Use the following PowerShell to perform an LDAP query against the primary domain controller (PDC) when no dedicated tool (e.g., BloodHound, ldapsearch, etc.) is available. It only needs .NET's System.DirectoryServices, which is present on any domain-joined Windows host:
# Locate the domain's PDC emulator and build an LDAP path to the domain root
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# Turn the DNS name into a distinguished name: corp.com -> DC=corp,DC=com
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Bind with explicit credentials (here the lab account corp.com\offsec / lab) and search from the domain root
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
$Searcher.SearchRoot = $objDomain
# samAccountType must be given in decimal: 805306368 = 0x30000000 = SAM_USER_OBJECT.
# objectClass=user also works, but it additionally returns computer objects, since the computer class derives from user.
$Searcher.filter="samAccountType=805306368"
# Other filters to try instead:
# $Searcher.filter="name=Jeff_Admin"
# $Searcher.filter="memberof=CN=Domain Admins,CN=Users,DC=corp,DC=com"
$Result = $Searcher.FindAll()
# Dump every attribute of every matching object, separated by a divider line
Foreach($obj in $Result) {
    Foreach($prop in $obj.Properties) {
        $prop
    }
    Write-Host "------------------------"
}
samAccountType values (hex as defined by Active Directory, decimal as needed in an LDAP filter):

SAM_DOMAIN_OBJECT              0x0         0
SAM_GROUP_OBJECT               0x10000000  268435456
SAM_NON_SECURITY_GROUP_OBJECT  0x10000001  268435457
SAM_ALIAS_OBJECT               0x20000000  536870912
SAM_NON_SECURITY_ALIAS_OBJECT  0x20000001  536870913
SAM_USER_OBJECT                0x30000000  805306368
SAM_MACHINE_ACCOUNT            0x30000001  805306369
SAM_TRUST_ACCOUNT              0x30000002  805306370
SAM_APP_BASIC_GROUP            0x40000000  1073741824
SAM_APP_QUERY_GROUP            0x40000001  1073741825
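The snippet above dumps every attribute of every hit and stops at the server's default 1000-entry result limit. As an added example (not part of the original notes), the wrapper below turns the same DirectorySearcher pattern into a reusable function that takes any LDAP filter, loads only the requested attributes, pages through large result sets, binds as the current logon session unless a PSCredential is supplied, and decodes samAccountType using the table above. The function names Invoke-LdapQuery and Get-SamAccountTypeName, the parameter set, and the usage lines at the bottom are all assumptions made for this example.

```powershell
# Added example: reusable LDAP query helper built on System.DirectoryServices.
# Invoke-LdapQuery and Get-SamAccountTypeName are hypothetical names chosen here.

function Get-SamAccountTypeName {
    # Maps a samAccountType value to the symbolic name from the table above.
    param([Parameter(Mandatory)]$Value)
    switch ([int]$Value) {
        0x0        { 'SAM_DOMAIN_OBJECT' }
        0x10000000 { 'SAM_GROUP_OBJECT' }
        0x10000001 { 'SAM_NON_SECURITY_GROUP_OBJECT' }
        0x20000000 { 'SAM_ALIAS_OBJECT' }
        0x20000001 { 'SAM_NON_SECURITY_ALIAS_OBJECT' }
        0x30000000 { 'SAM_USER_OBJECT' }
        0x30000001 { 'SAM_MACHINE_ACCOUNT' }
        0x30000002 { 'SAM_TRUST_ACCOUNT' }
        0x40000000 { 'SAM_APP_BASIC_GROUP' }
        0x40000001 { 'SAM_APP_QUERY_GROUP' }
        default    { 'UNKNOWN (0x{0:X})' -f [int]$Value }
    }
}

function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,                                   # full LDAP filter, e.g. '(samAccountType=805306368)'
        [string[]]$Properties = @('samaccountname', 'samaccounttype', 'distinguishedname'),
        [int]$PageSize = 1000,                                                    # >0 enables paged search past the 1000-entry server limit
        [System.Management.Automation.PSCredential]$Credential                   # optional; omit to use the current logon session
    )
    # LDAP attribute names are case-insensitive; normalise so they can be used as dictionary keys
    $Properties = @($Properties | ForEach-Object { $_.ToLowerInvariant() })

    # Same PDC / search-base construction as in the notes above
    $domainObj  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc        = $domainObj.PdcRoleOwner.Name
    $dn         = "DC=$($domainObj.Name.Replace('.', ',DC='))"
    $searchBase = "LDAP://$pdc/$dn"

    if ($Credential) {
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            $searchBase, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($searchBase)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = $Filter
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.AddRange($Properties)   # only fetch what we need instead of every attribute

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($res in $results) {
            $o = [ordered]@{}
            foreach ($p in $Properties) {
                $vals = $res.Properties[$p]
                # Missing attribute -> $null; single value -> scalar; multi-valued (e.g. memberof) -> array
                $o[$p] = if (-not $vals -or $vals.Count -eq 0) { $null }
                         elseif ($vals.Count -eq 1)           { $vals[0] }
                         else                                 { @($vals) }
            }
            if ($Properties -contains 'samaccounttype' -and $null -ne $o['samaccounttype']) {
                $o['samaccounttypename'] = Get-SamAccountTypeName $o['samaccounttype']
            }
            [pscustomobject]$o
        }
    } finally {
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage (decimal samAccountType values from the table above):
# Invoke-LdapQuery -Filter '(samAccountType=805306368)' | Format-Table                       # user accounts
# Invoke-LdapQuery -Filter '(samAccountType=805306369)' -Properties samaccountname,operatingsystem   # machine accounts
# Invoke-LdapQuery -Filter '(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=com)' `
#                  -Credential (Get-Credential 'corp.com\offsec')                             # explicit bind, as in the notes
```

Two points of design worth noting: PageSize is set explicitly because FindAll() otherwise returns at most the server's MaxPageSize (1000 by default) and silently drops the rest, which is easy to miss when auditing a large domain; and samAccountType is compared as [int] because the attribute comes back from the directory as an Int32 and a mismatched numeric type would make a hashtable lookup fail, which is why the mapping uses a switch instead.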