During many penetration tests (or red versus blue team exercises), I have found myself with the need to investigate users, groups, computers and policies of a Windows domain. To do that, I have developed a series of PowerShell scripts that dump all that information from Active Directory into XML files.
Created
July 25, 2021 06:14
-
-
Save Oyonax/345d40cc3500ed2c89b079b965faacc0 to your computer and use it in GitHub Desktop.
Active Directory Information Dump
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dump-Computers -DomainFile domains.xml -ResultFile computers.xml -DNSResolve |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Domains> | |
| <Start Time="2016-10-03T13:42:15.8719020Z" /> | |
| <Domain Name="SERIALIZING_LOCAL" DNS="serializing.local"> | |
| <Computer Name="wnddc01.serializing.local" Identifier="S-1-5-21-815321168-1961664571-58983674-10001" Description="Domain Controller" DN="CN=WNDDC01,OU=Domain Controllers,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:15:23.0000000Z"> | |
| <OS Name="Windows Server 2012 R2 Standard" Version="6.3 (9600)" /> | |
| <Addresses> | |
| <Address Value="10.0.0.1" /> | |
| </Addresses> | |
| </Computer> | |
| <Computer Name="wnddkp01.serializing.local" Identifier="S-1-5-21-815321168-1961664571-58983674-10021" Description="Windows Desktop" DN="CN=WNDDKP01,OU=Computers,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T13:38:20.0000000Z" Changed="2016-10-03T09:22:19.0000000Z"> | |
| <OS Name="Windows 7" Version="6.1 (7601)" Patch="Service Pack 1" /> | |
| <Addresses> | |
| <Address Value="10.0.0.10" /> | |
| </Addresses> | |
| </Computer> | |
| </Domain> | |
| <End Time="2016-10-03T13:43:47.0784943Z" /> | |
| </Domains> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dump-Domains -DomainFile domains.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Domains> | |
| <Start Time="2016-10-03T13:39:02.4430069Z" /> | |
| <Domain Name="SERIALIZING_LOCAL" DNS="serializing.local" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-03T12:30:42.0000000Z"> | |
| <Trusted Name="SERIALIZING_ME" DNS="serializing.me" /> | |
| </Domain> | |
| <End Time="2016-10-03T13:39:02.5130139Z" /> | |
| </Domains> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Domains> | |
| <Start Time="2016-10-03T08:02:01.7690660Z" /> | |
| <Domain Name="SERIALIZING_LOCAL" DNS="serializing.local"> | |
| <Group Name="Enterprise Read-only Domain Controllers" Identifier="S-1-5-21-815321168-1961664571-58983674-498" Description="Members of this group are Read-Only Domain Controllers in the enterprise" DN="CN=Enterprise Read-only Domain Controllers,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z" /> | |
| <Group Name="Domain Admins" Identifier="S-1-5-21-815321168-1961664571-58983674-512" Description="Designated administrators of the domain" DN="CN=Domain Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-09-07T07:49:21.0000000Z"> | |
| <MemberOf DN="CN=Administrators,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| </Group> | |
| <Group Name="Domain Users" Identifier="S-1-5-21-815321168-1961664571-58983674-513" Description="All domain users" DN="CN=Domain Users,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-07-07T11:57:38.0000000Z"> | |
| <MemberOf DN="CN=Authorized Terminal Server Users,OU=Groups,DC=SERIALIZING,DC=LOCAL" /> | |
| <MemberOf DN="CN=Users,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| </Group> | |
| <Group Name="Domain Guests" Identifier="S-1-5-21-815321168-1961664571-58983674-514" Description="All domain guests" DN="CN=Domain Guests,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z"> | |
| <MemberOf DN="CN=Guests,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| </Group> | |
| <Group Name="Domain Computers" Identifier="S-1-5-21-815321168-1961664571-58983674-515" Description="All workstations and servers joined to the domain" DN="CN=Domain Computers,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2006-02-06T12:13:29.0000000Z" Changed="2016-10-02T12:07:27.0000000Z" /> | |
| <Group Name="Domain Controllers" Identifier="S-1-5-21-815321168-1961664571-58983674-516" Description="All domain controllers in the domain" DN="CN=Domain Controllers,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z"> | |
| </Group> | |
| <Group Name="Schema Admins" Identifier="S-1-5-21-815321168-1961664571-58983674-518" Description="Designated administrators of the schema" DN="CN=Schema Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-09-07T07:49:21.0000000Z"> | |
| </Group> | |
| <Group Name="Enterprise Admins" Identifier="S-1-5-21-815321168-1961664571-58983674-519" Description="Designated administrators of the enterprise" DN="CN=Enterprise Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-09-07T07:49:21.0000000Z"> | |
| <MemberOf DN="CN=Administrators,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| </Group> | |
| <Group Name="Group Policy Creator Owners" Identifier="S-1-5-21-815321168-1961664571-58983674-520" Description="Members in this group can modify group policy for the domain" DN="CN=Group Policy Creator Owners,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z"> | |
| </Group> | |
| <Group Name="Read-only Domain Controllers" Identifier="S-1-5-21-815321168-1961664571-58983674-521" Description="Members of this group are Read-Only Domain Controllers in the domain" DN="CN=Read-only Domain Controllers,CN=Users,DC=SERIALIZING,DC=LOCAL" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z"> | |
| </Group> | |
| </Domain> | |
| <End Time="2016-10-03T08:02:12.4230389Z" /> | |
| </Domains> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Domains> | |
| <Start Time="2016-10-03T08:16:16.7320028Z" /> | |
| <Domain Name="SERIALIZING_LOCAL" DNS="serializing.local"> | |
| <GroupPolicy GUID="{31B2F340-016D-11D2-945F-00C04FB984F9}" Name="DEFAULT DOMAIN POLICY" Path="\\SERIALIZING.LOCAL\sysvol\SERIALIZING.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" Version="1" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z" /> | |
| <GroupPolicy GUID="{6AC1786C-016F-11D2-945F-00C04FB984F9}" Name="DEFAULT DOMAIN CONTROLLERS POLICY" Path="\\SERIALIZING.LOCAL\sysvol\SERIALIZING.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}" Version="1" Created="2016-10-02T12:07:27.0000000Z" Changed="2016-10-02T12:07:27.0000000Z" /> | |
| </Domain> | |
| <End Time="2016-10-03T08:16:18.0181314Z" /> | |
| </Domains> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Domains> | |
| <Start Time="2016-09-03T08:05:45.5014054Z" /> | |
| <Domain Name="SERIALIZINGLOCAL" DNS="serializing.local"> | |
| <User Name="Administrator" Identifier="S-1-5-21-815321168-1961664571-58983674-500" Description="Built-in account for administering the computer/domain" DN="CN=Administrator,OU=Domain Administration,OU=Users,DC=SERIALIZING,DC=LOCAL" Locked="False" Disabled="False" NoPasswordRequired="False" CanChangePassword="True" PasswordDoesntExpire="True" ExpiredPassword="False" Created="2016-10-02T12:07:28.0000000Z" Changed="2016-09-02T14:09:58.0000000Z"> | |
| <MemberOf DN="CN=Administrators,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| <MemberOf DN="CN=Domain Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" /> | |
| <MemberOf DN="CN=Enterprise Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" /> | |
| <MemberOf DN="CN=Group Policy Creator Owners,CN=Users,DC=SERIALIZING,DC=LOCAL" /> | |
| <MemberOf DN="CN=Schema Admins,OU=Administrative,OU=Groups,DC=SERIALIZING,DC=LOCAL" /> | |
| </User> | |
| <User Identifier="S-1-5-21-815321168-1961664571-812641168-501" Description="Built-in account for guest access to the computer/domain" DN="CN=Guest,CN=Users,DC=SERIALIZING,DC=LOCAL" Locked="False" Disabled="True" NoPasswordRequired="True" CanChangePassword="True" PasswordDoesntExpire="True" ExpiredPassword="False" Created="2016-10-02T12:07:28.0000000Z" Changed="2016-09-02T12:52:13.0000000Z"> | |
| <MemberOf DN="CN=Guests,CN=Builtin,DC=SERIALIZING,DC=LOCAL" /> | |
| </User> | |
| </Domain> | |
| <End Time="2016-09-03T08:06:08.6259371Z" /> | |
| </Domains> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment