PowerView
A PowerShell tool created by Will Schroeder (@harmj0y) that can be used to gather information about Windows domain(s). It contains a set of pure-PowerShell replacements for various Windows "net *" commands.
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Windows Command References
#Enumerate local users
net user
#Enumerate Domain Users
net user /domain
net user <username> /domain
#Enumerate local groups
net localgroup
net localgroup <groupname>
#Get domain
systeminfo | findstr "Domain"
#Get Logon Server
systeminfo | findstr "Logon Server"

PowerView
Setup
#https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
#Dot Source the .ps1
. C:\Path_To_Powerview\PowerView.ps1

Domain Enumeration
#Get Current Domain:
Get-Domain
#Get Object of Another Domain:
Get-Domain -Domain <other_domain_name>
#Get Domain SID for Current Domain:
Get-DomainSID
#Get Domain Policy for Current Domain:
Get-DomainPolicyData
#Get Specified Domain Policy Attribute:
(Get-DomainPolicyData).<attribute_name>
#Get Kerberos Policy. If forging a Golden Ticket w/Mimikatz, match this policy - the default Mimikatz TGT lifetime is 10 years.
(Get-DomainPolicyData).Kerberospolicy
#Get Domain Policy for Another Domain:
Get-DomainPolicyData -Domain <domain_name>
#Get Domain Controllers for Current Domain:
Get-DomainController
#Get Domain Controllers for Another Domain:
Get-DomainController -Domain <other_domain_name>

User Enumeration
#Get List of Users in Domain:
Get-DomainUser
#Get Information of Specified Domain User:
Get-DomainUser -Identity <identity>
#Get All Properties for Specified Domain User:
Get-DomainUser -Identity <identity> -Properties *
#Get Specified Properties for Specified Domain User. The "logoncount" attribute can help identify a decoy (honeypot) or stale account:
Get-DomainUser -Identity <identity> -Properties <attribute1>,<attribute2>
#Search for String in User's Attribute(s):
Get-DomainUser -LDAPFilter "Description=*<string>*" | Select <attribute1>,<attribute2>

Computer Enumeration
#Get List of Computers in Current Domain:
Get-DomainComputer | Select Name
#Get List of Computers, Ping First:
Get-DomainComputer -Ping
#Get List of Filtered Computers in Current Domain:
Get-DomainComputer -OperatingSystem "*<string>*"

Group Enumeration
#Get All Groups in Current Domain:
Get-DomainGroup | select Name
#Get All Specified Groups in Current Domain:
Get-DomainGroup *<string>*
#Get All Groups in Specified Domain:
Get-DomainGroup -Domain <target_domain>
#Get All Members of Specified Group (Recursively):
Get-DomainGroupMember -Identity "<Group_Name>" -Recurse
#Get the Group Membership for a User:
Get-DomainGroup -Username "<username>"
#List All Local Groups on a Machine (Needs Admin Privs):
Get-NetLocalGroup -ComputerName <computer_name> -ListGroups
#Get Members of All Local Groups on a Machine (Needs Admin Privs):
Get-NetLocalGroup -ComputerName <computer_name> -Recurse
#Get Members of Specified Local Group Name on a Machine (Needs Admin Privs):
Get-NetLocalGroupMember -ComputerName <computer_name> -GroupName <group_name>
#Get Actively Logged-On Users on Machine (Needs Admin Privs on Target):
Get-NetLoggedon -ComputerName <computer_name>
#Get Locally Logged Users on Machine (Needs Remote Registry on the Target):
Get-NetLoggedonLocal -ComputerName <computer_name>
#Get Last Logged Users on a Machine (Needs Admin Rights & Remote Registry):
Get-LastLoggedOn -ComputerName <computer_name>

Share Enumeration
#Find Shares on Hosts in Current Domain:
Invoke-ShareFinder -Verbose
#Find Sensitive Files on Computers in the Domain:
Invoke-FileFinder -Verbose
#Get All Fileservers of the Domain:
Get-NetFileServer

OU Enumeration
#Get All OUs in Current Domain:
Get-DomainOU
#Get OU GPLink Attribute:
Get-DomainOU | select name,gplink
#List All Computers in Specified OU (the pipeline below queries Get-DomainComputer with the OU as the search base):
(Get-DomainOU -Identity <OU_name>).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

GPO Enumeration
#Get list of GPOs in Current Domain:
Get-DomainGPO
#Get list of GPOs Using Restricted Groups:
Get-DomainGPOLocalGroup
#List GPOs Applied to OU:
Get-DomainGPO -Identity "{OU_gplink_value}"
#Get Users in Local Group of a Machine:
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity <computer_identity>
#Get Machines Where the Given User is a Member of Specific Group:
Get-DomainGPOUserLocalGroupMapping -Identity <username> -Verbose

ACL & ACE Enumeration
#Get the ACLs Associated with Specified Object:
Get-DomainObjectACL -SamAccountName <samaccountname> -ResolveGUIDs
#Get the ACLs Associated with Specified Prefix for Searching:
Get-DomainObjectAcl -SearchBase "LDAP://<search_base>" -ResolveGUIDs -Verbose
#Search for Interesting ACEs (Requests all ACEs from the DC and lists Modify and GenericAll Rights):
Find-InterestingDomainAcl -ResolveGUIDs
#Get the ACLs Associated with Specified Path:
Get-PathACL -Path "<\\path..\\>"

Domain Trust Mapping
#Get List of All Domain Trusts for Current Domain:
Get-DomainTrust -Domain <domain_name>
#Get Current Forest Details:
Get-Forest -Forest <forest_name>
#Get All Domains in Forest:
Get-ForestDomain -Forest <forest_name>
#Get All Global Catalogs for Forest:
Get-ForestGlobalCatalog -Forest <forest_name>
#Map Trusts of a Forest:
Get-ForestTrust -Forest <forest_name>

User Hunting
#Find All Machines in Current Domain Where Current User has Local Admin Access:
#Goes to DC and gets a list of computers, then goes to each machine and checks if the current user has local admin access.
Find-LocalAdminAccess -Verbose
#Equivalent checks over WMI and PS Remoting are provided by separate scripts (not part of PowerView.ps1):
Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1
#Find Computers Where Specified User/Group Has Session(s):
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "<group name>"
Find-DomainUserLocation -UserIdentity "<username>"
#Find Computers Where a DA Session is Available and Current User has Admin Access:
Find-DomainUserLocation -CheckAccess
#Find Computers Where DA Session is Available:
Find-DomainUserLocation -Stealth