Active Directory runs the enterprise. For a red teamer, querying AD is usually where the real internal recon happens. You learn who has admin rights, where the sensitive servers live, and which accounts nobody’s watching.
BloodHound and PowerView get all the attention, but dsquery and dsget are Microsoft’s own tools. They pull the same data without dropping a PowerShell script that AMSI might flag.
The RSAT problem
dsquery isn’t installed by default on Windows workstations. It’s part of the Remote Server Administration Tools (RSAT). Land on a typical user’s laptop via phishing and you’ll usually get “command not found.”
You’ll normally find it on:
- Domain controllers (always there).
- IT admin workstations (RSAT intentionally installed).
- Jump boxes and management servers.
- Exchange and SQL servers.
Practical dsquery commands
With RSAT on the box (or your own dsquery.exe smuggled in), here’s the bread and butter.
Passwords in description fields
Admins drop temporary passwords into the description field more often than they should.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(description=*pass*))" -attr samid description
Stale accounts
Accounts that haven’t logged in for months are good takeover candidates. Nobody’s going to notice them moving around.
:: Users inactive for more than 4 weeks
dsquery user -inactive 4
High-value groups
Who are the Domain Admins?
dsquery group -name "Domain Admins" | dsget group -members
The pipe passes the DN (Distinguished Name) from query to get, which expands the member list.
Domain controllers
Useful when you’re planning Zerologon or PetitPotam.
dsquery server -o rdn
SPNs and delegation
The queries above are inventory. These ones are attack prep.
Kerberoastable accounts
If a user account has a Service Principal Name (SPN), you can request a Kerberos ticket and crack the hash offline.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" -attr samid servicePrincipalName
Unconstrained delegation
Servers with unconstrained delegation cache the TGT of anyone who connects to them. If a Domain Admin touches one, you can impersonate them.
The magic number for TRUSTED_FOR_DELEGATION in userAccountControl is 524288 (0x80000). Because userAccountControl is a bit field, the filter needs the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to test that single bit rather than comparing the whole value.
dsquery * -filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -attr samid ipv4Address
adminCount=1
Users with adminCount=1 are (or recently were) members of a protected group like Domain Admins.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" -attr samid
Chaining dsquery and dsget
dsquery finds the object. dsget pulls the attributes you actually want. Pipe them together.
User email addresses
For phishing or password spraying.
dsquery user -name "*Smith*" | dsget user -email
Computer operating systems
For finding the Windows 7 and 2008 boxes nobody patched.
dsquery computer -name "SRV*" | dsget computer -os -samid
When dsquery isn’t there
On a restricted machine without RSAT, use the [ADSISearcher] type accelerator in PowerShell. Same LDAP queries underneath, but it goes through .NET instead of a separate binary. It’s been on every Windows box since Windows 7.
Domain Admins equivalent:
# one filter that keeps the objectCategory restriction (assigning .Filter afterwards would replace it)
$searcher = [adsisearcher]"(&(objectCategory=group)(name=Domain Admins))"
$result = $searcher.FindOne()
$result.GetDirectoryEntry().member
Kerberoasting candidates:
# each result's Properties collection carries samaccountname and serviceprincipalname
([adsisearcher]"(&(objectCategory=user)(servicePrincipalName=*))").FindAll() | Select-Object -ExpandProperty Properties
OPSEC notes
AD enumeration is not silent.
- LDAP traffic. dsquery generates standard LDAP over TCP 389. A workstation pulling back large search responses sticks out if anyone’s watching.
- Microsoft Defender for Identity. MDI (formerly ATA) has a specific alert for “Reconnaissance using Directory Services.” Bulk queries from a non-admin workstation will trip it.
- Honeytokens. A decent blue team plants fake accounts like da_admin. Query for *admin* and you might touch one.
- Event logs. Bulk querying generates generic LDAP events. Precise “who queried what” logging via Event ID 4662 exists, but it’s only useful if SACLs are configured on the objects, and they usually aren’t.
Closing
The tool barely matters. dsquery, PowerView, ADSI, BloodHound — they all build the same LDAP filter under the hood. Learn the filter syntax and you can run recon with whatever happens to be on the box.
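As an added example that is not from the original post, here are the page’s filters collected into a single [adsisearcher] audit a defender can run to inventory the same exposures before anyone else does. It assumes a domain-joined host and a domain account with ordinary read access to the directory; PageSize and PropertiesToLoad are standard DirectorySearcher members.

```powershell
# Added example: the LDAP filters from this page run through [adsisearcher] as a
# defender-side audit. Assumes a domain-joined host and a domain account with
# ordinary read access to the directory. Filters are the ones the page lists.
$checks = @(
    @{ Name = 'Password hint in description'; Filter = '(&(objectCategory=person)(objectClass=user)(description=*pass*))' }
    @{ Name = 'User account with an SPN';     Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' }
    @{ Name = 'Unconstrained delegation';     Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' }
    @{ Name = 'adminCount=1 user';            Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))' }
)

$findings = foreach ($check in $checks) {
    $searcher = [adsisearcher]$check.Filter
    $searcher.PageSize = 500   # paged search: avoids the server-side 1000-object cap on large domains
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'description', 'serviceprincipalname'))
    foreach ($r in $searcher.FindAll()) {
        # every property is a value collection; show the first SPN or description as the detail
        $detail = @($r.Properties['serviceprincipalname']) + @($r.Properties['description'])
        [pscustomobject]@{
            Finding = $check.Name
            Account = [string]$r.Properties['samaccountname'][0]
            Detail  = [string]($detail | Select-Object -First 1)
        }
    }
}

# summary per check first, then the individual objects to review with their owners
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Finding, Account | Format-Table -AutoSize
```

Run it from an admin host where directory queries are expected, since it trips the same MDI reconnaissance alert and honeytoken checks described above.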