List all users
To do this we select all the users ((objectClass=user)) and all the people ((objectClass=person)) of the LDAP:
(&(objectCategory=person)(objectClass=user)) List of all kerberoastables users
To do this we select all the users ((objectClass=user)) having a Service Principal Name (SPN) defined ((servicePrincipalName=*)) and we remove from our results:
- The user
krbtgt(which by definition has an SPN) with the filter(!(cn=krbtgt)). - Disabled users, with the filter
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Which gives us:
(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) List of all asrep-roastables users
To do this we select all the users ((objectClass=user)) that have "Do not require Kerberos preauthentication" flag set in their userAccountControl:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) Find all Users that need to change password on next login.
(&(objectCategory=user)(pwdLastSet=0)) Find all Users that are almost Locked-Out
(&(objectCategory=user)(badPwdCount>=4)) Find all Users with *pass* or *pwd* in their description
(&(objectCategory=user)(|(description=*pass*)(description=*pwd*))) List of all users protected by adminCount
The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.
(&(objectCategory=user)(adminCount=1)) Groups
List all groups
(objectCategory=group) List of all groups protected by adminCount
The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.
(&(objectCategory=group)(adminCount=1)) Services
Listing all servicePrincipalName
(servicePrincipalName=*) Listing specific services from their servicePrincipalName
To list specific services, we can use the beginning of the servicePrincipalName attribute:
(servicePrincipalName=http/*) Here is a few examples of servicePrincipalName:
ldap/DC01.LAB.localkadmin/changepw(of kerberos serviceCN=krbtgt,CN=Users,DC=LAB,DC=local)MSSQLSvc/DC01.LAB.local
Computers
Listing all computers with a given Operating System
For example to list all the machines under Windows XP:
(&(objectCategory=Computer)(operatingSystem=Windows XP*)) With operatingSystem in:
Windows Server 2022*Windows Server 2019*Windows Server 2016*Windows Server 2008*Windows 11*Windows 10*Windows 8*Windows 7*Windows Vista*Windows XP*Windows Server 2003*Windows 2000*
Find all Workstations
(sAMAccountType=805306369) Find all computers having a KeyCredentialLink
This is useful to check for shadow credentials on machine accounts:
(&(objectClass=computer)(msDS-KeyCredentialLink=*)) Find all computers having an Obsolete OS
(&(objectCategory=Computer)(|(operatingSystem=Windows 2000*)(operatingSystem=Windows Vista*)(operatingSystem=W
