Adfind 常用命令
2022-03-14 17:32:30
下载地址
http://www.joeware.net/freetools/tools/adfind/index.htm
常用命令
查找受 AD 保护的域中的所有用户
Adfind.exe -b DC=domain,DC=com -f "&(objectcategory=person)(samaccountname=*)(admincount=1)" -dn查找域中受 AD 保护的所有组
Adfind.exe -b DC=domain,DC=com -f "&(objectcategory=group)(admincount=1)" -dn查看域管账户
AdFind -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn列出域控制器名称
Adfind.exe -sc dclist查看域控版本
Adfind.exe -schema -s base objectversion查看域内在线的计算机
AdFind.exe -sc computers_active name operatingSystem查看域内 GPO 信息
Adfind.exe -sc gpodmp非约束委派
查询用户
AdFind.exe -b "DC=merak,DC=local" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName查询主机
AdFind.exe -b "DC=merak,DC=local" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName约束委派
查询用户
AdFind.exe -b "DC=merak,DC=local" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto查询主机
AdFind.exe -b "DC=merak,DC=local" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto查看域内高权限的 SPN 服务主体名称
Adfind.exe -b "dc=merak,dc=local" -f "&(servicePrincipalName=*)(admincount=1)" servicePrincipalName查看可 AS-REP Roasting 用户
Adfind.exe -b "dc=merak,dc=local" -f "useraccountcontrol:1.2.840.113556.1.4.803:=4194304" -dn导出整个域的 ACL
Adfind.exe -sc getacls -sddlfilter ;;;;; -recmute