From 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:05:08 -0500 Subject: first take at platyPS doc generation --- docs/Recon/Get-DomainUser.md | 426 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 426 insertions(+) create mode 100755 docs/Recon/Get-DomainUser.md (limited to 'docs/Recon/Get-DomainUser.md') diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 0000000..7247a1d --- /dev/null +++ b/docs/Recon/Get-DomainUser.md @@ -0,0 +1,426 @@ +# Get-DomainUser + +## SYNOPSIS +Return all users or specific user objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +### AllowDelegation (Default) +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +### DisallowDelegation +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all user objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser -Domain testlab.local +``` + +Return all users for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" +``` + +Return the user with the given SID, as well as Administrator. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff +``` + +lastlogoff samaccountname +---------- -------------- +12/31/1600 4:00:00 PM dfm.a +12/31/1600 4:00:00 PM dfm +12/31/1600 4:00:00 PM harmj0y +12/31/1600 4:00:00 PM Administrator + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation +``` + +Search the specified OU for privileged user (AdminCount = 1) that allow delegation + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +Get-DomainUser dev\user1 -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1))) + +distinguishedname +----------------- +CN=user1,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. +Also accepts DOMAIN\user format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SPN +Switch. +Only return user objects with non-null service principal names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowDelegation +Switch. +Return user accounts that are not marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: AllowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisallowDelegation +Switch. +Return user accounts that are marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: DisallowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KerberosPreuthNotRequired +Switch. +Return user accounts with "Do not require Kerberos preauthentication" set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +## OUTPUTS + +### PowerView.User + +Custom PSObject with translated user property fields. + +PowerView.User.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3