AD Groups
Domain Group
Get-DomainGroup
Code
Get-DomainGroup -Properties Name
High-value Targets
Exchange Trusted Subsystem
Exchange Windows Permissions
Other Groups
Protected Users
LAPS Admins
Help Desk
Security Operations
Get-DomainGroupMember
Code
Get-DomainGroupMember -Identity 'Help Desk'
Protected Groups
Code
Get-DomainGroup -AdminCount
Protected AD groups with the AdminCount attribute set to 1
Managed Security Groups
Code
Find-ManagedSecurityGroups | select GroupName
These groups have delegated non-administrators the right to add members to AD security groups and distribution groups; the delegation is set by modifying the managedBy attribute.
Security Operations Group
Code
Get-DomainManagedSecurityGroup
Enumerating ACLs
Code
$sid = ConvertTo-SID joe.evans
Get-DomainObjectAcl -Identity 'Security Operations' | ?{ $_.SecurityIdentifier -eq $sid}
Local Groups
Code
Get-NetLocalGroup -ComputerName WS01 | select GroupName
Get-NetLocalGroupMember
Code
Get-NetLocalGroupMember -ComputerName WS01
Check for non-RID 500 users
Convert-SidToName
Example
PS C:\htb> $sid = Convert-NameToSid harry.jones
PS C:\htb> $computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname
PS C:\htb> foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ? {$_.SID -eq $sid}}
ComputerName : WS01.INLANEFREIGHT.LOCAL
GroupName : Administrators
MemberName : INLANEFREIGHT\harry.jones
SID : S-1-5-21-2974783224-3764228556-2640795941-2040
IsGroup : False
IsDomain : True
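A defensive counterpart to the check above, added here and not part of the original notes: it takes rows shaped like the Get-NetLocalGroupMember output, skips RID 500 accounts and an allow-list, and reports every other member of local Administrators for review. The function name Get-UnexpectedLocalAdmin, the allow-list and the sample rows are assumptions constructed for illustration.

```powershell
# Constructed sample rows, shaped like the Get-NetLocalGroupMember output above.
# The harry.jones SID is the one shown on this page; the other SIDs are made up.
$domainSid = 'S-1-5-21-2974783224-3764228556-2640795941'
$rows = @(
    [pscustomobject]@{ ComputerName = 'WS01.INLANEFREIGHT.LOCAL'; GroupName = 'Administrators'
                       MemberName = 'WS01\Administrator'; IsGroup = $false; IsDomain = $false
                       SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ ComputerName = 'WS01.INLANEFREIGHT.LOCAL'; GroupName = 'Administrators'
                       MemberName = 'INLANEFREIGHT\Domain Admins'; IsGroup = $true; IsDomain = $true
                       SID = "${domainSid}-512" }
    [pscustomobject]@{ ComputerName = 'WS01.INLANEFREIGHT.LOCAL'; GroupName = 'Administrators'
                       MemberName = 'INLANEFREIGHT\harry.jones'; IsGroup = $false; IsDomain = $true
                       SID = "${domainSid}-2040" }
    [pscustomobject]@{ ComputerName = 'WS01.INLANEFREIGHT.LOCAL'; GroupName = 'Administrators'
                       MemberName = 'WS01\svc_backup'; IsGroup = $false; IsDomain = $false
                       SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
)

# Hypothetical helper: returns local Administrators members that are neither
# a RID 500 account nor on the caller's allow-list of expected SIDs.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Member,
        [string[]] $AllowedSid = @()
    )
    foreach ($m in $Member) {
        if ($m.GroupName -ne 'Administrators') { continue }
        if ($m.SID -notmatch '^S-1-\d+(-\d+)+$') {
            Write-Warning "Skipping malformed SID '$($m.SID)' on $($m.ComputerName)"
            continue
        }
        # The RID is the last sub-authority of the SID.
        $rid = [uint32](($m.SID -split '-')[-1])
        if ($rid -eq 500) { continue }                  # built-in Administrator
        if ($AllowedSid -contains $m.SID) { continue }  # expected by policy
        [pscustomobject]@{
            ComputerName = $m.ComputerName
            MemberName   = $m.MemberName
            RID          = $rid
            Scope        = if ($m.IsDomain) { 'Domain' } else { 'Local' }
            Type         = if ($m.IsGroup) { 'Group' } else { 'User' }
        }
    }
}

# Domain Admins (RID 512) is allow-listed here as an assumed policy baseline.
Get-UnexpectedLocalAdmin -Member $rows -AllowedSid "${domainSid}-512" |
    Format-Table -AutoSize
```

In an audit, the constructed `$rows` array would be replaced with an authorized inventory of local group membership across the estate.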