Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity

Introduction

PowerShell, released by Microsoft in 2006, is a powerful upgrade to Command Prompt. It includes access to cmdlets (pronounced command-lets), which are .NET classes designed to perform specific functions.
This cheat sheet focuses on using PowerShell for Active Directory (AD) enumeration, leveraging cmdlets included with the AD-RSAT (Active Directory Remote Server Administration Tools) package.

Enumerating AD Users

1. Retrieve AD user details with all properties
   

   Get-ADUser -Identity gordon.stevens -Server za.example.com -Properties *
   

2. Use filters to narrow down user search
   

   Get-ADUser -Filter 'Name -like "*Roland"' -Server za.example.com | Format-Table Name,SamAccountName -A
   

3. List all users in the domain
   

   Get-ADUser -Filter * -Server za.example.com | Format-Table Name,SamAccountName -AutoSize
   

Enumerating AD Groups

1. Retrieve AD group details
   

   Get-ADGroup -Identity Administrators -Server za.example.com
   

2. Enumerate group membership
   

   Get-ADGroupMember -Identity Administrators -Server za.example.com
   

3. List all groups in the domain
   

   Get-ADGroup -Filter * -Server za.example.com | Format-Table Name,GroupScope -AutoSize
   

Enumerating AD Computers

1. Retrieve AD computer details with all properties
   

   Get-ADComputer -Identity "DC01" -Server za.example.com -Properties *
   

2. Use filters to narrow down computers by OS
   

   Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Server za.example.com | Format-Table Name,OperatingSystem -A
   

3. List all computers in the domain
   

   Get-ADComputer -Filter * -Server za.example.com | Format-Table Name,OperatingSystem -AutoSize
   

Enumerating AD Objects

1. Search for objects changed after a specific date
   

   $ChangeDate = New-Object DateTime(2024, 05, 25, 12, 00, 00)
   Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server za.example.com
   

2. List all AD objects
   

   Get-ADObject -Filter * -Server za.example.com | Format-Table Name,ObjectClass -AutoSize
   

Enumerating Domains

1. Retrieve detailed domain information
   

   Get-ADDomain -Server za.example.com
   

2. Enumerate organizational units (OUs)
   

   Get-ADOrganizationalUnit -Filter * -Server za.example.com | Format-Table Name,DistinguishedName -A