Domains
Get Current Domain
# AD Module
Get-ADDomain
# PowerView
Get-NetDomain
Get Object of Another Domain
# AD Module
Get-ADDomain -Identity lab.local
# PowerView
Get-NetDomain -Domain lab.local
Get Domain SID for Current Domain
# AD Module
(Get-ADDomain).DomainSID
# PowerView
Get-DomainSID
Get Domain Policy for Current Domain
# PowerView
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
Get Password Policy for Another Domain
# PowerView
(Get-DomainPolicy -Domain lab.local)."System Access"
Get Kerberos Policy for e.g. Mimikatz Golden Tickets
# PowerView
(Get-DomainPolicy -Domain lab.local)."Kerberos Policy"
Get Domain Controllers for Current Domain
# AD Module
Get-ADDomainController
# PowerView
Get-NetDomainController
Get Domain Controllers for Another Domain
# AD Module
Get-ADDomainController -DomainName lab.local -Discover
# PowerView
Get-NetDomainController -Domain lab.local
Enumerate All Gobal Catalogs in the Forest
# PowerView
Get-ForestGlobalCatalog
Turn a List of Computer Short Names to FQDNs, Using a Global Catalog
# PowerView
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}
Enumerate the Current Domain Controller Policy
# PowerView
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...
Enumerate the Current Domain Policy
# PowerView
$DomainPolicy = Get-DomainPolicy -Domain bufu-sec.local
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.
Last updated