more on JOHLEM.net

=========================== Active Directory Investigation & Troubleshooting Cheat Sheet ===========================
Filename: ad_investigation_cheatsheet.txt

Command                                          | Description
-------------------------------------------------|-------------------------------------------------------------------------------------
Get-ADUser -Identity <username>                  | Retrieve details of a specific user in AD by their username.
Get-ADUser -Filter * -Properties *               | List all users in AD with all their properties.
Get-ADUser -Filter 'Name -like "*John*"'         | Search for users with names like "John" in AD.
Get-ADGroup -Identity <GroupName>                | Retrieve details of a specific AD group by its name.
Get-ADGroupMember -Identity <GroupName>          | List all members of a specific AD group.
Get-ADComputer -Identity <ComputerName>          | Retrieve details of a specific computer in AD.
Get-ADOrganizationalUnit -Filter *               | List all Organizational Units (OUs) in AD.
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=domain,DC=com" | List all users within a specific OU.
Get-ADUser -Identity <username> -Properties lastlogondate | Get the last logon date of a specific user.
Get-ADUser -Identity <username> -Properties LockedOut,Enabled,PasswordExpired | Retrieve account status information such as locked, disabled, etc.
Search-ADAccount -LockedOut                      | Find all locked-out accounts in AD.
Search-ADAccount -AccountDisabled                | Find all disabled accounts in AD.
Unlock-ADAccount -Identity <username>            | Unlock a user account.
Enable-ADAccount -Identity <username>            | Enable a disabled user account.
Disable-ADAccount -Identity <username>           | Disable a user account.
Set-ADUser -Identity <username> -PasswordNeverExpires $true | Set a user's password to never expire.
Get-ADReplicationPartnerMetadata -Target <DCName> | Check the replication status between AD partners.
(Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } | Retrieve a list of all domain controllers in the AD forest.
Repadmin /replsummary                            | Get a summary of AD replication status.
Repadmin /showrepl <DCName>                      | Display the replication status of a specific domain controller.
Repadmin /syncall                                | Force synchronization between all domain controllers.
Get-ADUser -Identity <username> -Properties memberof | List all groups a user is a member of.
Get-ADGroup -Identity "<GroupName>" -Properties memberof | List all groups a specific group is nested in.
Test-ComputerSecureChannel                       | Test the secure channel between the local computer and the domain.
Test-ADServiceAccount -Identity <MSAName>        | Test if a managed service account (MSA) is properly configured.
New-ADUser -Name "John Doe" -SamAccountName "jdoe" | Create a new user in AD with basic attributes.
Remove-ADUser -Identity <username>               | Delete a user from AD.
Add-ADGroupMember -Identity "<GroupName>" -Members "<username>" | Add a user to a specific AD group.
Remove-ADGroupMember -Identity "<GroupName>" -Members "<username>" | Remove a user from a specific AD group.
Get-ADDomain                                     | Retrieve details about the current AD domain.
Get-ADForest                                     | Retrieve details about the current AD forest.
Get-GPO -Name "<GPOName>"                        | Retrieve details about a specific Group Policy Object (GPO).
Backup-GPO -Name "<GPOName>" -Path "<BackupPath>" | Back up a specific GPO to a designated path.
Restore-GPO -Name "<GPOName>" -Path "<BackupPath>" | Restore a specific GPO from a backup.
Invoke-GPUpdate -Computer <ComputerName>         | Force Group Policy update on a specific computer.
Get-GPResultantSetOfPolicy -ReportType Html -Path "<ReportPath>" | Generate an HTML report of the resultant set of policies for a user/computer.
Get-ADUserResultantPasswordPolicy -Identity <username> | Get the resultant password policy for a specific user.
Get-ADFineGrainedPasswordPolicy -Filter *        | Retrieve the fine-grained password policies defined in the domain.
Set-ADUser -Identity <username> -HomeDirectory "\\server\share" -HomeDrive "H:" | Set home directory for a specific user.
Get-ADUser -Identity <username> -Properties whenCreated | Find out when a user account was created.
============================================================================================================