net user
net user /domain
net user username /domain
net group /domain
powershell -ep bypass
Build the full LDAP ADsPath: LDAP://hostname[:portnumber][/distinguishedName]
PDC = primary domain controller; its hostname comes from the PdcRoleOwner property of the domain object.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
DN = DistinguishedName, uniquely identifies an object in AD.
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
[adsi] is a PowerShell wrapper around ADSI.
ADSI is a COM interface that ships with Windows; it doesn't require installing RSAT or the AD DS role.
The ActiveDirectory module (Get-ADUser etc.) isn't present on client machines: it is installed on DCs by default and otherwise only as part of RSAT, which is rarely on clients.
([adsi]'').distinguishedName: [adsi]'' (empty path) defaults to the domain root, the top of the AD hierarchy, so searches start from there.
$direntry = New-object System.DirectoryServices.DirectoryEntry($LDAP)
DirectoryEntry encapsulates an object in AD; the constructor can also take credentials to authenticate to the domain.
$dirsearcher = New-object System.DirectoryServices.DirectorySearcher($direntry)
DirectorySearcher takes the DirectoryEntry as its SearchRoot property (the AD node the search starts from).
$dirsearcher.FindAll()
Set up a filter to sift through results. samAccountType is an attribute applied to all user, computer and group objects.
$dirsearcher.filter="samAccountType=xxxxxxxxx"   (e.g. 805306368 = normal user accounts, see below)
Encapsulate into a function:
Import-Module xxx\adenum_2.ps1
FuncName -para "samAccountType=805306368"
objectClass vs. objectCategory
LDAP filters are written in Polish notation (prefix notation): the operator goes first, then the conditions, e.g. (&(objectCategory=group)(cn=Domain Admins))
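Added example, not from the original notes: the ADSI steps above wrapped in one function, with the filter passed as a parameter and an optional credential for the DirectoryEntry constructor. The function and parameter names (Invoke-AdsiSearch, -LDAPQuery, -Properties, -Credential) are my own choices, not from the notes.

```powershell
function Invoke-AdsiSearch {
    param(
        [Parameter(Mandatory = $true)]
        [string]$LDAPQuery,               # LDAP filter, e.g. "(samAccountType=805306368)"
        [string[]]$Properties = @(),      # attributes to return; empty = all attributes
        [pscredential]$Credential         # optional: authenticate to the domain as another account
    )

    # Find the PDC emulator via the PdcRoleOwner property of the current domain
    $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $PDC = $domainObj.PdcRoleOwner.Name

    # [adsi]'' is the domain root; its distinguishedName is the DN of the domain
    $DN = ([adsi]'').distinguishedName

    # Full ADsPath: LDAP://hostname/distinguishedName
    $LDAP = "LDAP://$PDC/$DN"

    # DirectoryEntry encapsulates the AD object; the 3-arg constructor takes credentials
    if ($Credential) {
        $direntry = New-Object System.DirectoryServices.DirectoryEntry(
            $LDAP, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
    }

    # DirectorySearcher uses the DirectoryEntry as its SearchRoot
    $dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
    $dirsearcher.Filter = $LDAPQuery
    $dirsearcher.PageSize = 1000        # paged results, so large domains return more than 1000 objects
    foreach ($p in $Properties) { [void]$dirsearcher.PropertiesToLoad.Add($p) }

    return $dirsearcher.FindAll()
}

# All normal user accounts (samAccountType 805306368), showing name and description
Invoke-AdsiSearch -LDAPQuery "(samAccountType=805306368)" -Properties samaccountname, description |
    ForEach-Object { "$($_.Properties['samaccountname'])`t$($_.Properties['description'])" }

# Compound filter in prefix notation: members of the Domain Admins group
Invoke-AdsiSearch -LDAPQuery "(&(objectCategory=group)(cn=Domain Admins))" -Properties member |
    ForEach-Object { $_.Properties['member'] }
```

Run it from a domain-joined host; property names in $_.Properties are indexed in lowercase.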