-Object {$_.ds_useraccountcontrol -eq 532480} | select ds_cn

To filter out null properties (taken from HasWMIValue in the Scripting Guy repository):

PS C:\> (Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Where-Object {$_.ds_useraccountcontrol -eq 532480}).properties | ForEach-Object {if($_.value -AND $_.name -notmatch " "){@{ $($_.name) = $($_.value)}}}

PS C:\> Get-WmiObject -Namespace root\directory\ldap -class ds_computer
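The value 532480 used above is 0x82000, i.e. SERVER_TRUST_ACCOUNT (0x2000) plus TRUSTED_FOR_DELEGATION (0x80000), the default userAccountControl of a domain controller. Comparing for equality only matches that exact combination, so a DC with any additional bit set (for example PARTIAL_SECRETS_ACCOUNT on a read-only DC) would be missed. The following added example (not the post's code) decodes ds_useraccountcontrol into flag names and selects domain controllers by testing the SERVER_TRUST_ACCOUNT bit instead; the DS_dNSHostName property is assumed to be exposed by the LDAP provider under that name.

```powershell
# Added example: decode userAccountControl and find DCs by bit test rather than equality.

$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Return the names of every flag set in a userAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# 532480 decodes to SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION.
ConvertFrom-UserAccountControl 532480

# Select DCs by the SERVER_TRUST_ACCOUNT bit so extra flags do not hide a DC.
function Get-DomainControllerAccount {
    Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
        Where-Object { ([int64]$_.DS_userAccountControl -band $UacFlags.SERVER_TRUST_ACCOUNT) -ne 0 } |
        ForEach-Object {
            $uac = [int64]$_.DS_userAccountControl
            [pscustomobject]@{
                Name        = $_.DS_cn
                DnsHostName = $_.DS_dNSHostName   # assumed property name
                ReadOnly    = ($uac -band $UacFlags.PARTIAL_SECRETS_ACCOUNT) -ne 0
                Flags       = (ConvertFrom-UserAccountControl $uac) -join ','
            }
        }
}

Get-DomainControllerAccount | Format-Table -AutoSize
```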

Get all domain users:

PS C:\> Get-WmiObject -Class win32_useraccount

Get names of all domain users (or any other property):

PS C:\> Get-WmiObject -class win32_useraccount | select name

Get all domain users of another domain with a trust relationship:

PS C:\> Get-WmiObject -class win32_useraccount -filter "Domain = 'SECURITY'"

Get all domain groups:

PS C:\> Get-WmiObject -class win32_group

PS C:\> Get-WmiObject -class win32_groupindomain | foreach-object {[wmi]$_.partcomponent}

Get all domain groups of another domain with a trust relationship:

PS C:\> Get-WmiObject -class win32_groupindomain | Where-Object {$_.groupcomponent -match "SECURITY"} | ForEach-Object {[wmi]$_.partcomponent}

PS C:\> Get-WmiObject -class win32_group | fl *

PS C:\> Get-WmiObject -class win32_groupindomain | fl *

Both produce a lot of output.

Get group membership of the Domain Admins group for the current and all trusted domains:

PS C:\> Get-WmiObject -class win32_groupuser | where-object {$_.groupcomponent -match "domain admins"} | foreach-object {[wmi]$_.partcomponent}

Get group membership of the Domain Admins group of the "SECURITY" domain:

PS C:\> Get-WmiObject -class win32_groupuser | where-object {$_.groupcomponent -match "SECURITY" -and $_.groupcomponent -match "Domain Admins"} | ForEach-Object {[wmi]$_.partcomponent}

Get group membership of a particular user (the command below matches a user whose name contains "administrator"; substitute any other substring, such as "lab"):

PS C:\> Get-WmiObject win32_groupuser | Where-Object {$_.partcomponent -match "administrator"} | ForEach-Object {[wmi]$_.groupcomponent}
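The GroupComponent and PartComponent values of win32_groupuser are WMI object paths of the form \\HOST\root\cimv2:Win32_UserAccount.Domain="SECURITY",Name="bob" (or Win32_Group for a nested group). Casting each one to [wmi], as the commands above do, resolves it with a separate WMI call per member. The following added example (not from the original post) parses the path with a regular expression instead, which needs no extra calls and keeps the member type, and then compares the Domain Admins membership with an approved list so that unexpected members are reported; the approved list is a constructed placeholder.

```powershell
# Added example: parse win32_groupuser association paths and report unapproved Domain Admins.

function ConvertFrom-WmiAccountPath {
    param([Parameter(Mandatory)][string]$Path)
    # Example path: \\DC01\root\cimv2:Win32_UserAccount.Domain="SECURITY",Name="bob"
    if ($Path -match '(?<Class>Win32_\w+)\.Domain="(?<Domain>[^"]+)",Name="(?<Name>[^"]+)"') {
        [pscustomobject]@{
            Domain = $Matches.Domain
            Name   = $Matches.Name
            Type   = if ($Matches.Class -eq 'Win32_Group') { 'Group' } else { 'User' }
        }
    }
}

# Direct members of a group; Win32_GroupUser does not expand nested groups.
function Get-WmiGroupMember {
    param([Parameter(Mandatory)][string]$Group, [string]$Domain)
    Get-WmiObject -Class Win32_GroupUser | ForEach-Object {
        $g = ConvertFrom-WmiAccountPath $_.GroupComponent
        $m = ConvertFrom-WmiAccountPath $_.PartComponent
        if ($g -and $m -and $g.Name -eq $Group -and (-not $Domain -or $g.Domain -eq $Domain)) {
            [pscustomobject]@{
                GroupDomain = $g.Domain
                Domain      = $m.Domain
                Name        = $m.Name
                Type        = $m.Type
            }
        }
    }
}

# Constructed approved list for the example; keep the real one under change control.
$ApprovedDomainAdmins = @('Administrator', 'svc-backup-admin')

$members = Get-WmiGroupMember -Group 'Domain Admins'
$members | Format-Table GroupDomain, Domain, Name, Type -AutoSize

$unexpected = $members | Where-Object { $ApprovedDomainAdmins -notcontains $_.Name }
foreach ($m in $unexpected) {
    Write-Warning "Unapproved member of $($m.GroupDomain)\Domain Admins: $($m.Domain)\$($m.Name) ($($m.Type))"
}
```

Members of Type 'Group' are nested groups; to check their members as well, call Get-WmiGroupMember again with that group's name and domain.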

Get all domain computers:

PS C:\> Get-WmiObject -Namespace root\directory\ldap -class ds_computer

This produces a lot more output.

Get the names of all domain computers:

PS C:\> Get-WmiObject -namespace root\directory\ldap -class ds_computer | select -ExpandProperty ds_cn

Get all non-empty properties of a computer:

PS C:\> (Get-WmiObject -Namespace root\directory\ldap -class ds_computer | where-object {$_.ds_cn -eq "WIN-2RUMVG5JPOC"}).properties | foreach-object {if($_.value -AND $_.name -notmatch " "){@{$($_.name)=$($_.value)}}}

Get a list of domain computers:

PS C:\> $computer = get-wmiobject -namespace root\directory\ldap -class ds_computer | select -ExpandProperty ds_cn

PS C:\> $computer

Run a simple WMI query against all the computers. Any computer whose name is returned here accepted the remote WMI connection from the current account, which means local admin access on it:

PS C:\> foreach ($c in $computer) { (Get-WmiObject win32_computersystem -ComputerName $c).Name }

@Saksham Dixit