# Search LDAP for misconfigurations

This snippet enumerates LDAP for the following:

1. Users with [Constrained Delegation](https://otter.gitbook.io/red-teaming/notes/kerberos/constrained-delegation) set
2. All universal groups in the domain
3. Users that do not require Kerberos pre-authentication
4. All [kerberoastable](https://otter.gitbook.io/red-teaming/notes/kerberos/kerberoasting) users in the forest
5. All "privileged" users in the domain

```powershell
# import PowerView (optional: the queries below only use the built-in [adsisearcher] accelerator)
Import-Module C:\tools\PowerView.ps1

# note: FindAll() returns at most 1000 results by default unless PageSize is set on the searcher

# find all users that have some type of constrained delegation set (searches the current domain)
([adsisearcher]'(msds-allowedtodelegateto=*)').FindAll() | %{$_.Properties.samaccountname}

# find all universal groups in domain.com (bitwise-AND match on the groupType flag 8)
$Searcher = [ADSISearcher][ADSI]'LDAP://DC=domain,DC=com'
$Searcher.Filter = '(groupType:1.2.840.113556.1.4.803:=8)'
$Searcher.PageSize = 1000   # enable paging so large result sets are not truncated
$Searcher.FindAll() | %{$_.Properties.distinguishedname}

# find all users that do not require Kerberos pre-authentication (DONT_REQ_PREAUTH = 4194304)
([adsisearcher]'(userAccountControl:1.2.840.113556.1.4.803:=4194304)').FindAll() | %{"$($_.Properties.name),$($_.Properties.description)"}

# find all kerberoast-able accounts in the forest (users with "serviceprincipalname" set) and return DN and SPN
# the GC:// provider queries the global catalog, which covers every domain in the forest
$Searcher = [ADSISearcher][ADSI]"GC://domain.com"
$Searcher.Filter = '(&(sAMAccountType=805306368)(servicePrincipalName=*))'
$Searcher.PropertiesToLoad.AddRange(('distinguishedname', 'serviceprincipalname'))
$Searcher.PageSize = 1000   # enable paging so large result sets are not truncated
$Searcher.FindAll() | %{"$($_.Properties.distinguishedname)`t`t$($_.Properties.serviceprincipalname)"}

# find the DN of all "privileged" users in the current domain (adminCount=1)
([adsisearcher]'(admincount=1)').FindAll() | %{$_.Properties.distinguishedname}
```
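
The `groupType` and `userAccountControl` filters above use the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803), which matches an object only when every bit of the filter value is set in the attribute. The following is an added example, not part of the original snippet: it applies the same five checks offline to constructed sample records and pairs each finding with what a defender should review. The names `Test-BitAnd`, `Get-LdapFinding`, `$Review` and all sample accounts are assumptions made for illustration.

```powershell
# Added example: offline evaluation of the five filters over constructed records.
$DONT_REQ_PREAUTH = 0x400000     # 4194304, userAccountControl flag
$UNIVERSAL_GROUP  = 0x8          # groupType flag
$SAM_USER_OBJECT  = 805306368    # sAMAccountType of a normal user account

# Same semantics as matching rule 1.2.840.113556.1.4.803: every mask bit must be set
function Test-BitAnd([long]$Value, [long]$Mask) { ($Value -band $Mask) -eq $Mask }

# What to review for each finding (hypothetical wording, adjust to local policy)
$Review = @{
    ConstrainedDelegation = 'confirm every msDS-AllowedToDelegateTo target is still required'
    UniversalGroup        = 'review membership; it is replicated to the global catalog'
    PreAuthNotRequired    = 'clear DONT_REQ_PREAUTH unless a legacy client depends on it'
    Kerberoastable        = 'use a long random password or move the service to a gMSA'
    AdminCount            = 'confirm the account still needs privileged group membership'
}

function Get-LdapFinding {
    param([Parameter(ValueFromPipeline)] [hashtable]$Entry)
    process {
        $uac    = [long]$Entry['userAccountControl']   # missing attribute -> 0
        $gtype  = [long]$Entry['groupType']            # missing attribute -> 0
        $isUser = $Entry['sAMAccountType'] -eq $SAM_USER_OBJECT
        $hits = @()
        if ($Entry['msDS-AllowedToDelegateTo'])          { $hits += 'ConstrainedDelegation' }
        if (Test-BitAnd $gtype $UNIVERSAL_GROUP)         { $hits += 'UniversalGroup' }
        if (Test-BitAnd $uac $DONT_REQ_PREAUTH)          { $hits += 'PreAuthNotRequired' }
        if ($isUser -and $Entry['servicePrincipalName']) { $hits += 'Kerberoastable' }
        if ($Entry['adminCount'] -eq 1)                  { $hits += 'AdminCount' }
        foreach ($h in $hits) {
            [pscustomobject]@{ Name = $Entry['name']; Finding = $h; Review = $Review[$h] }
        }
    }
}

# Constructed sample records (illustrative names and values, not real accounts)
$sample = @(
    @{ name='svc-web'; sAMAccountType=805306368; userAccountControl=512
       servicePrincipalName='HTTP/web01.domain.com'
       'msDS-AllowedToDelegateTo'='cifs/fs01.domain.com' }
    @{ name='legacy-app'; sAMAccountType=805306368; userAccountControl=4194816 }  # 512 + 4194304
    @{ name='Enterprise Ops'; sAMAccountType=268435456; groupType=-2147483640 }   # universal security group
    @{ name='da-admin'; sAMAccountType=805306368; userAccountControl=512; adminCount=1 }
    @{ name='jdoe'; sAMAccountType=805306368; userAccountControl=512 }            # no findings
)
$sample | Get-LdapFinding | Format-Table -AutoSize -Wrap
```

To run the same triage against real data, feed the function records exported from the directory, one hashtable per object with the attribute names used above.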
