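# Active Directory one-liners for cmd.exe on a domain-joined Windows host.
# Conventions used in this file:
#   - Lines starting with # are notes, not cmd.exe comments (use REM or :: inside a script).
#   - %i, %j, ... are interactive FOR variables; double them (%%i) when pasting into a .cmd/.bat file.
#   - CamelCase tokens such as DC=forestRootDomain, domainRoot, DHCP_SERVER, groupDN, siteName are
#     placeholders you substitute; *.txt names are input files you create from earlier output.
#   - FOR /F only runs a command when it is in single quotes: ('command'). ("...") is a literal string,
#     so the double-quoted forms in the original transcription would never have executed anything.
#     A pipe inside such a command must be escaped as ^|.
#   - Read-only queries (dsquery, dsget, repadmin, nltest, dcdiag) work with ordinary domain-user rights;
#     reg query, psexec/psinfo, netsh, wmic and \\server\admin$ need administrative rights on the target.
#   - dsquery/dsget/ntdsutil/repadmin/dcdiag/w32tm ship with RSAT or the OS; gpotool, acldiag, ntfrsutl,
#     psexec/psinfo/filever, adfind, setacl and portqry are separate downloads.
# List all Domain Controllers
Nltest /dclist:%userdnsdomain%
# List stale computer accounts (password not changed in 180 days; tune the threshold to your policy)
dsquery computer domainroot -stalepwd 180 -limit 0
# List stale user accounts (password not changed in 180 days)
dsquery user domainroot -stalepwd 180 -limit 0
# List disabled user accounts
dsquery user domainroot -disabled -limit 0
# AD Database disk usage (reads \\DC\admin$\ntds on each DC; needs admin rights on the DCs)
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds
# Global Catalog Servers from DNS (%logonserver% already carries the leading \\)
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"
# Global Catalog Servers from AD (nTDSDSA objects with the GC bit, options bit 1, set)
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"
# Users with no logon script
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName
# User accounts with no pwd required (userAccountControl bit 32 = PASSWD_NOTREQD; every hit deserves a review)
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"
# User accounts with no pwd expiry (userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD)
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
# User accounts that are disabled (userAccountControl bit 2 = ACCOUNTDISABLE)
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
# DNS Information from every DC (assumes each DC is also a DNS server)
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info
# DNS Zone Detailed information
dnscmd /zoneinfo %userdnsdomain%
# Garbage Collection and tombstone lifetime (the container is "Windows NT" with a space)
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime
# List authorised DHCP Servers
netsh dhcp show server
# DSQuery version of list authorised DHCP Servers
Dsquery * "cn=NetServices,cn=Services,cn=Configuration,DC=forestRootDomain" -attr dhcpServers
# DHCP server information
netsh dhcp server \\DHCP_SERVER show all
# DHCP server dump
netsh dhcp server \\DHCP_SERVER dump
# WINS server information
Netsh wins server \\WINS_SERVER dump
# Group Policy Verification Tool (checks GPO ACLs and SYSVOL/AD consistency)
gpotool.exe /checkacl /verbose
# All computer objects; the returned DN shows each one's OU
dsquery computer -limit 0
# All user objects; the returned DN shows each one's OU
dsquery user -limit 0
# List Service Principal Names registered on each DC
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i
# List Domain Controller IP Configuration (requires psexec.exe from Sysinternals/Microsoft and admin rights on each DC)
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all
# List DC FSMO Roles
ntdsutil roles Connections "Connect to server %logonserver%" Quit "select Operation Target" "List roles for connected server" Quit Quit Quit
# [JDH: This is really a series of steps, not a single command expression; each quoted item is one ntdsutil menu command]
# Check AD ACLs
acldiag dc=domainTree
# NTFRS Replica Sets
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i
# NTFRS DS View
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i
# Domain Controllers per site
Dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter "(objectCategory=Server)"
# DNS Zones in AD, queried against each DC
for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter "(objectCategory=dnsZone)"
# Enumerate DNS Server Zones
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones
# Subnet information
Dsquery subnet -limit 0
# List Organisational Units
Dsquery OU
# ACL on all OUs (delims=| keeps the whole quoted DN as one token)
For /f "delims=|" %i in ('dsquery OU') do acldiag %i
# Domain Trusts
nltest /domain_trusts /v
# Print DNS Zones
dnscmd DNSServer /zoneprint DNSZone
# List active DHCP leases against a list of DHCP servers specified in DHCPServers.txt (one server per line)
For /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('netsh dhcp server \\%i show scope ^| find /i "active"') do netsh dhcp server \\%i scope %j show clientsv5
# DHCP Server Active Scope Info
For /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active"
# Resolve DHCP clients hostnames
# DHCPClientSubnets.txt is a placeholder for the saved output of the "Find Subnets from DHCP clients" one-liner (not in this file); expects subnet,ip,mac per line
for /f "tokens=1,2,3 delims=," %i in (DHCPClientSubnets.txt) do @for /f "tokens=2 delims=: " %m in ('nslookup %j ^| find /i "Name:"') do echo %m,%j,%k,%i
# Find two online PCs per subnet
# ResolvedDHCPClients.txt is a placeholder for the saved output of "Resolve DHCP clients hostnames" (hostname,ip,mac,subnet).
# Hits are appended to TwoClientsPerSubnet.txt so that the "LEQ 1" count check really stops at two per subnet.
Echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('find /i "pc" ResolvedDHCPClients.txt') do for /f "tokens=3 skip=1 delims=: " %m in ('Find /i /c "%l" TwoClientsPerSubnet.txt') do If %m LEQ 1 for /f %p in ('ping -n 1 %i ^| find /i /c "(0% loss"') do If %p==1 Echo %i,%j,%k,%l >> TwoClientsPerSubnet.txt
# AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location
# AD Site Information
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter "(objectClass=site)"
# Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0
# Group Membership with user details
dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr
# Total DHCP Scopes
# DHCPServerInfo.txt is a placeholder for the saved output of "DHCP server information".
# The second find strips the "---------- FILENAME" header that find prints when given a file name.
find /i "subnet" DHCPServerInfo.txt | find /i "subnet"
# List domain site Links and Cost
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter "(objectClass=siteLink)"
# Check local system time against Domain time
w32tm /monitor /computers:ForestRootPDC
# Domain Controller Diagnostics
dcdiag /s:%logonserver% /v /e /c
# Domain Replication Bridgeheads
repadmin /bridgeheads
# Replication Failures from KCC
repadmin /failcache
# Inter-site Topology servers per site
Repadmin /istg * /verbose
# Replication latency
repadmin /latency /verbose
# Queued replication requests
repadmin /queue *
# Show connections for a DC
repadmin /showconn *
# Replication summary
Repadmin /replsummary
# Show replication partners
repadmin /showrepl * /all
# All DCs in the forest
repadmin /viewlist *
# ISTG from AD attributes
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator
# Return the object if KCC Intra/Inter site is disabled for each site (options bit 1 = intra-site, bit 16 = inter-site)
Dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"
# Find all connection objects
dsquery * forestRoot -filter "(objectCategory=nTDSConnection)" -attr distinguishedName fromServer whenCreated displayName
# Find all connection schedules (adfind is a third-party tool; the original carried a site-specific base DN, replaced with the placeholder)
adfind -b "cn=Configuration,DC=forestRootDomain" -f "objectcategory=ntdsConnection" cn Schedule -csv
# Software Information for each server, requires psinfo from Microsoft/Sysinternals
# DomainControllers.txt is a placeholder for a file with one DC name per line (e.g. saved from "List all Domain Controllers")
for /f %i in (DomainControllers.txt) do psinfo \\%i & filever \\%i\admin$\explorer.exe \\%i\admin$\system32\vbscript.dll \\%i\admin$\system32\kernel32.dll \\%i\admin$\system32\wbem\winmgmt.exe \\%i\admin$\system32\oleaut32.dll
# Check Terminal Services Delete Temp on Exit flag (the key is "Terminal Server" with a space)
For /f %i in (DomainControllers.txt) do Reg query "\\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit
# For each XP workstation, query the current site and what Group Policy info
# skip=1 drops the "cn" header line that dsquery -attr writes to Workstations.txt
@dsquery * domainroot -filter "(&(objectCategory=Computer)(operatingSystem=Windows XP Professional))" -limit 0 -attr cn > Workstations.txt & @For /f "skip=1" %i in (Workstations.txt) do @ping %i -n 1 >NUL & @if ErrorLevel 0 If NOT ErrorLevel 1 @Echo %i & for /f "tokens=3" %k in ('reg query "\\%i\hklm\software\microsoft\windows\currentversion\grouppolicy\history" /v DCName ^| Find /i "DCName"') do @for /f %m in ('nltest /server:%i /dsgetsite ^| find /i /v "completed successfully"') do @echo %i,%k,%m
# Information on existing GPOs
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath
# Copy all Group Policy .pol files (dry run: prints the copy commands, remove "echo" to execute)
for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%userdnsdomain%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol
# Domain Controller Netlogon entries
for /f %i in ('dsquery server -o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters
# WINS Statistics (WINSServers.txt: comma-separated, server name in column 1 here and column 2 below)
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics
# WINS Record counts per server
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i
# WINS Server Information
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info
# WINS Server Dump
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump
# WINS Static Records per Server
netsh wins server \\LocalWINSServer show database servers={} rectype=1
# Find policy display name given the GUID
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr Name displayName
# Find empty groups
dsquery * -filter "(&(objectCategory=group)(!member=*))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf
# Find remote NIC bandwidth
wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth
# Find remote free physical memory
wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory
# Find remote system information
SystemInfo /s %Computer%
# Disk statistics, including the number of files on the filesystem (read-only without /f)
chkdsk /i /c
# Query IIS web sites
iisweb /s %Server% /query "Default Web Site"
# Check port state and connectivity
portqry -n %server% -e %endpoint% -v
# Forest/Domain Functional Levels (ldifde form; -f con writes to the console)
# %domain% must hold the full DC= path minus the leading "dc=", e.g. build it as %userdnsdomain:.=,DC=%
ldifde -d cn=partitions,cn=configuration,dc=%domain% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f con
# Forest/Domain Functional Levels (dsquery form)
dsquery * cn=partitions,cn=configuration,dc=%domain% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName
# Find the parent of a process
wmic path Win32_Process WHERE Name="notepad.exe" GET Name,ParentProcessId
# Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}
# Find when the AD was installed
dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base
# Enumerate the trusts from the specified domain
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName
# Find a DC for each trusted domain (skip=1 drops the "trustPartner" header line)
for /f "skip=1" %i in ('dsquery * CN=System,DC=domainRoot -filter "(objectClass=trustedDomain)" -attr trustPartner') do nltest /dsgetdc:%i
# Check the notification packages installed on all DCs
# Password-filter DLLs registered here run inside LSASS on every password change; compare the list against your known baseline.
for /f %i in ('dsquery server -o rdn') do @for /f "tokens=4" %m in ('reg query \\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" ^| find /i "Notification"') do @echo %i,%m
# List ACLs in SDDL format (setacl is a third-party tool)
setacl -on %filepath% -ot file -actn list -lst f:sddl
# Find out if a user account is currently enabled or disabled
# %userdnsdomain:.=,DC=% rewrites corp.example.com into corp,DC=example,DC=com, giving the domain DN
dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn
# Find servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0
# Open DS query window
rundll32 dsquery,OpenQueryWindow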