Windows - Useful Commands for Active Directory
    I have collected a few useful commands for retrieving information out of Active Directory. The commands can do a whole lot more than what this post shows, but it will serve as a reminder of some of the more useful commands. These are all done directly on the AD server.

    The following commands are in PowerShell and can easily be scripted around.

    The first thing to do before using these commands is to import the AD module.
    PS C:\> Import-Module ActiveDirectory
    PS C:\>
    When the import is done, all the AD related commands will be available to you. Here is how you could collect account information for a specific user.
    PS C:\> Get-ADUser -Identity amro


    DistinguishedName : CN=Amanda Robinson,CN=Users,DC=MAIN,DC=local
    Enabled : True
    GivenName : Amanda
    Name : Amanda Robinson
    ObjectClass : user
    ObjectGUID : d3bcb107-fe14-4bbe-83fe-56124d858764
    SamAccountName : amro
    SID : S-1-5-21-1497700792-3046065286-177571247-1118
    Surname : Robinson
    UserPrincipalName : [email protected]



    PS C:\>
    Here is how to retrieve a list of all users.
    PS C:\> Get-ADUser -Filter *


    DistinguishedName : CN=Administrator,CN=Users,DC=MAIN,DC=local
    Enabled : False
    GivenName :
    Name : Administrator
    ObjectClass : user
    ObjectGUID : f7286193-5ff7-4cd2-888e-ce33e5c5802a
    SamAccountName : Administrator
    SID : S-1-5-21-1497700792-3046065286-177571247-500
    Surname :
    UserPrincipalName :

    DistinguishedName : CN=Guest,CN=Users,DC=MAIN,DC=local
    GivenName :
    Name : Guest
    ObjectClass : user
    ObjectGUID : e18e314b-6678-4c30-a071-1eb4c40c1cf2
    SamAccountName : Guest
    SID : S-1-5-21-1497700792-3046065286-177571247-501
    Surname :
    UserPrincipalName :

    DistinguishedName : CN=DefaultAccount,CN=Users,DC=MAIN,DC=local
    GivenName :
    Name : DefaultAccount
    ObjectClass : user
    ObjectGUID : 73525f69-a52a-42c6-a535-8d67d4cde5ca
    SamAccountName : DefaultAccount
    SID : S-1-5-21-1497700792-3046065286-177571247-503
    Surname :
    UserPrincipalName :
    ...
    This is another built-in command, "dsquery", that is very useful. The server I am testing on is a clean install so there is not much output. Here the "dsquery" command is used to query OUs.
    C:\>dsquery ou DC=MAIN,DC=local
    "OU=Domain Controllers,DC=MAIN,DC=local"

    C:\>
    The "netdom" command is very similar to the "net" command that you may already know. Here it will return all the workstations with accounts in the domain.
    C:\>netdom query workstation
    List of workstations with accounts in the domain:

    MediaAdmin ( Workstation or Server )

    DESKTOP-T58EFMD ( Workstation or Server )

    WIN-ISPCUGTKIG6 ( Workstation or Server )

    The command completed successfully.


    C:\>
    The output is somewhat weird as it does not distinguish well between actual servers and workstations. Here the same command is used to do a query on servers.

    C:\>netdom query server
    List of servers with accounts in the domain:

    MediaAdmin ( Workstation or Server )

    DESKTOP-T58EFMD ( Workstation or Server )

    WIN-ISPCUGTKIG6 ( Workstation or Server )

    The command completed successfully.


    C:\>
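    Because "netdom query workstation" and "netdom query server" print the same list, here is an added example (not from the original post) that classifies computer accounts with the AD module using the OperatingSystem attribute and the domain controller list. It assumes the ActiveDirectory module is available and the caller can read computer objects.

```powershell
# Added example, not part of the original post.
# Classify every computer account as Domain Controller, Server, Workstation or Unknown,
# which "netdom query workstation/server" does not do.
Import-Module ActiveDirectory

# Hostnames of the current domain controllers, so they are not counted as plain servers.
$dcNames = (Get-ADDomainController -Filter *).Name

$computers = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    $os = $c.OperatingSystem
    $role = if ($dcNames -contains $c.Name)   { 'Domain Controller' }
            elseif (-not $os)                 { 'Unknown (no OS attribute)' }
            elseif ($os -match 'Server')      { 'Server' }
            else                              { 'Workstation' }
    [pscustomobject]@{
        Name      = $c.Name
        Role      = $role
        OS        = $os
        Enabled   = $c.Enabled
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with
        # up to roughly 14 days of lag, so read it as "at least this old".
        LastLogon = $c.LastLogonDate
    }
}

$report | Sort-Object Role, Name | Format-Table -AutoSize

# Summary count per role, useful for spotting machines with no OS attribute
# (typically accounts that were pre-created but never joined).
$report | Group-Object Role | Select-Object Name, Count
```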
    Here the command returns all domain controllers with accounts in the domain.
    C:\>netdom query dc
    List of domain controllers with accounts in the domain:

    MAINADSERVER
    The command completed successfully.


    C:\>
    It can also return the primary domain controller, if you can actually call any domain controller the primary one.
    C:\>netdom query PDC
    Primary domain controller for the domain:

    MAINADSERVER
    The command completed successfully.


    C:\>
    It can also show some trust information, though it does not show everything. This AD server actually has a trust in both directions with another domain.
    C:\>netdom query trust
    Direction Trusted\Trusting domain Trust type
    ========= ======================= ==========

    The command completed successfully.


    C:\>
    Here a query returns which of the 5 FSMO roles the server is responsible for.
    C:\>netdom query fsmo
    Schema master MainADServer.MAIN.local
    Domain naming master MainADServer.MAIN.local
    PDC MainADServer.MAIN.local
    RID pool manager MainADServer.MAIN.local
    Infrastructure master MainADServer.MAIN.local
    The command completed successfully.


    C:\>
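    The FSMO and trust queries above, done with the AD module as an added example (not from the original post). It lists the five role holders, warns when a holder is not a current domain controller, and prints the trust direction and SID filtering settings that "netdom query trust" left out. It assumes the ActiveDirectory module is imported and the caller can read the domain, forest and trust objects.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles: two are forest-wide (schema, domain naming), three are per domain.
$fsmo = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC'                   = $domain.PDCEmulator
    'RID pool manager'      = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Every role holder should be a current DC. A holder missing from the DC list usually
# means a DC was removed without its roles being transferred or seized first.
$dcHosts = (Get-ADDomainController -Filter *).HostName
$fsmo.Values | Where-Object { $dcHosts -notcontains $_ } |
    ForEach-Object { "WARNING: FSMO holder $_ is not a known domain controller" }

# Trusts with their direction. Inbound and bidirectional trusts let accounts from the
# other domain authenticate here, so their SID filtering settings deserve a look.
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Trust            = $_.Name
        Direction        = $_.Direction
        Type             = $_.TrustType
        ForestTransitive = $_.ForestTransitive
        SIDQuarantined   = $_.SIDFilteringQuarantined
        SIDForestAware   = $_.SIDFilteringForestAware
        Note             = if ($_.Direction -ne 'Outbound') { 'review SID filtering' } else { '' }
    }
} | Format-Table -AutoSize
```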
    The "dsquery" command is another way of querying Active Directory. Here we are querying the domain controller for the main.local domain.
    C:\>dsquery computer "OU=Domain Controllers,DC=MAIN,DC=local" -o rdn -limit 0
    "MAINADSERVER"

    C:\>
    The "dsquery" command can also do a lot of things. Here we are querying users that have been inactive for longer than 3 weeks.
    C:\>dsquery user domainroot -inactive 3
    "CN=Jennifer Lawrence,CN=Users,DC=MAIN,DC=local"
    "CN=John Robinson,CN=Users,DC=MAIN,DC=local"

    C:\>
    Another interesting command is the "ldifde" command. Here we do a query on the users of the main.local domain.
    C:\>ldifde -m -f c:\users\lanadmin\documents\OUTPUT.LDF -s mainadserver -d "CN=users,DC=MAIN,DC=local" -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)"
    Connecting to "mainadserver"
    Logging in as current user using SSPI
    Exporting directory to file c:\users\lanadmin\documents\OUTPUT.LDF
    Searching for entries...
    Writing out entries......................
    22 entries exported

    The command has completed successfully

    C:\>
    The output from the above command is sent to the "OUTPUT.LDF" file and looks something like this.
    dn: CN=Administrator,CN=Users,DC=MAIN,DC=local
    changetype: add
    whenChanged: 20190127094621.0Z
    whenCreated: 20190127091637.0Z

    dn: CN=Guest,CN=Users,DC=MAIN,DC=local
    changetype: add

    dn: CN=DefaultAccount,CN=Users,DC=MAIN,DC=local
    changetype: add

    dn: CN=John,CN=Users,DC=MAIN,DC=local
    changetype: add
    whenChanged: 20190127094621.0Z
    whenCreated: 20190127091637.0Z
    ...
    Note that the output file has to be located in a folder you can write to. Unless you do bad things, using "C:" as a destination is a no-go.
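    The "dsquery user -inactive 3" check and the ldifde whenCreated/whenChanged export, combined into one Get-ADUser report as an added example (not from the original post). It flags enabled accounts with no logon in three weeks and accounts created or changed in the last week, and writes both lists to the user's Documents folder. The ActiveDirectory module is assumed to be available; the 7-day window is an assumption, not a value from the post.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

$inactiveDays = 21   # 3 weeks, matching "dsquery user domainroot -inactive 3"
$recentDays   = 7    # assumed review window for new or changed accounts
$now          = Get-Date

$users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, whenChanged, PasswordLastSet

# Enabled accounts that have not logged on for 3+ weeks, or never at all.
# LastLogonDate comes from lastLogonTimestamp, which replicates with up to ~14 days
# of lag, so treat it as "at least this stale" rather than an exact figure.
$stale = $users | Where-Object {
    $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-$inactiveDays))
} | Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet

# Accounts created or modified recently, the same attributes the ldifde export pulled,
# so they can be checked against change records.
$recent = $users | Where-Object {
    $_.whenCreated -gt $now.AddDays(-$recentDays) -or $_.whenChanged -gt $now.AddDays(-$recentDays)
} | Select-Object SamAccountName, whenCreated, whenChanged, Enabled

# Write under the current user's Documents folder, which is writable, instead of C:\.
$outDir = Join-Path $env:USERPROFILE 'Documents'
$stale  | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'stale-users.csv')
$recent | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'recent-users.csv')

'{0} stale enabled accounts, {1} accounts created or changed in the last {2} days' -f `
    @($stale).Count, @($recent).Count, $recentDays
```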

    Needless to say you can do a ton with these commands. Now you have seen them and you can start to explore the true power of what they can do.
    Sorry for all the newlines but Microsoft seems to be very fond of them and I wanted the output to be real so I didn't remove any of them.

    Links: https://www.varonis.com/blog/fsmo-roles/
    Certified Security Geek