Below you will find a set of commands to help with common tasks. I have a lot more commands in my bag, so feel free to ask in the comments if you need something related to AD/Windows.

Get computer information (model, RAM, etc.)

wmic computersystem get Model,Name,Manufacturer,SystemType,TotalPhysicalMemory,PrimaryOwnerName

Get all domain controllers in a domain – CMD

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

Get all domain controllers in a domain – PowerShell

(Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ } | Select Name

Get disk space (change the C: value for another disk)

Get-WmiObject Win32_LogicalDisk -ComputerName remotecomputer -Filter "DeviceID='C:'" | Foreach-Object {$_.Size,$_.FreeSpace}

Get all global catalogs servers – CMD

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs.Name

Get all global catalogs servers – DNS

nslookup -querytype=SRV _gc._tcp.<domain.com>

Get all global catalogs servers – PowerShell

(Get-ADForest domain.com).GlobalCatalogs

Get AD forest functional level – CMD

dsquery * "CN=Partitions,CN=Configuration,DC=domain,DC=com" -scope base -attr msDS-Behavior-Version
Compare with https://msdn.microsoft.com/en-us/library/cc223742.aspx

Get AD forest functional level – PowerShell

Get-ADForest | Select Name, ForestMode
Compare with https://msdn.microsoft.com/en-us/library/cc223742.aspx

Get AD domain functional level – CMD

dsquery * "DC=domain,DC=com" -scope base -attr msDS-Behavior-Version ntMixedDomain
Compare with https://msdn.microsoft.com/en-us/library/cc223743.aspx

Get AD domain functional level – PowerShell

Get-ADDomain | Select Name, DomainMode
Compare with https://msdn.microsoft.com/en-us/library/cc223743.aspx

Get AD schema version – CMD

dsquery * "CN=Schema,CN=Configuration,DC=domain,DC=com" -scope base -attr objectVersion
or
schupgr

Get AD schema version – PowerShell

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Get all DNS servers

nslookup -querytype=NS <domain.com>

Get all installed software – via sysinternals

\\live.sysinternals.com\tools\Psinfo.exe -s /accepteula > %userprofile%\Desktop\_psinfo.txt

Get all installed software on remote computer – via sysinternals

\\live.sysinternals.com\tools\Psinfo.exe -s /accepteula \\computername > %userprofile%\Desktop\remote_psinfo.txt

Get the DistinguishedName (DN) of the current computer

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" | find /i "OU="

Open Active Directory Users and Computers console on another domain

runas /netonly /user:domain\administrator "mmc dsa.msc /server=<IPAddress>"

Get Active Directory Domain creation date

Get-ADObject -SearchBase (Get-ADForest).PartitionsContainer -LDAPFilter "(&(objectClass=crossRef)(systemFlags=3))" -Property dnsRoot, nETBIOSName, whenCreated | Sort-Object whenCreated | Format-Table dnsRoot, nETBIOSName, whenCreated -AutoSize

Run a remote gpresult

.\PsExec.exe -accepteula \\computername gpresult /R /user:domain\name /p
Note: only the computer part of the gpresult is returned if you don't specify a user.

Check if Active Directory Certificate Services exists – CMD

certutil -dump
or
certutil -config - -ping

Check if Active Directory Certificate Services exists – AD

Check the Users\Cert Publishers AD group

Check if Active Directory Certificate Services exists – graphical

Run AD Sites and Services (dssite.msc) > View > Show services node
Then Services > Public Key Services > Certification Authorities

Check if Active Directory Certificate Services exists – ADSIedit

Run adsiedit.msc. Connect to the Configuration partition > Services > Public Key Services > Enrollment Services
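The ADSIedit and Cert Publishers checks above can be combined into one inventory script. This is an added example, not a command from the original post; it assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the Configuration partition.

```powershell
# Added example: list enterprise CAs published in AD and cross-check them
# against the Cert Publishers group. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Each pKIEnrollmentService object under Enrollment Services is one enterprise CA.
$cas = Get-ADObject -SearchBase $pkiBase `
           -LDAPFilter "(objectClass=pKIEnrollmentService)" `
           -Properties dNSHostName, certificateTemplates, whenCreated `
           -ErrorAction SilentlyContinue

if (-not $cas) {
    Write-Output "No enterprise CA is published under $pkiBase (AD CS not found in AD)."
    return
}

# Cert Publishers should contain the computer account of every CA host.
$publishers = Get-ADGroupMember 'Cert Publishers' | Select-Object -ExpandProperty Name

foreach ($ca in $cas) {
    # Computer object Name is the short host name, so compare on the first DNS label.
    $caHost = ($ca.dNSHostName -split '\.')[0]
    [pscustomobject]@{
        CAName            = $ca.Name
        Host              = $ca.dNSHostName
        Created           = $ca.whenCreated
        TemplateCount     = @($ca.certificateTemplates).Count
        InCertPublishers  = ($publishers -contains $caHost)
    }
}

# Members of Cert Publishers that are not a known CA host deserve a look.
$caHosts = $cas | ForEach-Object { ($_.dNSHostName -split '\.')[0] }
$publishers | Where-Object { $caHosts -notcontains $_ } |
    ForEach-Object { Write-Output "Cert Publishers member '$_' is not a published CA host" }
```

Run it from an elevated PowerShell session on a domain member; the table lists the CAs and the trailing lines flag any mismatch between the published CAs and the group membership.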

Get all certificates from the ADCS – CMD

certutil -view -out "RequesterName,NotAfter,NotBefore,CertificateTemplate"
