Domains Enumeration: Active Directory

How to List All Active Directory Domains

In this tutorial, we will learn the first steps of Active Directory enumeration. The first step is to enumerate information about the Domain itself.

Then we will extract information about the Users, Computers, Domain Administrators, Enterprise Administrators, and network shares.

Understand how to start enumerating a Domain Controller and escalate your privileges inside the network.


Importing PowerView

Enumerate Domain Information

[Figure: Active Directory Enumeration]

Get current Domain


Get an object from another domain

Get-NetDomain -Domain popdev.local

Get domain SID from the current domain



Domain Passwords policies

(Get-DomainPolicy)."system access"

Kerberos Policies

(Get-DomainPolicy)."Kerberos Policy"

Domain Users Enumeration

Get a list of all usernames inside the domain and their properties


Get-NetUser -UserName rfs


Check whether any account has a password stored in its Description field

Find-UserField -SearchField Description -SearchTerm "pass"

Network Information Enumeration

Computer Information


Get-NetComputer -FullData

Get-NetComputer -Ping

Groups Information

What groups exist in the system?


Get-NetGroup -Domain dc01.poplabsec.local

Get-NetGroup -FullData

Get-NetGroup 'Domain Admins' -FullData

Get-NetGroup -GroupName 'admin'

Get-NetGroup -GroupName 'admin' -Domain poplabsec.local

Who is inside the Group?

Remember that group members can be user accounts or other groups, so use -Recurse to expand nested groups.

Get-NetGroupMember -GroupName 'Domain Admins'

Get-NetGroupMember -GroupName 'Domain Admins' -Recurse
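The two checks above (passwords left in the Description field, and the effective membership of privileged groups) are also the ones an administrator should run on their own domain before an attacker does. The following is an added example, not code from the original post and not PowerView: it uses the Microsoft ActiveDirectory module (RSAT) in read-only mode to produce a clean-up report. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain, and that the keyword list and the group names to review are adjusted to the local environment (the pattern below is a constructed starting point).

```powershell
# Added audit example (not from the original post). Read-only: it only reports.
# Assumes the RSAT ActiveDirectory module is available and the caller can read the domain.
Import-Module ActiveDirectory

# Keywords that suggest a credential was left in an account's Description field.
# Constructed starting list; extend it with local naming conventions.
$suspectPattern = 'pass|pwd|password|credential|login'

function Find-DescriptionSecrets {
    # Returns every user whose Description matches the keyword list so it can be
    # cleared and the account's password rotated.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter 'Description -like "*"' -SearchBase $SearchBase -Properties Description |
        Where-Object { $_.Description -match $suspectPattern } |
        Select-Object SamAccountName, Enabled, Description
}

function Get-PrivilegedMembers {
    # Returns the effective (recursively expanded) membership of the given groups,
    # mirroring Get-NetGroupMember -Recurse, so nested admin groups are not missed.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))
    foreach ($g in $Groups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
                }
        } catch {
            # Enterprise Admins only exists in the forest root domain; report and continue.
            Write-Warning "Could not read group '$g': $($_.Exception.Message)"
        }
    }
}

'== Accounts with credential-like text in Description (clear the field, rotate the password) =='
Find-DescriptionSecrets | Format-Table -AutoSize

'== Effective membership of privileged groups (review every entry, remove what is not needed) =='
Get-PrivilegedMembers | Format-Table -AutoSize
```

Run it from an account with ordinary read access to the domain; no write permission is needed. Scheduling the report and diffing it against the previous run turns it into a simple change detector for privileged-group membership.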

Get-NetLocalGroup -ComputerName dc01.poplabsec.local -Recurse

Get-NetLoggedon -ComputerName

Get-NetLoggedonLocal -ComputerName

Get-LastLoggedOn -ComputerName

Find network shares in the current Domain

Invoke-ShareFinder -Verbose

Invoke-FileFinder -Verbose

Get all file servers inside the current domain