# Powerview

{% tabs %}
{% tab title="Windows" %}
Though the commands below give a good representation of those that usually come in most useful for me, they only scratch the surface of what PowerView can do. [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) is available here.

```powershell
# Get all users in the current domain
Get-DomainUser | select -ExpandProperty cn

# Get all computers in the current domain
Get-DomainComputer

# Get all domains in current forest
Get-ForestDomain

# Get domain/forest trusts
Get-DomainTrust
Get-ForestTrust

# Get information for the DA group
Get-DomainGroup "Domain Admins"

# Find members of the DA group
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername

# Find interesting shares in the domain, ignore default shares, and check access
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess

# Get OUs for current domain
Get-DomainOU -FullData

# Get computers in an OU
# %{} is a looping statement
Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname

# Get GPOs applied to a specific OU
Get-DomainOU *WS* | select gplink
Get-DomainGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"

# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName, GroupName, GroupMemberOf, GroupMembers

# Get the computers where users are part of a local group through a GPO restricted group
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

# Find principals that can create new GPOs in the domain
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=targetdomain,DC=com" -ResolveGUIDs | ?{ $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier

# Find principals that can link GPOs to OUs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier

# Get incoming ACL for a specific object
# (Get-DomainObjectAcl reports the trustee as SecurityIdentifier; it has no IdentityReference property)
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select SecurityIdentifier,ActiveDirectoryRights

# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft

# Get interesting outgoing ACLs for a specific user or group
# ?{} is a filter statement; Find-InterestingDomainAcl exposes the trustee as IdentityReferenceName
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights
```
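Added example, not code from the original page or from PowerView itself: instead of copying GUIDs out of `gplink` by hand, parse the attribute and resolve every GPO linked to an OU, including whether each link is enforced or disabled. Assumes PowerView is already loaded and an OU named "Workstations" (hypothetical name).

```powershell
# Added example: resolve the GPOs linked to an OU by parsing its gPLink attribute.
# Assumes PowerView is loaded; "Workstations" is a hypothetical OU name.
function Get-OULinkedGpo {
    param(
        [Parameter(Mandatory)][string]$OUName
    )
    # gPLink holds zero or more entries of the form
    #   [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
    # where <options> is a bit field: 1 = link disabled, 2 = link enforced.
    $pattern = '\[LDAP://cn=(\{[0-9A-Fa-f-]+\}),[^;]+;(\d+)\]'

    Get-DomainOU -Identity $OUName | ForEach-Object {
        $ou = $_
        foreach ($m in [regex]::Matches([string]$ou.gplink, $pattern)) {
            $guid    = $m.Groups[1].Value
            $options = [int]$m.Groups[2].Value
            # Get-DomainGPO accepts the {GUID} form as -Identity
            $gpo     = Get-DomainGPO -Identity $guid
            [pscustomobject]@{
                OU             = $ou.distinguishedname
                GpoGuid        = $guid
                DisplayName    = $gpo.displayname
                Enforced       = [bool]($options -band 2)
                LinkEnabled    = -not [bool]($options -band 1)
                GpcFileSysPath = $gpo.gpcfilesyspath
            }
        }
    }
}

Get-OULinkedGpo -OUName "Workstations" | Format-Table -AutoSize
```

Only links set directly on the OU are listed; GPOs linked at parent OUs, the domain root or the site still apply to its computers unless inheritance is blocked, so check those containers the same way when auditing effective policy.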

{% endtab %}

{% tab title="UNIX" %}
[Pywerview](https://github.com/the-useless-one/pywerview): a Python rewrite of PowerView's functionality, built on the [impacket](https://github.com/SecureAuthCorp/impacket) library.

```
$ pywerview.py --help
usage: pywerview.py [-h]
                    {get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter}
                    ...

Rewriting of some PowerView's functionalities in Python

optional arguments:
  -h, --help            show this help message and exit

Subcommands:
  Available subcommands

  {get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter}
    get-adobject        Takes a domain SID, samAccountName or name, and return the associated object
    get-adserviceaccount
                        Returns a list of all the gMSA of the specified domain. To retrieve passwords,
                        you need a privileged account and a TLS connection to the LDAP server (use the
                        --tls switch).
    get-objectacl       Takes a domain SID, samAccountName or name, and return the ACL of the
                        associated object
    get-netuser         Queries information about a domain user
    get-netgroup        Get a list of all current domain groups, or a list of groups a domain user is
                        member of
    get-netcomputer     Queries informations about domain computers
    get-netdomaincontroller
                        Get a list of domain controllers for the given domain
    get-netfileserver   Return a list of file servers, extracted from the domain users' homeDirectory,
                        scriptPath, and profilePath fields
    get-dfsshare        Return a list of all fault tolerant distributed file systems for a given domain
    get-netou           Get a list of all current OUs in the domain
    get-netsite         Get a list of all current sites in the domain
    get-netsubnet       Get a list of all current subnets in the domain
    get-netdomaintrust  Returns a list of all the trusts of the specified domain
    get-netgpo          Get a list of all current GPOs in the domain
    get-netpso          Get a list of all current PSOs in the domain
    get-domainpolicy    Returns the default domain or DC policy for the queried domain or DC
    get-gpttmpl         Helper to parse a GptTmpl.inf policy file path into a custom object
    get-netgpogroup     Parses all GPOs in the domain that set "Restricted Group" or "Groups.xml"
    find-gpocomputeradmin
                        Takes a computer (or OU) and determine who has administrative access to it via
                        GPO
    find-gpolocation    Takes a username or a group name and determine the computers it has
                        administrative access to via GPO
    get-netgroupmember  Return a list of members of a domain group
    get-netsession      Queries a host to return a list of active sessions on the host (you can use
                        local credentials instead of domain credentials)
    get-localdisks      Queries a host to return a list of active disks on the host (you can use local
                        credentials instead of domain credentials)
    get-netdomain       Queries a host for available domains
    get-netshare        Queries a host to return a list of available shares on the host (you can use
                        local credentials instead of domain credentials)
    get-netloggedon     This function will execute the NetWkstaUserEnum RPC call to query a given host
                        for actively logged on users
    get-netlocalgroup   Gets a list of members of a local group on a machine, or returns every local
                        group. You can use local credentials instead of domain credentials, however,
                        domain credentials are needed to resolve domain SIDs.
    invoke-checklocaladminaccess
                        Checks if the given user has local admin access on the given host
    get-netprocess      This function will execute the 'Select * from Win32_Process' WMI query to a
                        given host for a list of executed process
    get-userevent       This function will execute the 'SELECT * from Win32_NTLogEvent' WMI query to a
                        given host for a list of executed process
    invoke-userhunter   Finds which machines domain users are logged into
    invoke-processhunter
                        Searches machines for processes with specific name, or ran by specific users
    invoke-eventhunter  Searches machines for events with specific name, or ran by specific users
```

{% endtab %}
{% endtabs %}
