Active Directory Module

From the official Microsoft docs:

The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
If you don't have the Active Directory module installed on your machine, you need to download the correct Remote Server Administration Tools (RSAT) package for your OS. Refer to the link below for more information.

ActiveDirectory ModuleMicrosoftLearn

The commands utilized are referred to as cmdlets .

Additional resource

Active Directory Module | Windowsjarrettgxz-sec.gitbook.io

AD enumeration

Important option used in the subsequent commands

Note that some of the commands (eg. Get-ADDomain , etc.) may not support all the options listed below. Refer to the respective documentation in the official link above for more information, and this list is provided just for a quick reference

a. -Identity

Specifies an Active Directory user object.

b. -Server

Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server.

c. -Properties

Specifies the properties of the output object to retrieve from the server.

1. Users

PS> GET-ADUser -Identity <username> -Server <server> -Properties <properties>

-Properties *: to display all the attributes set on the object

2. Groups

PS> GET-ADGroup -Identity <groupname> -Server <server> -Properties *

-Properties *: to display all the attributes set on the object

Enumerate group membership

PS> GET-ADGroupMember -Identity <groupname> -Server <server>

3. AD Objects

For a more generic search on any AD objects, we can utilize the Get-ADObject cmdlet.

Examples using Get-ADObject

Useful reference:

ObjectClass | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

Filter by ObjectClass , Name , etc.

ObjectClass

PS> Get-ADObject -Filter 'ObjectClass -eq "container"'
DistinguishedName                                   Name           
-----------------                                   ----
CN=Users,DC=test,DC=com                             Users
CN=Computers,DC=test,DC=com                         Computers       
CN=System,DC=test,DC=com                            System
CN=WinsockServices,CN=System,DC=za,DC=test,DC=com   WinsockServices
CN=Program Data,DC=za,DC=tryhackme,DC=com           Program Data 
...
redacted 
...

PS> Get-ADObject -Filter 'ObjectClass -eq "user"'
PS> Get-ADObject -Filter 'ObjectClass -eq "organizationalUnit"'
# and many more!

Name

PS> Get-ADObject -Filter 'Name -eq "Computers"'
DistinguishedName                            Name       ObjectClass         ObjectGUID
-----------------                            ----       -----------         ----------
CN=Computers,DC=test,DC=com                  Computers  container           xxxx
OU=Computers,DC=test,DC=com                  Computers  organizationalUnit  xxxx
...

PS> Get-ADObject -Filter 'Name -eq "Users"'                                                       

DistinguishedName                             Name      ObjectClass            ObjectGUID
-----------------                             ----      -----------            ----------
CN=Users,DC=test,DC=com                       Users     container              xxxx
CN=Users,CN=Builtin,DC=test,DC=com            Users     group                  xxxx
OU=Users,OU=Accounts,DC=test,DC=com           Users     organizationalUnit     xxxx
...

PS> Get-ADObject -Filter 'Name -eq "WinSockServices"'         
                                                                                                              
DistinguishedName                              Name             ObjectClass   ObjectGUID
-----------------                              ----             -----------   ----------
CN=WinsockServices,CN=System,DC=test,DC=com    WinsockServices  container     xxxx
...

We can even add the -Properties * option to view the full list of properties each object has.

Note that the example outputs shown above simply illustrates a hypothetical example that have been slightly modified based on my experiment on a test AD network.

4. Domains

We can use the Get-ADDomain cmdlet to retrieve more information about a specific domain:

PS> GET-ADDomain -Server <server>

5. Organizational Units (OUs)

Gets one or more Active Directory organizational units.

Eg. Retrieve all OUs:

PS> Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

Examples

Find the value of a property for a user/group

Suppose we want to find the creation date for the group Test Group (Created attribute):

# eg. We can first list out all the properties
PS> GET-ADGroup -Identity "Test Group" -Server xxxx -Properties *

CanonicalName    : ...
CN               : Test Group
Created          : dd/mm/yyy xx.xx.xx.xx
...

To display only the specified property, along with other default properties (automatically included by the command):

PS> Get-ADGroup -Identity "Test-Group" -Server xxxx -Properties Created

To retrieve the Created attribute only:

PS> GET-ADGroup -Identity "Test Group" -Server xxxx -Properties Created | Select-Object -ExpandProperty Created

Additional options

Select-Object (alias: select)

Eg. with Get-ADUser command:

PS> Get-ADUser -Filter * -Properties * | Select-Object Property1,Property2,...

# eg.
PS> Get-ADUser -Filter * -Properties * | Select-Object Name,SamAccountName,Description
description                                              name          samaccountname
-----------                                              ----          --------------
Built-in account for administering the computer/domain   Administrator Administrator
Built-in account for guest access to the computer/domain Guest         Guest
Key Distribution Center Service Account                  krbtgt        krbtgt
                                                         
                                                         test          test-user
                                                         sshd          sshd
...

PreviousPowershell NextPowerview

Last updated 3 months ago