# import PowerViewImport-Module C:\tools\PowerView.ps1# find all users that have some type of constrained delegation set([adsisearcher]'(msds-allowedtodelegateto=*)').FindAll() |%{$_.Properties.samaccountname}# find all universal groups in domain.com$Searcher = [ADSISearcher][ADSI]'LDAP://DC=domain,DC=com'$Searcher.Filter ='(groupType:1.2.840.113556.1.4.803:=8)'$Searcher.FindAll() |%{$_.Properties.distinguishedname}# find all users with Kerberos pre-authentication not enabled([adsisearcher]'(userAccountControl:1.2.840.113556.1.4.803:=4194304)').FindAll() | %{"$($_.Properties.name),$($_.Properties.description)"}
# find all kerberoast-able accounts in the forest (users with "serviceprincipalname set) and return SPN and DN$Searcher = [ADSISearcher][ADSI]"GC://domain.com"$Searcher.Filter ='(&(sAMAccountType=805306368)(servicePrincipalName=*))'$Searcher.PropertiesToLoad.AddRange(('distinguishedname','serviceprincipalname'))$Searcher.FindAll() |%{"$($_.Properties.distinguishedname)`t`t$($_.Properties.serviceprincipalname)"}# find the DN of all "privileged" users in the forest([adsisearcher]'(admincount=1)').FindAll() |%{$_.Properties.distinguishedname}