PowerShell AD Enumeration — Mental Model & Cheat Sheet

Goal: Safely enumerate Active Directory from a shell (Evil-WinRM / PowerShell)
Scope: Read-only confirmation, no exploitation
Use case: Translate vuln writeups → enumeration commands


Core Mental Model

PowerShell AD enumeration =

Get AD objects → filter → show properties

Most commands fit this pattern:

Get-ADThing -Filter / -LDAPFilter (...) -Properties ... | Select ...

If you don’t know the exact cmdlet → use Get-ADObject.


Universal Escape Hatch

Get-ADObject -LDAPFilter "(objectClass=*)"

  • Works for any AD object

  • Requires minimal PowerShell knowledge

  • Accepts LDAP filters (most reliable)


How to Think About a Query

Before writing a command, answer these:

  1. What object am I looking for?

    • user, computer, OU, service account, ACL, GPO
  2. What identifies it?

    • objectClass, name, attribute
  3. What do I care about seeing?

    • permissions, links, state, flags
  4. Am I confirming only?

    • If yes → read-only cmdlets only

Common AD Objects

Users

Get-ADUser -Filter * | Select Name

Computers

Get-ADComputer -Filter * | Select Name

Organizational Units (OUs)

Get-ADOrganizationalUnit -Filter * | Select DistinguishedName

Groups

Get-ADGroup -Filter * | Select Name


Searching by objectClass (Most Useful Skill)

Get-ADObject -LDAPFilter "(objectClass=CLASSNAME)"

Examples:

(objectClass=user)
(objectClass=computer)
(objectClass=organizationalUnit)
(objectClass=group)


Showing Specific Attributes

Get-ADObject -LDAPFilter "(condition)" -Properties prop1,prop2 | Select prop1,prop2

Example:

Get-ADObject -LDAPFilter "(objectClass=user)" -Properties memberOf | Select DistinguishedName,memberOf


dMSA / BadSuccessor Confirmation (Read-Only)

Find delegated Managed Service Accounts (dMSAs)

Get-ADObject `
    -LDAPFilter "(objectClass=msDS-DelegatedManagedServiceAccount)" `
    -Properties msDS-ManagedAccountPrecededByLink,msDS-DelegatedMSAState

Attributes of interest

  • msDS-ManagedAccountPrecededByLink

    • Who the dMSA claims to have replaced
  • msDS-DelegatedMSAState

    • 2 = migration completed (dangerous)

Find Where an Object Lives (OU Path)

Get-ADObject -LDAPFilter "(objectClass=msDS-DelegatedManagedServiceAccount)" | Select DistinguishedName

Use the DN to identify the OU for permission checks.


Checking OU Permissions (No Changes)

Get-Acl "AD:OU=Service Accounts,DC=corp,DC=local" | Select -ExpandProperty Access

Dangerous permissions to look for

  • CreateChild

  • GenericAll

  • GenericWrite

  • WriteProperty

If your user (or group) has these → potential escalation path.
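The dMSA lookup above and the OU permission check can be run as one read-only audit pass. This script is an added example, not part of the original cheat sheet; it assumes the ActiveDirectory module and its AD: drive are available, and the output column names are my own choice.

```powershell
# Added audit example (not from the cheat sheet). Read-only: it only calls
# Get-ADObject and Get-Acl. Assumes the ActiveDirectory module is loadable
# and that the account running it can read the relevant OU ACLs.
Import-Module ActiveDirectory

# The rights the cheat sheet flags as dangerous on a container.
$RiskyRights = 'CreateChild|GenericAll|GenericWrite|WriteProperty'

# Step 1: every dMSA, with the two attributes that matter for BadSuccessor.
$dmsas = Get-ADObject `
    -LDAPFilter "(objectClass=msDS-DelegatedManagedServiceAccount)" `
    -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState

foreach ($dmsa in $dmsas) {
    # Parent container = DN with the first RDN removed. Split on the first
    # comma that is not backslash-escaped, so "CN=Smith\, John" stays intact.
    $ouDn = ($dmsa.DistinguishedName -split '(?<!\\),', 2)[1]

    # Step 2: which principals hold Allow ACEs with risky rights on that OU?
    $risky = (Get-Acl -Path "AD:$ouDn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match $RiskyRights
        } |
        Select-Object -ExpandProperty IdentityReference -Unique

    # One row per dMSA: what it claims to replace, whether the migration
    # state is 2 (completed), and who can write into its container.
    [pscustomobject]@{
        dMSA          = $dmsa.Name
        OU            = $ouDn
        PrecededBy    = ($dmsa.'msDS-ManagedAccountPrecededByLink' -join '; ')
        State         = $dmsa.'msDS-DelegatedMSAState'
        MigrationDone = ($dmsa.'msDS-DelegatedMSAState' -eq 2)
        CanWriteInOU  = ($risky -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv; a row with MigrationDone set and a non-admin principal in CanWriteInOU is the combination worth escalating to whoever owns that OU.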


When Commands Fail

Load AD module (safe)

Import-Module ActiveDirectory

Check what AD cmdlets exist

Get-Command -Module ActiveDirectory


How to Ask Good Enumeration Questions

Use this format:

I am on a Windows shell
I want to find X
I care about Y attribute or permission
I want to confirm only, not exploit

Example:

“I want to find service accounts that inherit permissions from privileged users.”