# Name of the domain this machine is joined to, read from WMI.
# Get-WmiObject does not exist in PowerShell 6+; Get-CimInstance is its counterpart there.
(Get-WmiObject -Class Win32_ComputerSystem).Domain

# The Get-AD* cmdlets below ship with the ActiveDirectory module (RSAT).
# Domain summary: DNSRoot, NetBIOSName, DomainSID
Get-ADDomain | Select-Object -Property DNSRoot, NetBIOSName, DomainSID

# Logon name of every user account
Get-ADUser -Filter * | Select-Object -Property SamAccountName

# Raw LDAP filter on the generic object cmdlet. The computer class derives from
# user, so objectClass=User matches machine accounts as well as people.
Get-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName |
    Select-Object -Property SamAccountName

# Accounts whose SamAccountName ends in '$', the suffix carried by machine accounts
Get-ADUser -LDAPFilter "(SamAccountName=*$)" | Select-Object -Property SamAccountName

# Logon name of every group
Get-ADGroup -Filter * | Select-Object -Property SamAccountName

# Domain Admins, with its member list and the groups it is itself nested in
Get-ADGroup -Identity "Domain Admins" -Properties members, memberof

# Domain controllers of a domain; substitute the domain's DNS name for <domain.name>
nltest /dclist:<domain.name>
# Get-Net* and Invoke-ShareFinder are PowerView (PowerSploit) functions, not
# built-in cmdlets; the module has to be loaded in the session first.

# Common name (cn) of every user in the current domain
Get-NetUser | Select-Object -ExpandProperty cn

# Get all computers in the current domain   -- no command given in this listing
# Get all domains in current forest         -- no command given in this listing
# Get domain/forest trusts                  -- no command given in this listing

# Directory entry for the Domain Admins (DA) group
Get-NetGroup -GroupName "Domain Admins"

# Names of the accounts that are members of the DA group
Get-NetGroupMember -GroupName "Domain Admins" |
    Select-Object -ExpandProperty membername

# Shares across the domain, with the default, print and IPC shares left out.
# Defender note: this asks each domain computer for its share list, so on the
# network it appears as one source opening SMB sessions to many hosts.
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
# Get-NetOU, Get-NetComputer and Get-NetGPO are PowerView (PowerSploit) functions.

# Get OUs for current domain -- the listing gives no bare OU query; the command
# below resolves one OU (StudentMachines) and lists the computers under it.
# ForEach-Object (alias %) runs its script block once per pipeline item, with
# the current item available as $_.
Get-NetOU -OUName StudentMachines |
    ForEach-Object { Get-NetComputer -ADSPath $_ }

# GPOs applied to a specific OU: gplink carries the GUIDs of the linked GPOs.
# NOTE(review): some PowerView versions return only ADSPath strings from
# Get-NetOU unless -FullData is passed, which would leave gplink empty -- confirm.
Get-NetOU *student* | Select-Object -Property gplink

# Look up one GPO by the GUID taken from gplink (the GUID here is the page's example value)
Get-NetGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"

# Get Restricted Groups set via GPOs, look for interesting group memberships
# forced via domain   -- no command given in this listing
# Get-ObjectACL and Find-InterestingDomainAcl are PowerView (PowerSploit) functions.
# The same output serves an ACL audit: principals that unexpectedly hold
# write-type rights on privileged objects are the entries to remediate.

# Incoming ACL of one object: who holds which rights on "Domain Admins"
Get-ObjectACL -SamAccountName "Domain Admins" -ResolveGUIDs |
    Select-Object -Property IdentityReference, ActiveDirectoryRights

# Interesting ACLs across the whole domain, shown as a table (left-to-right).
# -NotContains is a collection-membership test, not a substring match: applied
# to a single string it drops only rows whose IdentityReferenceName equals "DnsAdmins".
Find-InterestingDomainAcl |
    Select-Object -Property identityreferencename, activedirectoryrights, acetype, objectdn |
    Where-Object { $_.IdentityReferenceName -NotContains "DnsAdmins" } |
    Format-Table

# Interesting outgoing ACLs for one user or group.
# Where-Object (alias ?) keeps only the items for which its script block is true.
# NOTE(review): the command above reads IdentityReferenceName while this one
# matches on IdentityReference -- confirm which property your PowerView version emits.
Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object { $_.IdentityReference -match "Domain Admins" } |
    Select-Object -Property ObjectDN, ActiveDirectoryRights
# Effective AppLocker policy on the local machine, expanded into its rule collections
Get-AppLockerPolicy -Effective |
    Select-Object -ExpandProperty RuleCollections

# Get computers running LAPS, along with their passwords if the current account
# is allowed to read those          -- no command given in this listing
# Get groups allowed to read LAPS passwords   -- no command given in this listing
# Hardening note: read access to the LAPS password attribute is granted through
# delegation in the directory, so that delegation should stay limited to the
# admin groups that actually need it.