Searching using the script

Save Below script as function.ps1

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    # Get the PDC (Primary Domain Controller) name
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

    # Get the Distinguished Name of the current domain
    $DistinguishedName = ([adsi]'').distinguishedName

    # Create a new DirectoryEntry object for the LDAP search
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    # Create a DirectorySearcher object with the DirectoryEntry and LDAP query
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    # Execute the search and return the results
    return $DirectorySearcher.FindAll()
}

# Load the script using below command:
powershell -ep bypass
Import-Module .\function.ps1

# We can use script in below manner.
# To search for sam account type:
LDAPSearch -LDAPQuery "(samAccountType=805306368)"

# to list all the groups in the domain
LDAPSearch -LDAPQuery "(objectclass=group)"

# To enumerate every group available in the domain and also display the user members.
foreach ($group in $(LDAPSearch -LDAPQuery "objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}

# Output will remain same as above command output but it will be in beutified manner:
# Example:
$sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
$sales.properties.member
# using above command we can get list of members of particular group.

PreviousGeneral way NextUsing PowerView Tool to do enumeration

Last updated 1 year ago