How to enumerate Active Directory domains using PowerShell

Active Directory (AD) is the backbone of many organizations, serving as a centralized system for managing users, computers, and resources. As a system administrator, being able to enumerate and query AD is a fundamental skill. In this comprehensive guide, we'll explore how to use PowerShell to enumerate an Active Directory domain effectively. We'll cover basic enumeration, advanced techniques, use cases, and provide practical scripts to streamline your AD management tasks.

Why Enumerate Active Directory?

Active Directory enumeration involves querying and retrieving information about the domain's structure, users, groups, and more. Understanding the benefits of AD enumeration is crucial:

  1. Inventory Management: Keep track of users, groups, computers, and organizational units (OUs) in your domain.
  2. User Account Management: Quickly find and manage user accounts, reset passwords, and view account details.
  3. Group Management: List, add, or remove users from groups, helping to manage permissions and access.
  4. Computer Management: Retrieve information about computers in the domain, such as OS version and last login time.
  5. Security Auditing: Identify security vulnerabilities, such as unused or stale accounts, and take necessary actions.

Prerequisites

Before we delve into Active Directory enumeration, ensure you have the following:

  1. PowerShell: PowerShell is pre-installed on modern Windows systems. Ensure you have PowerShell 3.0 or later, which supports the ActiveDirectory module's cmdlets used throughout this guide.
  2. Domain Administrator Privileges: Read-only enumeration works with an ordinary domain account; the write operations shown later (changing group membership, resetting passwords, disabling accounts) need domain administrator or equivalently delegated privileges.
  3. Active Directory Module: Import the Active Directory module using the following command:

    Import-Module ActiveDirectory

Basic Active Directory Enumeration

1. List All User Accounts

To list all user accounts in the domain, you can use the Get-ADUser cmdlet:

    Get-ADUser -Filter *

This command retrieves all user accounts and displays the default property set for each, such as name, username (SamAccountName) and user principal name; attributes outside that set, for example the email address, must be requested with -Properties, as shown in the advanced techniques below.

2. List All Groups

To list all groups in the domain, you can use the Get-ADGroup cmdlet:

    Get-ADGroup -Filter *

This command retrieves all groups and displays their names, scope and category; the description is not in the default output and is returned only when you add -Properties Description.

3. List All Computers

To list all computers in the domain, you can use the Get-ADComputer cmdlet:

    Get-ADComputer -Filter *

This command retrieves all computer accounts and displays their names and DNS host names; the operating system fields are returned only when you add -Properties OperatingSystem, OperatingSystemVersion.

4. List All Organizational Units (OUs)

To list all OUs in the domain, you can use the Get-ADOrganizationalUnit cmdlet:

    Get-ADOrganizationalUnit -Filter *

This command retrieves all OUs and displays their names.

Advanced Active Directory Enumeration Techniques

1. Filter and Select Specific Properties

You can filter and select specific properties when enumerating AD objects. For example, to retrieve only the usernames and email addresses of users:

    # EmailAddress is not in the default property set, so it must be requested explicitly
    Get-ADUser -Filter * -Properties EmailAddress | Select-Object SamAccountName, EmailAddress

This command fetches user accounts and displays only the specified properties.

2. Search for Specific Objects

You can use filters to search for specific objects in AD. For example, to find all disabled user accounts:

    Get-ADUser -Filter {Enabled -eq $false}

This command retrieves user accounts where the Enabled property is false.

3. Export to CSV

Exporting AD data to a CSV file is useful for reporting and analysis. For example, to export all user accounts to a CSV file:

    Get-ADUser -Filter * | Export-Csv -Path C:\ADUsers.csv -NoTypeInformation

This command exports user account data to a CSV file; -NoTypeInformation suppresses the #TYPE header line that Export-Csv would otherwise write as the first row.
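The basic enumeration section, the property-selection example and the CSV export above are usually combined into one scheduled inventory job. The following script is an added example written for this guide, not code from the original article: it snapshots users, groups, computers and OUs into timestamped CSV files, requests the non-default attributes explicitly, pins every query to a single domain controller, and returns a summary object whose counts can be compared with the previous run. The function name Export-ADInventory, the output directory C:\ADInventory and the chosen columns are assumptions you would adjust.

```powershell
# Added example (not from the original article): inventory snapshot to CSV.
# Assumes the ActiveDirectory module is installed and the caller has read
# access to the domain. $OutputDir is a hypothetical location.
Import-Module ActiveDirectory

function Export-ADInventory {
    param(
        [string]$OutputDir = 'C:\ADInventory',            # hypothetical output location
        [string]$Server    = (Get-ADDomain).PDCEmulator   # pin one DC so all queries see the same replica
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    # Only the default property set comes back unless extra attributes are named in -Properties.
    $users = Get-ADUser -Server $Server -Filter * -Properties EmailAddress, LastLogonDate, PasswordLastSet, PasswordNeverExpires
    $users | Select-Object SamAccountName, Name, Enabled, EmailAddress, LastLogonDate, PasswordLastSet, PasswordNeverExpires, DistinguishedName |
        Export-Csv -Path (Join-Path $OutputDir "users-$stamp.csv") -NoTypeInformation

    $groups = Get-ADGroup -Server $Server -Filter * -Properties Description, ManagedBy
    $groups | Select-Object SamAccountName, GroupScope, GroupCategory, Description, ManagedBy, DistinguishedName |
        Export-Csv -Path (Join-Path $OutputDir "groups-$stamp.csv") -NoTypeInformation

    $computers = Get-ADComputer -Server $Server -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
    $computers | Select-Object Name, Enabled, OperatingSystem, OperatingSystemVersion, LastLogonDate, DistinguishedName |
        Export-Csv -Path (Join-Path $OutputDir "computers-$stamp.csv") -NoTypeInformation

    $ous = Get-ADOrganizationalUnit -Server $Server -Filter * -Properties ProtectedFromAccidentalDeletion
    $ous | Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
        Export-Csv -Path (Join-Path $OutputDir "ous-$stamp.csv") -NoTypeInformation

    # Summary the caller can log or diff against the previous run; an unexplained
    # jump in user or computer count is worth investigating.
    [pscustomobject]@{
        Server        = $Server
        Users         = @($users).Count
        DisabledUsers = @($users | Where-Object { -not $_.Enabled }).Count
        Groups        = @($groups).Count
        Computers     = @($computers).Count
        OUs           = @($ous).Count
        OutputDir     = $OutputDir
    }
}

# Usage: run it and keep the summary alongside the CSV files.
Export-ADInventory
```

Filtering with -Filter happens on the domain controller, while Where-Object runs on the client after every object has been transferred; for large domains prefer the server-side filter wherever the attribute is filterable, and use -Properties selectively rather than -Properties *, which pulls every attribute of every object across the wire.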

4. Manage Groups and Members

You can manage group memberships using PowerShell. For example, to add a user to a group:

    Add-ADGroupMember -Identity "GroupName" -Members "Username"

This command adds a user to a group by specifying the group name and the username.
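The same cmdlet family is what you use to verify membership, which matters most for the groups that grant the widest rights. The following function is an added example for this guide, not the article's own code: it expands the recursive membership of the built-in high-privilege groups and reports every principal that is not on an approved list. The function name Get-PrivilegedGroupDrift and the approved list are constructed assumptions; replace the list with your organization's own.

```powershell
# Added example (not from the original article): report privileged-group
# members that are not on an approved list. Group names are the default
# built-in ones; $Approved is a constructed sample.
Import-Module ActiveDirectory

function Get-PrivilegedGroupDrift {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # Constructed sample: group -> SamAccountNames of approved (non-group) principals.
        # -Recursive flattens nested groups, so only leaf users/computers are compared.
        [hashtable]$Approved = @{
            'Domain Admins'     = @('Administrator', 'adm-alice')
            'Enterprise Admins' = @('Administrator')
            'Schema Admins'     = @()
            'Administrators'    = @('Administrator', 'adm-alice')
        }
    )
    foreach ($g in $Groups) {
        try {
            # -Recursive expands nested groups so a member two levels deep is still seen.
            $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not read membership of '$g': $_"
            continue
        }
        foreach ($m in $members) {
            if ($Approved[$g] -notcontains $m.SamAccountName) {
                [pscustomobject]@{
                    Group             = $g
                    Member            = $m.SamAccountName
                    ObjectClass       = $m.objectClass
                    DistinguishedName = $m.distinguishedName
                }
            }
        }
    }
}

# Usage: review the drift report, or export it with the CSV technique shown earlier.
Get-PrivilegedGroupDrift | Format-Table -AutoSize
```

Run the report on a schedule and treat any row as a change to explain, not necessarily a problem; legitimate additions should be reflected by updating the approved list so the next run is clean.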

Practical Use Cases

Use Case 1: Resetting Passwords

You can reset user passwords easily with PowerShell. For example, to reset a user's password to a temporary one:

    Set-ADAccountPassword -Identity "Username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempPassword" -Force)

This command resets the user's password to "TempPassword."
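A literal password on the command line ends up in the PowerShell history file, in transcripts and in any ticketing system the line is pasted into. The function below is an added example for this guide, not the article's own code: it generates the temporary password from a cryptographic random number generator, performs the same -Reset, marks the account so the user must change the password at next logon, and unlocks it. The function name Reset-ADUserTemporaryPassword and the character set are assumptions.

```powershell
# Added example (not from the original article): reset to a random temporary
# password and force a change at next logon. Assumes the caller holds the
# "Reset Password" right on the target account.
Import-Module ActiveDirectory

function Reset-ADUserTemporaryPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Length = 16
    )
    # Characters easily confused with each other (0/O, 1/l/I) are left out so the
    # password can be read to the user over the phone without mistakes.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)   # reject bytes that would bias the modulo
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1

    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $plain = -join $chars
        # Retry until every character class is present so the domain complexity policy accepts it.
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d' -and $plain -match '[^A-Za-z0-9]')
    $rng.Dispose()

    $secure = ConvertTo-SecureString -AsPlainText $plain -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true   # temporary password is single-use
    Unlock-ADAccount -Identity $Identity                            # clear any lockout from failed attempts

    # Return the password as a SecureString so it is not written to history or transcripts in the clear.
    [pscustomobject]@{ Identity = $Identity; TemporaryPassword = $secure }
}

# Usage: the operator reveals the value only at the moment it is handed to the user.
$result = Reset-ADUserTemporaryPassword -Identity 'jdoe'   # 'jdoe' is a placeholder username
[System.Net.NetworkCredential]::new('', $result.TemporaryPassword).Password
```

Because the password is generated per call and expires on first use, a leaked transcript or ticket exposes nothing reusable, and the -ChangePasswordAtLogon flag makes the user, not the helpdesk, the only party who knows the final password.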

Use Case 2: Disabling Stale Accounts

To identify and disable stale user accounts that haven't been used for a specified period, you can use a script like this:

    # The AD filter parser cannot evaluate expressions such as (Get-Date).AddDays(-90),
    # so compute the cutoff first and reference the variable inside the filter.
    $cutoff = (Get-Date).AddDays(-90)
    $staleUsers = Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -lt $cutoff} -Properties LastLogonDate
    $staleUsers | ForEach-Object {
        Disable-ADAccount -Identity $_
    }

This script disables enabled user accounts whose LastLogonDate is more than 90 days old. LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates between domain controllers only every 9 to 14 days, so keep the window well above that. Accounts that have never logged on have no LastLogonDate at all and are not matched by this filter.
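In practice a stale-account job also needs to catch accounts that were created and never used, skip OUs that hold service accounts managed separately, support a dry run, and leave an audit trail on the object. The function below is an added example for this guide, not the article's own script; the function name Get-StaleADUser, the -ExcludeOU parameter and the 90-day default are assumptions.

```powershell
# Added example (not from the original article): stale-account report with
# optional disable, dry run via -WhatIf, and never-logged-on handling.
Import-Module ActiveDirectory

function Get-StaleADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 90,
        [string[]]$ExcludeOU = @(),   # hypothetical: OU distinguished names to skip, e.g. service accounts
        [switch]$Disable              # without this switch the function only reports
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # Server-side filter for enabled accounts only; the age test is done on the client
    # because never-logged-on accounts have no LastLogonDate to filter on.
    $users = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, whenCreated, Description

    foreach ($u in $users) {
        if ($ExcludeOU | Where-Object { $u.DistinguishedName -like "*,$_" }) { continue }

        # Fall back to the creation date when the account has never logged on;
        # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag.
        $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        if ($lastActivity -ge $cutoff) { continue }

        $reason = if ($u.LastLogonDate) {
            "last logon $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
        } else {
            "never logged on, created $($u.whenCreated.ToString('yyyy-MM-dd'))"
        }

        if ($Disable -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Disable stale account ($reason)")) {
            Disable-ADAccount -Identity $u
            # Record why and when on the object itself so the change is explainable later.
            Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd') as stale: $reason | $($u.Description)"
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Reason            = $reason
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Usage: report only, then dry run, then act.
Get-StaleADUser -Days 90 | Format-Table -AutoSize
Get-StaleADUser -Days 90 -Disable -WhatIf
# Get-StaleADUser -Days 90 -Disable -ExcludeOU 'OU=Service Accounts,DC=example,DC=com'   # placeholder OU
```

Disabling rather than deleting keeps the SID, group memberships and attributes intact, so an account disabled by mistake can be restored with Enable-ADAccount; schedule deletion as a separate step after a retention period.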

Security and Best Practices

When working with Active Directory, adhere to these best practices:

  1. Least Privilege: Only grant necessary permissions to accounts for AD operations.
  2. Regular Auditing: Periodically audit AD for security vulnerabilities and compliance.
  3. Secure Credentials: Protect credentials when using scripts and automation.
  4. Backup: Regularly back up your Active Directory to avoid data loss.
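The "least privilege" and "secure credentials" points above translate into two habits for scripts: run them under a delegated account rather than a domain admin, and keep that account's credential out of the script text. The following is an added example for this guide, not the article's own code: it stores the credential once with Export-Clixml (encrypted by DPAPI, so only the same user on the same machine can read it back) and passes it explicitly to the AD cmdlets together with a fixed -Server. It also performs one of the routine audits the list calls for, enabled accounts whose passwords never expire. The function names, the file path and the audit query are assumptions.

```powershell
# Added example (not from the original article): delegated credential stored
# with DPAPI and used explicitly, plus a small recurring audit query.
Import-Module ActiveDirectory

$credPath = Join-Path $env:LOCALAPPDATA 'ad-audit.cred.xml'   # hypothetical path

function Save-ADAuditCredential {
    # Run once, interactively, as the Windows user that will later run the audit.
    # Export-Clixml protects the password with DPAPI; the file is useless on another
    # machine or to another user, and the plaintext never appears in a script.
    Get-Credential -Message 'Delegated AD audit account (read-only rights are enough)' |
        Export-Clixml -Path $credPath
}

function Invoke-ADPasswordPolicyAudit {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    if (-not (Test-Path $credPath)) {
        throw "No stored credential at $credPath; run Save-ADAuditCredential first."
    }
    $cred = Import-Clixml -Path $credPath   # decrypts only for the user/machine that saved it

    # Pinning -Server keeps the query consistent and gives the DC's security log a single,
    # recognisable source for this account's activity.
    Get-ADUser -Server $Server -Credential $cred `
               -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, DistinguishedName
}

# Usage: Save-ADAuditCredential once, then schedule the audit.
Invoke-ADPasswordPolicyAudit | Format-Table -AutoSize
```

Because the audit only reads, the delegated account needs nothing beyond the default read access of a domain user; reserving a separate, more privileged account for the write operations in this guide limits what a compromised scheduled task can do.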

Conclusion

PowerShell provides robust capabilities for enumerating and managing Active Directory domains. With the knowledge and techniques outlined in this guide, you can efficiently enumerate AD objects, perform management tasks, and maintain a secure and well-organized Active Directory environment. Whether you need to perform routine user management, security audits, or complex scripting, PowerShell is an indispensable tool for every system administrator.