aboutsummaryrefslogtreecommitdiff
path: root/docs/Recon/Get-DomainUser.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Recon/Get-DomainUser.md')
-rwxr-xr-xdocs/Recon/Get-DomainUser.md426
1 files changed, 426 insertions, 0 deletions
diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md
new file mode 100755
index 0000000..7247a1d
--- /dev/null
+++ b/docs/Recon/Get-DomainUser.md
@@ -0,0 +1,426 @@
+# Get-DomainUser
+
+## SYNOPSIS
+Return all users or specific user objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty
+
+## SYNTAX
+
+### AllowDelegation (Default)
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+### DisallowDelegation
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all user objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUser -Domain testlab.local
+```
+
+Return all users for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
+```
+
+Return the user with the given SID, as well as Administrator.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
+```
+
+lastlogoff samaccountname
+---------- --------------
+12/31/1600 4:00:00 PM dfm.a
+12/31/1600 4:00:00 PM dfm
+12/31/1600 4:00:00 PM harmj0y
+12/31/1600 4:00:00 PM Administrator
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation
+```
+
+Search the specified OU for privileged user (AdminCount = 1) that allow delegation
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+```
+
+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+
+### -------------------------- EXAMPLE 7 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))
+
+distinguishedname
+-----------------
+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+Also accepts DOMAIN\user format.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SPN
+Switch.
+Only return user objects with non-null service principal names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminCount
+Switch.
+Return users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllowDelegation
+Switch.
+Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: AllowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisallowDelegation
+Switch.
+Return user accounts that are marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: DisallowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KerberosPreuthNotRequired
+Switch.
+Return user accounts with "Do not require Kerberos preauthentication" set.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+## OUTPUTS
+
+### PowerView.User
+
+Custom PSObject with translated user property fields.
+
+PowerView.User.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 18:56:37 +0000