# PowerView

<https://powersploit.readthedocs.io/en/latest/Recon/>

## Enumerating AD Users

### Gather Domain Information

```powershell
Get-Domain
```

### Gather Domain SID

```powershell
Get-DomainSID
```

### Gather List of DCs

```powershell
Get-DomainController
```

### Gather Domain Users

```powershell
Get-DomainUser
```

### Gather User Count

```powershell
(Get-DomainUser).count
```

### Gather the Most Useful Attributes of a User

```powershell
Get-DomainUser -Identity harry.jones -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol
```

### Gather Users That Do Not Require Kerberos Pre-Authentication

```powershell
Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof
```

### Gather Users With Kerberos Constrained Delegation

```powershell
Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof
```


### Gather Kerberos Unconstrained Delegation

`-TrustedToAuth` only returns constrained delegation; unconstrained delegation is the `TRUSTED_FOR_DELEGATION` (524288) flag in `userAccountControl`, exposed as `-Unconstrained` on `Get-DomainComputer` and queried with an LDAP bitwise filter for user accounts:

```powershell
Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol
Get-DomainUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties samaccountname,useraccountcontrol
```

### Gather Domain (User) Descriptions

```powershell
Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
```

### Gather Account(s) With SPN

```powershell
Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname
```

### Gather Password Set Times

```powershell
Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset
```

## Enumerating AD Groups

### Gather Groups

```powershell
Get-DomainGroup -Properties Name
```

### Gather the Members of One Group

```powershell
Get-DomainGroupMember -Identity '<Group name>'
```

### Gather Managed Security Groups (older cmdlet name)

```powershell
Find-ManagedSecurityGroups | select GroupName
```

### Gather Managed Security Groups (current cmdlet name)

```powershell
Get-DomainManagedSecurityGroup
```

### Find a User's Local Group Memberships Across Domain Computers

```powershell
# Resolve the target account to its SID, then check every domain computer's local groups for it
$sid = Convert-NameToSid <username>
$computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname
foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ? {$_.SID -eq $sid}}
```

## Enumerating AD Computers

### Gather Most Useful Information

```powershell
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
```

## Enumerating Domain ACLs

Rights that can be abused, and the PowerView cmdlet used to abuse each:

- ForceChangePassword: `Set-DomainUserPassword`
- Add Members: `Add-DomainGroupMember`
- GenericAll: `Set-DomainUserPassword` or `Add-DomainGroupMember`
- GenericWrite: `Set-DomainObject`
- WriteOwner: `Set-DomainObjectOwner`
- WriteDACL: `Add-DomainObjectACL`
- AllExtendedRights: `Set-DomainUserPassword` or `Add-DomainGroupMember`
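The list above is also the checklist a defender audits against. The following helper is an added example, not part of these notes or of PowerView: it takes ACE objects in the shape `Get-DomainObjectAcl -ResolveGUIDs` returns (`ActiveDirectoryRights`, `ObjectAceType`, `SecurityIdentifier`, `ObjectDN`) and reports every ACE that grants one of the rights listed above to a principal outside an allowlist. The function name `Find-RiskyAce`, the allowlist, and the sample ACEs (placeholder SIDs and DNs) are assumptions constructed for the example; the resolved right names (`User-Force-Change-Password`, `Member`, `DS-Replication-Get-Changes*`) are the names PowerView's GUID resolution produces.

```powershell
# Added audit helper (assumed name), not part of the original notes or of PowerView.
# Flags ACEs that grant the rights listed above to principals not on an allowlist.
function Find-RiskyAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        # Principals expected to hold these rights; BUILTIN\Administrators and SYSTEM by default
        [string[]] $AllowedSids = @('S-1-5-32-544', 'S-1-5-18')
    )
    process {
        $rights  = [string]$Ace.ActiveDirectoryRights
        $aceType = [string]$Ace.ObjectAceType
        $reason  = $null

        if     ($rights -match 'GenericAll')   { $reason = 'GenericAll: full control (password reset, group membership)' }
        elseif ($rights -match 'WriteDacl')    { $reason = 'WriteDACL: can grant itself further rights' }
        elseif ($rights -match 'WriteOwner')   { $reason = 'WriteOwner: can take ownership, then rewrite the DACL' }
        elseif ($rights -match 'GenericWrite') { $reason = 'GenericWrite: can write any attribute' }
        elseif ($rights -match 'ExtendedRight' -and ($aceType -eq 'All' -or $aceType -eq 'User-Force-Change-Password')) {
            $reason = "ExtendedRight $aceType: password reset (ForceChangePassword / AllExtendedRights)"
        }
        elseif ($rights -match 'ExtendedRight' -and $aceType -like 'DS-Replication-Get-Changes*') {
            $reason = "ExtendedRight $aceType: directory replication (DCSync)"
        }
        elseif ($rights -match 'WriteProperty' -and ($aceType -eq 'All' -or $aceType -eq 'Member')) {
            $reason = 'WriteProperty on member: can add group members'
        }

        # Only report rights held by principals outside the allowlist
        if ($reason -and ([string]$Ace.SecurityIdentifier) -notin $AllowedSids) {
            [pscustomobject]@{
                ObjectDN  = $Ace.ObjectDN
                Principal = [string]$Ace.SecurityIdentifier
                Rights    = $rights
                AceType   = $aceType
                Reason    = $reason
            }
        }
    }
}

# Constructed sample ACEs with placeholder SIDs and DNs (not real data).
# Against a live domain, pipe in: Get-DomainObjectAcl -Identity <object> -ResolveGUIDs | Find-RiskyAce
$sampleAces = @(
    [pscustomobject]@{ ObjectDN = 'CN=harry.jones,OU=Staff,DC=example,DC=local';   SecurityIdentifier = 'S-1-5-32-544';        ActiveDirectoryRights = 'GenericAll';    ObjectAceType = 'All' }
    [pscustomobject]@{ ObjectDN = 'CN=harry.jones,OU=Staff,DC=example,DC=local';   SecurityIdentifier = 'S-1-5-21-1-2-3-1105'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = 'User-Force-Change-Password' }
    [pscustomobject]@{ ObjectDN = 'CN=Domain Admins,CN=Users,DC=example,DC=local'; SecurityIdentifier = 'S-1-5-21-1-2-3-1106'; ActiveDirectoryRights = 'WriteProperty'; ObjectAceType = 'Member' }
    [pscustomobject]@{ ObjectDN = 'DC=example,DC=local';                           SecurityIdentifier = 'S-1-5-21-1-2-3-1107'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = 'DS-Replication-Get-Changes-All' }
    [pscustomobject]@{ ObjectDN = 'CN=harry.jones,OU=Staff,DC=example,DC=local';   SecurityIdentifier = 'S-1-5-21-1-2-3-1108'; ActiveDirectoryRights = 'ReadProperty';  ObjectAceType = 'All' }
)

$sampleAces | Find-RiskyAce | Format-Table -AutoSize
```

The allowlisted `GenericAll` entry and the harmless `ReadProperty` entry are dropped; the three remaining ACEs are the ones a reviewer would want resolved to names (`Convert-SidToName`) and either justified or removed.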

### Gather ACLs With the Built-In ActiveDirectory Module

```powershell
(Get-ACL "AD:$((Get-ADUser joe.evans).distinguishedname)").access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll"} | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W
```

### Gather ACL With PowerView

```powershell
Get-DomainObjectAcl -Identity harry.jones -Domain inlanefreight.local -ResolveGUIDs
```

### Gather File Share ACLs

```powershell
# List file shares
Get-NetShare -ComputerName SQL01

# List Inside File Share
Get-PathAcl "\\SQL01\DB_backups"
```

### Gather Principals With DCSync Rights

```powershell
$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value

# List Users who can DCSync
Convert-SidToName $dcsync
```

## Enumerating Domain GPOs

### Gather GPO Data

```powershell
Get-DomainGPO | select displayname
```

### Gather GPO of Computer

```powershell
Get-DomainGPO -ComputerName WS01 | select displayname
```

### Gather GPO Permissions

```powershell
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513'}
```

## Enumerating Domain Trusts

### Gather Existing Trusts

```powershell
Get-DomainTrust
```

### Map All Trusts Reachable From the Current Domain

```powershell
Get-DomainTrustMapping
```
