Get-NetUser

# Users
Get-NetUser #Get users with several (not all) properties
Get-NetUser | select -ExpandProperty samaccountname #List all usernames
Get-NetUser -UserName student107 #Get info about a user
Get-NetUser -properties name, description #Get all descriptions
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcount
Find-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter

# Users Filters
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
Get-NetUser -UACFilter ACCOUNTDISABLE #All disabled users
Get-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart card
Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card users
Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
Get-NetUser -PreauthNotRequired #ASREPRoastable users
Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostable
Get-Netuser -TrustedToAuth #Useful for Kerberos constrain delegation
Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation

#Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess –Verbose


#Find local admins on all machines of the domain 
#(needs administrator privs on non-dc machines).
Invoke-EnumerateLocalAdmin –Verbose


#Find computers where a domain admin (or specified user/group) has sessions:
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"


#To confirm admin access
Invoke-UserHunter -CheckAccess


Find computers where a domain admin is logged-in.
Invoke-UserHunter -Stealth

PreviousSetting Up PowerView NextGet-NetGroup

Last updated 2 years ago

More