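# Use the following to perform an LDAP query against the primary domain
# controller (PDC) if you don't have a tool (e.g., BloodHound, ldapsearch, etc.).
#
# The script builds an LDAP://<PDC>/<domain DN> path for the current domain,
# binds to it with explicit credentials, runs one filtered search, and prints
# the property collection of every match followed by a separator line.

# Current domain, and the name of the host that owns the PDC role.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name

# Turn the DNS name into a distinguished name, e.g. "corp.com" -> "DC=corp,DC=com".
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://$PDC/$DistinguishedName"

# Bind with explicit credentials. The values below are the lab's sample account.
# A password written into a script is stored in plaintext, and any script-block
# logging or transcript will record it; outside a lab, prompt for it instead
# (e.g. with Get-Credential) rather than saving it in the file.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")

# Root the searcher directly on the credentialed entry. The original built it
# on [ADSI]$SearchString first and then overwrote SearchRoot with this entry.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

# Without paging, the result set is silently cut off at the server's size
# limit (1000 entries by default), so output from a large domain looks
# complete when it is not.
$Searcher.PageSize = 1000

# 805306368 = 0x30000000 = SAM_USER_OBJECT (see the table at the end).
# objectClass=user is not an exact substitute: computer accounts also carry the
# user class, so it returns machines as well. The closer equivalent is
# (&(objectCategory=person)(objectClass=user)).
$Searcher.filter="samAccountType=805306368"
# $Searcher.filter="name=Jeff_Admin"
# $Searcher.filter="memberof=CN=Domain Admins,CN=Users,DC=corp,DC=com"

$Result = $null
try {
    $Result = $Searcher.FindAll()
    foreach ($obj in $Result) {
        foreach ($prop in $obj.Properties) {
            $prop
        }
        Write-Host "------------------------"
    }
}
finally {
    # SearchResultCollection holds unmanaged resources that garbage collection
    # does not fully release, so it must be disposed explicitly.
    if ($null -ne $Result) { $Result.Dispose() }
    $Searcher.Dispose()
    $objDomain.Dispose()
}

# samAccountType:
#   SAM_DOMAIN_OBJECT              0x0
#   SAM_GROUP_OBJECT               0x10000000
#   SAM_NON_SECURITY_GROUP_OBJECT  0x10000001
#   SAM_ALIAS_OBJECT               0x20000000
#   SAM_NON_SECURITY_ALIAS_OBJECT  0x20000001
#   SAM_USER_OBJECT                0x30000000
#   SAM_MACHINE_ACCOUNT            0x30000001
#   SAM_TRUST_ACCOUNT              0x30000002
#   SAM_APP_BASIC_GROUP            0x40000000
#   SAM_APP_QUERY_GROUP            0x40000001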