Skip to content

The ActiveDirectory PowerShell module

The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

Installation

Download from The ActiveDirectory PowerShell module github repository 

1
Import-Module activedirectory

This module is Microsoft signed and works even in PowerShell Constrained Language Mode (CLM). 

1
2
3
Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll 

Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1 

Also, you can copy the DLL from the github repo to your machine and use it to enumerate Active Directory without installing RSAT and without having administrative privileges.

1
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose

Basic commands

1
2
3
4
5
6
7
8
# Get ACL for a folder (or a file)
Get-ACL C:\Users\Public\Desktop

# Search for AD elements. [See more in ldap queries](ldap.md)
Get-ADObject -LDAPFilter <thespecificfilter>

# Count occurrences in a query, like the one above.
(Get-ADObject -LDAPFilter <thespecificfilter>).count

Get-ADDomain

We'll enumerate some basic information about the domain with the Get-ADDomain cmdlet.

1
2
# This will print out helpful information like the domain SID, domain functional level, any child domains, and more.
Get-ADDomain

Get-ADUser

More on https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# This command gets all users in the container OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM.
Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"

# This command gets all users that have a name that ends with SvcAccount:
Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A

# This command gets all of the properties of the user with the SAM account name ChewDavid:
Get-ADUser -Identity ChewDavid -Properties *

# This command gets the user with the name ChewDavid in the Active Directory Lightweight Directory Services (AD LDS) instance:
Get-ADUser -Filter "Name -eq 'ChewDavid'" -SearchBase "DC=AppNC" -Properties "mail" -Server lds.Fabrikam.com:50000

# This command gets all enabled user accounts in Active Directory using an LDAP filter: meaning to return all disabled accounts
Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)'

# search for all administrative users with the `DoesNotRequirePreAuth` attribute set, meaning that they can be ASREPRoasted:
Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'}

# Find all administrative users with the SPN "servicePrincipalName" attribute set, meaning that they can likely be subject to a Kerberoasting attack
Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName,MemberOf,ServicePrincipalName | fl

# Another way to retrieve Service Principals
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Get-ADComputer

1
2
# Search domain computers for interesting hostnames. SQL servers are a particularly juicy target on internal assessments. The below command searches all hosts in the domain using `Get-ADComputer`, filtering on the `DNSHostName` property that contains the word `SQL`
Get-ADComputer  -Filter "DNSHostName -like 'SQL*'"

Get-ADGroup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Group enumeration
Get-ADGroup -Filter * | select name

# Get detailed information about a group
Get-ADGroup -Identity "Backup Operators"

# Search for administrative groups by filtering on the `adminCount` attribute. If set to `1`, it's protected by AdminSDHolder and known as protected groups. `AdminSDHolder` is owned by the Domain Admins group. It has the privileges to change the permissions of objects in Active Directory. 
Get-ADGroup -Filter "adminCount -eq 1" | select Name

# Viewing the Protected Users Group with Get-ADGroup
Get-ADGroup -Identity "Protected Users" -Properties Name,Description,Members

Get-ADGroupMember

1
2
# Returns members of a group
Get-ADGroupMember -Identity "Backup Operators"

Get-ADTrust

Verify domain trust relationships using the Get-ADTrust cmdlet. This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with. This will be useful on when looking to take advantage of child-to-parent trust relationships and attacking across forest trusts. 

1
Get-ADTrust -Filter *
Last update: 2025-01-02
Created: May 9, 2023 17:16:52