# Domains ## Get Current Domain ```powershell # AD Module Get-ADDomain # PowerView Get-NetDomain ``` ## Get Object of Another Domain ```powershell # AD Module Get-ADDomain -Identity lab.local # PowerView Get-NetDomain -Domain lab.local ``` ## Get Domain SID for Current Domain ```powershell # AD Module (Get-ADDomain).DomainSID # PowerView Get-DomainSID ``` ## Get Domain Policy for Current Domain ```powershell # PowerView Get-DomainPolicy (Get-DomainPolicy)."System Access" ``` ## Get Password Policy for Another Domain ```powershell # PowerView (Get-DomainPolicy -Domain lab.local)."System Access" ``` ## Get Kerberos Policy for e.g. Mimikatz Golden Tickets ```powershell # PowerView (Get-DomainPolicy -Domain lab.local)."Kerberos Policy" ``` ## Get Domain Controllers for Current Domain ```powershell # AD Module Get-ADDomainController # PowerView Get-NetDomainController ``` ## Get Domain Controllers for Another Domain ```powershell # AD Module Get-ADDomainController -DomainName lab.local -Discover # PowerView Get-NetDomainController -Domain lab.local ``` ## Enumerate All Gobal Catalogs in the Forest ```powershell # PowerView Get-ForestGlobalCatalog ``` ## Turn a List of Computer Short Names to FQDNs, Using a Global Catalog ```powershell # PowerView gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname} ``` ## Enumerate the Current Domain Controller Policy ```powershell # PowerView $DCPolicy = Get-DomainPolicy -Policy DC $DCPolicy.PrivilegeRights # user privilege rights on the dc... ``` ## Enumerate the Current Domain Policy ```powershell # PowerView $DomainPolicy = Get-DomainPolicy -Domain bufu-sec.local $DomainPolicy.KerberosPolicy # useful for golden tickets ;) $DomainPolicy.SystemAccess # password age/etc. ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://wiki.bufu-sec.com/active-directory/enumeration/domains.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.