AD Enumeration

Users and Groups

Look for users who belong to an admin group (e.g. Domain Admins). The traditional approach is to run net user /domain to list every account in the domain, then query the interesting ones with net user <user_name> /domain and read the "Global Group memberships" line for an admin group. net group "Domain Admins" /domain lists the group's direct members; note that net does not expand nested groups, so a user who is an admin only through group nesting will not appear there.

net user # local accounts
net user /domain # all accounts in the entire domain
net user <user_name> /domain # details about the domain user

net group /domain # enumerates all groups in the domain

Script to enumerate AD


Logged on users on target workstation

# NetWkstaUserEnum - requires local admin rights on the target
# PowerView.ps1 - Get-NetLoggedon function wraps this API
Import-Module .\PowerView.ps1
Get-NetLoggedon -ComputerName <computer_name> # e.g. client251

Active user sessions on servers (file servers or domain controllers)

# NetSessionEnum - does not require admin rights on older systems;
# since Windows 10 1709 / Server 2019 the default ACL restricts it to administrators
# PowerView.ps1 - Get-NetSession function wraps this API
Import-Module .\PowerView.ps1
Get-NetSession -ComputerName <computer_name> # e.g. dc01 - domain controller

Names and explanations

PdcRoleOwner # property of the Domain object returned by [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); names the DC holding the PDC emulator role, which is the LDAP server the enumeration script binds to

Domain's account policy (lockout threshold, password length and age)

net accounts /domain # domain policy; plain net accounts shows only the local machine's policy


Script to enumerate AD


# useful filters:
# serviceprincipalname=*http*

This filter lets you enumerate services registered in AD (e.g. SQL or HTTP services) by their Service Principal Name (SPN). Once you run adwalk with the suggested filter, take the host part of each SPN value (the format is service/host[:port]) and check that the host is live with nslookup.
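As an added example (not the page's adwalk script, which is not reproduced here), the following PowerShell covers both the "users in an admin group" search from the Users and Groups section and the SPN filter above. It binds to the PDC emulator via PdcRoleOwner, resolves group membership recursively through nested groups, and resolves each SPN host with Resolve-DnsName in place of nslookup. It assumes a domain-joined host running as an ordinary domain user; the group name and filter pattern are parameters chosen for illustration.

```powershell
# Added example: ADSI-based enumeration of admin-group members and SPN hosts.
# Assumes a domain-joined machine and a domain user context (no admin rights needed).

function Get-AdSearcher {
    param([string]$Filter, [string[]]$Properties)
    # PdcRoleOwner is the DC holding the PDC emulator role; bind LDAP to it explicitly
    $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc = $domainObj.PdcRoleOwner.Name
    $domainDn = ([adsi]'').distinguishedName        # e.g. DC=corp,DC=local
    $searchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$domainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000                       # paged results, avoids the 1000-object cap
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

# (1) Members of a group, including members of nested groups.
#     The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
#     makes the DC walk the whole memberOf chain, which net group does not do.
function Get-GroupMembers {
    param([string]$GroupName = 'Domain Admins')   # group name is an assumption
    $groupFilter = "(&(objectCategory=group)(cn=$GroupName))"
    $group = (Get-AdSearcher -Filter $groupFilter -Properties 'distinguishedName').FindOne()
    if (-not $group) { Write-Warning "Group '$GroupName' not found"; return }
    $groupDn = $group.Properties['distinguishedname'][0]
    $memberFilter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $searcher = Get-AdSearcher -Filter $memberFilter -Properties 'samAccountName'
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = $r.Properties['samaccountname'][0]
            Group          = $GroupName
        }
    }
}

# (2) Accounts whose SPN matches a pattern, with the SPN host resolved in DNS.
#     SPN format is service/host[:port][/name]; the host sits between the first '/'
#     and an optional ':' so it is cut out before the lookup.
function Get-SpnHosts {
    param([string]$Pattern = '*http*')              # same filter the notes suggest
    $searcher = Get-AdSearcher -Filter "(servicePrincipalName=$Pattern)" `
                               -Properties 'samAccountName','servicePrincipalName'
    foreach ($r in $searcher.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $hostPart = ($spn -split '/')[1] -replace ':.*$', ''
            $records = Resolve-DnsName -Name $hostPart -Type A -ErrorAction SilentlyContinue
            $ip = 'unresolved'
            if ($records) { $ip = ($records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress }
            [pscustomobject]@{
                Account = $r.Properties['samaccountname'][0]
                SPN     = $spn
                Host    = $hostPart
                IP      = $ip
            }
        }
    }
}

Get-GroupMembers -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-SpnHosts -Pattern '*http*' | Format-Table -AutoSize
```

Hosts that come back as "unresolved" are either stale SPNs or registered against names outside the domain's DNS, so they are worth noting but not worth scanning first; a resolved SPN host with a matching account is the usual starting point for a Kerberoasting or service-specific follow-up.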