Use the following to perform an LDAP query against the primary domain controller if you don’t have a tool (e.g., bloodhound, ldapsearch, etc):

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
 
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
 
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
 
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368" # 0x30000000 / user; or use objectClass=user
# $Searcher.filter="name=Jeff_Admin"
# $Searcher.filter="memberof=CN=Domain Admins,CN=Users,DC=corp,DC=com"
$Result = $Searcher.FindAll()
 
Foreach($obj in $Result) {
    Foreach($prop in $obj.Properties) {
        $prop
    }
    Write-Host "------------------------"
}
 

samAccountType:

SAM_DOMAIN_OBJECT              0x0
SAM_GROUP_OBJECT               0x10000000
SAM_NON_SECURITY_GROUP_OBJECT  0x10000001
SAM_ALIAS_OBJECT               0x20000000
SAM_NON_SECURITY_ALIAS_OBJECT  0x20000001
SAM_USER_OBJECT                0x30000000
SAM_MACHINE_ACCOUNT            0x30000001
SAM_TRUST_ACCOUNT              0x30000002
SAM_APP_BASIC_GROUP            0x40000000
SAM_APP_QUERY_GROUP            0x40000001