@joshfinley
Last active May 15, 2025 00:17

LDAP/Active Directory Query Cheat Sheet

LDAP Query Basics

LDAP Filter Syntax

  • Operators come first: AND (&), OR (|), NOT (!)
  • All clauses are wrapped in parentheses
  • Example: (&(A)(B)) for "A AND B"
  • Equality: = (e.g., (objectClass=user))
  • Extended matching rules: := (used with OIDs)

Basic Structure

(attribute=value)              # Basic equality
(&(attribute1=value1)(attribute2=value2))  # AND
(|(attribute1=value1)(attribute2=value2))  # OR
(!(attribute=value))           # NOT
(attribute:OID:=value)         # Extended matching rule
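To make the grammar above concrete, here is a small filter parser and evaluator. It is an added example written for this page, not code from the gist: it handles the AND/OR/NOT nesting, simple equality with the `*` wildcard, presence tests, RFC 4515 `\XX` escapes, and the two Active Directory bitwise rules (`1.2.840.113556.1.4.803` for "all bits set", `1.2.840.113556.1.4.804` for "any bit set") that the UAC filters further down rely on. The entries it searches are a constructed in-memory sample (made-up DNs, UAC values and SPN), and the treatment of `objectCategory=Person` as shorthand for the schema DN mimics what a domain controller does.

```python
import re

# Active Directory extensible-match rule OIDs used throughout the cheat sheet
BIT_AND = "1.2.840.113556.1.4.803"   # every bit in the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"    # at least one bit in the mask is set

# attr=value  or  attr:OID:=value  (the text inside one pair of parentheses)
_ITEM = re.compile(r"^([A-Za-z][\w.-]*)(?::([\d.]+):)?=(.*)$", re.S)

def _unescape(value):
    """Undo RFC 4515 \\XX hex escapes, e.g. \\2a for a literal '*'."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, i=0):
    """Recursive-descent parse of the parenthesised filter starting at text[i].
    Returns (node, index just past the closing parenthesis)."""
    if text[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i:i + 1] in ("&", "|"):                # AND / OR take zero or more clauses
        op, i, children = text[i], i + 1, []
        while text[i:i + 1] == "(":
            child, i = parse_filter(text, i)
            children.append(child)
        node = (op, children)
    elif text[i:i + 1] == "!":                     # NOT takes exactly one clause
        child, i = parse_filter(text, i + 1)
        node = ("!", child)
    else:                                          # simple or extensible item
        end = text.index(")", i)                   # a ')' inside a value is escaped as \29
        m = _ITEM.match(text[i:end])
        if not m:
            raise ValueError(f"bad filter item: {text[i:end]!r}")
        attr, rule, value = m.groups()
        node, i = ("=", attr, rule, value), end
    if text[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _value_regex(value):
    """'*' is the only LDAP wildcard; everything else is literal once unescaped,
    so an escaped \\2a stays a literal asterisk and cannot widen the match."""
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.I | re.S)

def _attr_values(entry, attr):
    """Case-insensitive lookup returning a list. For objectCategory, AD accepts the
    bare schema class name (Person) as well as the full schema DN, so both are offered."""
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    vals = [vals] if isinstance(vals, str) else list(vals)
    if attr.lower() == "objectcategory":
        vals += [v.split(",")[0].split("=", 1)[1] for v in vals if "=" in v]
    return vals

def matches(node, entry):
    """Evaluate a parsed filter node against one entry (dict attr -> list of str)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    vals = _attr_values(entry, attr)
    if rule is None:
        if value == "*":                           # presence test, e.g. (servicePrincipalName=*)
            return bool(vals)
        rx = _value_regex(value)
        return any(rx.match(v) for v in vals)
    mask = int(_unescape(value))
    if rule == BIT_AND:
        return any(int(v) & mask == mask for v in vals)
    if rule == BIT_OR:
        return any(int(v) & mask for v in vals)
    raise ValueError(f"unsupported matching rule {rule}")

PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example"
COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory; DNs, UAC values and the SPN are made up for this example
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,OU=IT,DC=corp,DC=example", "objectClass": USER_CLASSES,
     "objectCategory": [PERSON], "userAccountControl": ["512"]},
    {"dn": "CN=bob,OU=IT,DC=corp,DC=example", "objectClass": USER_CLASSES,
     "objectCategory": [PERSON], "userAccountControl": ["514"]},         # 512 + ACCOUNTDISABLE
    {"dn": "CN=svc-sql,OU=Services,DC=corp,DC=example", "objectClass": USER_CLASSES,
     "objectCategory": [PERSON], "userAccountControl": ["66048"],       # 512 + DONT_EXPIRE_PASSWORD
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"dn": "CN=WS01,CN=Computers,DC=corp,DC=example", "objectClass": USER_CLASSES + ["computer"],
     "objectCategory": [COMPUTER], "userAccountControl": ["4096"]},     # WORKSTATION_TRUST_ACCOUNT
]

def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries that match filter_text, in directory order."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after the filter")
    return [e["dn"] for e in entries if matches(node, e)]

if __name__ == "__main__":
    for f in ("(objectClass=user)", "(&(objectCategory=Person)(objectClass=user))",
              "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"):
        print(f, "->", search(f))
```

Running it shows why `(objectClass=user)` alone over-counts: the computer object matches too, and only `(&(objectCategory=Person)(objectClass=user))` narrows to people. The escape handling is the part to copy when user input ends up inside a filter: an attacker-supplied `*` or `)` must be encoded as `\2a` or `\29` before it is concatenated, or the filter means something else.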

PowerShell AD Module Commands

Basic User and Group Queries

# Get all users
Get-ADUser -Filter *

# Get specific user
Get-ADUser -Identity "username"

# Get group members
Get-ADGroupMember -Identity "GroupName"

# List the members of a specific group (here DNSAdmins)
Get-ADGroupMember -Identity "DNSAdmins"

# Get all properties of a user
Get-ADUser -Identity "username" -Properties *

# Get group information
Get-ADGroup -Identity "GroupName"

Using LDAP Filters in PowerShell

# Find disabled users
Get-ADObject -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Find users in specific OU (LDAP syntax goes to -LDAPFilter; -Filter expects PowerShell syntax such as 'objectCategory -eq "Person"')
Get-ADObject -SearchBase "OU=IT,OU=Employees,DC=DOMAIN,DC=LOCAL" -SearchScope SubTree -LDAPFilter "(objectCategory=Person)"

# Find users with specific attribute
Get-ADObject -LDAPFilter "(&(objectCategory=Person)(description=*))"

# Count objects (note: objectClass=user also matches computer objects; add (objectCategory=Person) to count people only)
(Get-ADObject -LDAPFilter '(objectClass=user)').Count

# Get specific properties
Get-ADObject -LDAPFilter '(objectClass=user)' -Properties Name,Description | Select Name,Description

Common LDAP Filters

User Queries

(objectClass=user)             # All user objects (also matches computers, which inherit from user)
(objectCategory=Person)        # All people (users and contacts; differs slightly from objectClass=user)
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))   # Disabled users
(&(objectClass=user)(servicePrincipalName=*))   # Users with SPNs
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))   # DONT_REQ_PREAUTH (AS-REP roastable)
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))   # TRUSTED_FOR_DELEGATION
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=128))  # ENCRYPTED_TEXT_PWD_ALLOWED
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))   # PASSWD_NOTREQD
(&(objectClass=user)(adminCount=1))   # AdminSDHolder-protected accounts (current or former members of protected admin groups)

Computer Queries

(objectCategory=Computer)      # All computers
(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))   # Domain controllers
(&(objectCategory=Computer)(name=*WS*))   # Computers with name containing "WS"

Group Queries

(objectCategory=Group)         # All groups
(&(objectCategory=Group)(adminCount=1))   # AdminSDHolder-protected (admin) groups

Nested Membership Queries

# Find groups a user is a member of (including nested groups)
(member:1.2.840.113556.1.4.1941:=CN=Username,OU=Users,DC=DOMAIN,DC=LOCAL)

# Find users who are members of a group (direct)
(memberOf=CN=GroupName,CN=Users,DC=DOMAIN,DC=LOCAL)

# Find all objects that are members of a group (including nested)
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupName,CN=Users,DC=DOMAIN,DC=LOCAL)
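The 1.2.840.113556.1.4.1941 rule (LDAP_MATCHING_RULE_IN_CHAIN) makes the server walk the nesting graph for you. The following added example, written for this page rather than taken from the gist, reproduces the three queries above over a constructed group graph so the difference between direct `memberOf` and the transitive rule is visible; all DNs are made up. The sample deliberately contains a nesting cycle (Helpdesk is a member of Tier2 and vice versa), which AD allows and which a naive recursive walk would loop on.

```python
# Constructed group graph: group DN -> direct member DNs (users or groups). It
# contains a nesting cycle (Helpdesk <-> Tier2), which AD permits, so the walk
# must track visited nodes or it would never terminate.
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
TIER0 = "CN=Tier0 Ops,OU=Groups,DC=corp,DC=example"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=corp,DC=example"
TIER2 = "CN=Tier2,OU=Groups,DC=corp,DC=example"
ALICE = "CN=alice,OU=IT,DC=corp,DC=example"
BOB = "CN=bob,OU=IT,DC=corp,DC=example"
CAROL = "CN=carol,OU=IT,DC=corp,DC=example"
SVC_BACKUP = "CN=svc-backup,OU=Services,DC=corp,DC=example"

MEMBERS = {
    DOMAIN_ADMINS: [TIER0, ALICE],
    TIER0: [SVC_BACKUP],
    HELPDESK: [TIER2, BOB],
    TIER2: [HELPDESK, CAROL],
}


def _reachable(start, adjacency):
    """Depth-first walk over adjacency from start; returns every node reached,
    excluding start itself, each exactly once even when the graph has cycles."""
    seen, stack, found = {start}, [start], []
    while stack:
        for nxt in adjacency.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                found.append(nxt)
                stack.append(nxt)
    return sorted(found)


def direct_members(group, members=MEMBERS):
    """What (memberOf=group) returns: objects listed in the group's member attribute."""
    return sorted(members.get(group, []))


def transitive_members(group, members=MEMBERS):
    """What (memberOf:1.2.840.113556.1.4.1941:=group) returns: objects that are
    members directly or through any depth of nested groups."""
    return _reachable(group, members)


def transitive_groups(dn, members=MEMBERS):
    """What (member:1.2.840.113556.1.4.1941:=dn) returns: every group that contains
    dn directly or via nesting. Built from the reverse (memberOf) adjacency."""
    reverse = {}
    for group, dns in members.items():
        for member in dns:
            reverse.setdefault(member, []).append(group)
    return _reachable(dn, reverse)


def effective_principals(group, members=MEMBERS):
    """Non-group objects that ultimately hold the group's rights: the list a
    privileged-access review actually cares about."""
    return [dn for dn in transitive_members(group, members) if dn not in members]


if __name__ == "__main__":
    print("direct:", direct_members(DOMAIN_ADMINS))
    print("nested:", transitive_members(DOMAIN_ADMINS))
    print("principals:", effective_principals(DOMAIN_ADMINS))
    print("groups of carol:", transitive_groups(CAROL))
```

`effective_principals` is the defender's view: a service account two levels down in Tier0 Ops is a Domain Admin for all practical purposes, and a direct `memberOf` query would never show it. In a real domain the chain rule is also expensive on large groups, so scope it with a `-SearchBase` where possible.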

UserAccountControl Flags

Common UAC Flag Values

SCRIPT                          = 1
ACCOUNTDISABLE                  = 2
HOMEDIR_REQUIRED                = 8
LOCKOUT                         = 16
PASSWD_NOTREQD                  = 32
PASSWD_CANT_CHANGE              = 64
ENCRYPTED_TEXT_PWD_ALLOWED      = 128
NORMAL_ACCOUNT                  = 512
INTERDOMAIN_TRUST_ACCOUNT       = 2048
WORKSTATION_TRUST_ACCOUNT       = 4096
SERVER_TRUST_ACCOUNT            = 8192
DONT_EXPIRE_PASSWORD            = 65536
MNS_LOGON_ACCOUNT               = 131072
SMARTCARD_REQUIRED              = 262144
TRUSTED_FOR_DELEGATION          = 524288
NOT_DELEGATED                   = 1048576
USE_DES_KEY_ONLY                = 2097152
DONT_REQ_PREAUTH                = 4194304
PASSWORD_EXPIRED                = 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  = 16777216
PARTIAL_SECRETS_ACCOUNT         = 67108864

Common Combined Values

NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD = 65536 + 512 = 66048
NORMAL_ACCOUNT + ENCRYPTED_TEXT_PWD_ALLOWED = 512 + 128 = 640
NORMAL_ACCOUNT + SMARTCARD_REQUIRED = 512 + 262144 = 262656
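The combined values above are just bit sums, so any exported userAccountControl integer can be split back into flag names. The following added example (written for this page; not code from the gist) decodes and encodes values with the table above, reproduces the 803/804 bitwise rules in Python so you can check a filter's logic before running it against a domain controller, and runs a small review over constructed sample rows; the account names and the "risky flag" list are assumptions for the example, and the exemption of domain controllers from the delegation finding reflects that DCs normally carry TRUSTED_FOR_DELEGATION.

```python
# userAccountControl bit flags as listed in the cheat sheet (AD schema values)
UAC_FLAGS = {
    "SCRIPT": 1, "ACCOUNTDISABLE": 2, "HOMEDIR_REQUIRED": 8, "LOCKOUT": 16,
    "PASSWD_NOTREQD": 32, "PASSWD_CANT_CHANGE": 64, "ENCRYPTED_TEXT_PWD_ALLOWED": 128,
    "NORMAL_ACCOUNT": 512, "INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "WORKSTATION_TRUST_ACCOUNT": 4096, "SERVER_TRUST_ACCOUNT": 8192,
    "DONT_EXPIRE_PASSWORD": 65536, "MNS_LOGON_ACCOUNT": 131072,
    "SMARTCARD_REQUIRED": 262144, "TRUSTED_FOR_DELEGATION": 524288,
    "NOT_DELEGATED": 1048576, "USE_DES_KEY_ONLY": 2097152, "DONT_REQ_PREAUTH": 4194304,
    "PASSWORD_EXPIRED": 8388608, "TRUSTED_TO_AUTH_FOR_DELEGATION": 16777216,
    "PARTIAL_SECRETS_ACCOUNT": 67108864,
}
_KNOWN_MASK = sum(UAC_FLAGS.values())

# Flags that weaken authentication or enable delegation (assumed review list)
RISKY_FLAGS = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "USE_DES_KEY_ONLY",
               "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first; bits the
    table does not cover are reported as UNKNOWN_0x... rather than silently dropped."""
    names = [n for n, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]
    unknown = value & ~_KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def encode_uac(*names):
    """Combine flag names into the integer the attribute stores (e.g. 512 + 65536)."""
    return sum(UAC_FLAGS[n] for n in names)


def matches_rule_803(value, mask):
    """Semantics of userAccountControl:1.2.840.113556.1.4.803:=mask (all mask bits set)."""
    return value & mask == mask


def matches_rule_804(value, mask):
    """Semantics of the 1.2.840.113556.1.4.804 rule (any mask bit set)."""
    return value & mask != 0


def review_accounts(rows):
    """rows: (sAMAccountName, userAccountControl) pairs such as a CSV export of
    Get-ADUser -Properties userAccountControl. Returns {account: {"enabled": bool,
    "risky": [flags]}} for accounts carrying at least one risky flag. Domain
    controllers (SERVER_TRUST_ACCOUNT) legitimately carry TRUSTED_FOR_DELEGATION,
    so that flag is not reported for them."""
    report = {}
    for account, uac in rows:
        flags = set(decode_uac(int(uac)))
        risky = flags & RISKY_FLAGS
        if "SERVER_TRUST_ACCOUNT" in flags:
            risky.discard("TRUSTED_FOR_DELEGATION")
        if risky:
            report[account] = {"enabled": "ACCOUNTDISABLE" not in flags,
                               "risky": sorted(risky)}
    return report


# Constructed sample rows; names and values are made up for this example
SAMPLE_ROWS = [
    ("alice", 512),                      # NORMAL_ACCOUNT only
    ("svc-legacy", 512 + 65536 + 128),   # reversible encryption enabled
    ("svc-web", 512 + 65536 + 4194304),  # Kerberos pre-authentication disabled
    ("contractor", 512 + 32 + 2),        # no password required, but disabled
    ("DC01$", 8192 + 524288),            # domain controller, delegation expected
]

if __name__ == "__main__":
    print(66048, "->", decode_uac(66048))
    for account, finding in review_accounts(SAMPLE_ROWS).items():
        print(account, finding)
```

Disabled accounts are kept in the report with `enabled: False` rather than dropped, because a disabled account with PASSWD_NOTREQD becomes a finding the moment someone re-enables it.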

UAC LDAP Filter Examples

# Find accounts requiring smartcard
(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=262144))

# Find accounts with non-expiring passwords
(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=65536))

# Find accounts with reversible encryption
(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=128))

LDAP Search Scopes

# Search Scopes:
# Base = 0 (just the OU itself, no members)
# OneLevel = 1 (direct children only)
# SubTree = 2 (all descendants)

# Search only the specified OU
Get-ADObject -SearchBase "OU=IT,OU=Employees,DC=DOMAIN,DC=LOCAL" -SearchScope Base -Filter *

# Search direct children of the OU
Get-ADObject -SearchBase "OU=IT,OU=Employees,DC=DOMAIN,DC=LOCAL" -SearchScope OneLevel -Filter *

# Search the OU and all sub-OUs
Get-ADObject -SearchBase "OU=IT,OU=Employees,DC=DOMAIN,DC=LOCAL" -SearchScope SubTree -Filter *

# Count objects in an OU (LDAP syntax goes to -LDAPFilter, not -Filter)
(Get-ADObject -SearchBase "OU=IT,OU=Employees,DC=DOMAIN,DC=LOCAL" -SearchScope SubTree -LDAPFilter "(objectCategory=Person)").Count

Linux LDAP Tools

ldapsearch (OpenLDAP)

# Anonymous bind for public info
ldapsearch -x -H ldap://DOMAIN-CONTROLLER -b "DC=DOMAIN,DC=LOCAL" "(objectClass=domain)"

# Authenticated search (-w leaves the password in shell history and process listings; -W prompts for it instead, and -ZZ requires StartTLS so the simple bind is not sent in the clear)
ldapsearch -x -H ldap://DOMAIN-CONTROLLER -b "DC=DOMAIN,DC=LOCAL" -D "CN=username,CN=Users,DC=DOMAIN,DC=LOCAL" -w 'password' "(objectClass=user)"

# Find domain functional level
ldapsearch -x -H ldap://DOMAIN-CONTROLLER -b "DC=DOMAIN,DC=LOCAL" "(objectClass=domain)" msDS-Behavior-Version

# Filter for specific attributes
ldapsearch -x -H ldap://DOMAIN-CONTROLLER -b "DC=DOMAIN,DC=LOCAL" -s base "(objectclass=*)" minPwdLength

# Find users with specific properties
ldapsearch -x -H ldap://DOMAIN-CONTROLLER -b "DC=DOMAIN,DC=LOCAL" -D "CN=username,CN=Users,DC=DOMAIN,DC=LOCAL" -w 'password' -s sub "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))" samaccountname
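ldapsearch prints LDIF, and the base-scope query for minPwdLength above is typically the input to a policy check. The following added example (written for this page, not part of the gist) is a small LDIF parser that copes with the things ldapsearch output actually contains: comment lines, a value folded onto a continuation line, a `::` base64-encoded value, and the `search:`/`result:` trailer after the last entry. The embedded output is constructed (made-up domain and values), and the 14-character baseline in `check_password_policy` is an assumption.

```python
import base64

# Constructed ldapsearch output: the shape of a base-scope query for password-policy
# attributes. The domain, values and description are made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=corp,DC=example> with scope baseObject
# filter: (objectclass=*)
# requesting: minPwdLength lockoutThreshold description
#

# corp.example
dn: DC=corp,DC=example
minPwdLength: 7
lockoutThreshold: 0
description:: Q29ycCBkaXJl
 Y3Rvcnk=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of entries, each a dict mapping an
    attribute to its list of values (dn is kept as a plain string). Handles
    comments, folded continuation lines, '::' base64 values and the trailing
    search/result lines ldapsearch prints after the last entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):              # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value}
        elif current is None:                  # 'search: 2' / 'result: 0 Success' trailer
            continue
        else:
            current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_password_policy(entries, min_length=14):
    """Compare the domain head's policy attributes with a baseline and return
    human-readable findings; the 14-character default is an assumption."""
    root = next(e for e in entries if e["dn"].upper().startswith("DC="))
    findings = []
    length = int(root.get("minPwdLength", ["0"])[0])
    if length < min_length:
        findings.append(f"minPwdLength is {length}, baseline is {min_length}")
    if int(root.get("lockoutThreshold", ["0"])[0]) == 0:
        findings.append("lockoutThreshold is 0: accounts never lock out")
    return findings


if __name__ == "__main__":
    for finding in check_password_policy(parse_ldif(SAMPLE_LDIF)):
        print("FINDING:", finding)
```

Pipe real output in with `ldapsearch ... | python3 this_script.py` after replacing `SAMPLE_LDIF` with `sys.stdin.read()`; the parser does not care which attributes were requested, so the same code serves the msDS-Behavior-Version and userAccountControl searches above.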

windapsearch

# Find all users
windapsearch --dc DOMAIN-CONTROLLER -d DOMAIN.LOCAL -u username -p password --users

# Find users with delegation
windapsearch --dc DOMAIN-CONTROLLER -d DOMAIN.LOCAL -u username -p password --delegation

Advanced Queries

Finding Protected Users with SPNs

# Users with SPNs who are also in Protected Users group
Get-ADObject -LDAPFilter "(&(objectClass=User)(servicePrincipalName=*)(memberOf=CN=Protected Users,CN=Users,DC=DOMAIN,DC=LOCAL))" -Properties *

Finding Domain Information

# Domain policy info (password policy)
Get-ADDefaultDomainPasswordPolicy

# Domain functional level
(Get-ADDomain).DomainMode

Administrative Accounts

# Find admin accounts
Get-ADObject -LDAPFilter "(&(objectCategory=person)(objectClass=user)(adminCount=1))"

# Find admin groups
Get-ADObject -LDAPFilter "(&(objectCategory=group)(adminCount=1))"

Performance Tips

LDAP Filters vs PowerShell Filtering

  • LDAP filters are processed on the server side and are much faster
  • PowerShell filtering (Where-Object) happens on the client side after receiving all data

# Slow approach (client-side filtering)
Get-ADUser -Filter * -Properties * | Where-Object servicePrincipalName -ne $null | Where-Object memberOf -Like "*Protected*"

# Fast approach (server-side filtering)
Get-ADObject -LDAPFilter "(&(objectClass=User)(servicePrincipalName=*)(memberOf=CN=Protected Users,CN=Users,DC=DOMAIN,DC=LOCAL))"

Limiting Properties

# Don't request all properties unless needed
Get-ADUser -Identity "username" -Properties Name,Description | Select-Object Name,Description

# Use specific LDAP filter for better performance
Get-ADObject -LDAPFilter "(&(objectCategory=Person)(description=*))" -Properties Name,Description

Performance Comparison Example

# Using Get-ADUser with Where-Object (slow)
Measure-Command { Get-ADUser -Filter * -Properties * | Where-Object servicePrincipalName -ne $null | Where-Object memberOf -Like "*Protected*" }
# Result: ~7 seconds

# Using LDAP filter directly (fast)
Measure-Command { Get-ADObject -LDAPFilter "(&(objectClass=User)(servicePrincipalName=*)(memberOf=CN=Protected Users,CN=Users,DC=DOMAIN,DC=LOCAL))" }
# Result: ~0.02 seconds

Unauthenticated Enumeration

Query RootDSE

ldapsearch -x -H ldap://dc.playground.htb -s base -b ""

Enumerate Users Using Wordlists

./kerbrute userenum --domain playground.htb --dc 10.129.231.17 user-service-wordlist.txt -t 100
# try my wordlist: https://gist.github.com/joshfinley/9ef44f653a78aa10bdb6da6cb3ad57fa