Search LDAP for misconfigurations

This snippet enumerates LDAP for the following

1. Users with Constrained Delegation set

2. All universal groups in the domain

3. Users with Kerberos pre-authentication set

4. Find all kerberoastable users in the forest

5. Find all "privileged" users in the domain

# import PowerView
Import-Module C:\tools\PowerView.ps1

# find all users that have some type of constrained delegation set
([adsisearcher]'(msds-allowedtodelegateto=*)').FindAll() | %{$_.Properties.samaccountname}

# find all universal groups in domain.com
$Searcher = [ADSISearcher][ADSI]'LDAP://DC=domain,DC=com'
$Searcher.Filter = '(groupType:1.2.840.113556.1.4.803:=8)'
$Searcher.FindAll() | %{$_.Properties.distinguishedname}

# find all users with Kerberos pre-authentication not enabled
([adsisearcher]'(userAccountControl:1.2.840.113556.1.4.803:=4194304)').FindAll() | %{"$($_.Properties.name),$($_.Properties.description)"}

# find all kerberoast-able accounts in the forest (users with "serviceprincipalname set) and return SPN and DN
$Searcher = [ADSISearcher][ADSI]"GC://domain.com"
$Searcher.Filter = '(&(sAMAccountType=805306368)(servicePrincipalName=*))'
$Searcher.PropertiesToLoad.AddRange(('distinguishedname', 'serviceprincipalname'))
$Searcher.FindAll() | %{"$($_.Properties.distinguishedname)`t`t$($_.Properties.serviceprincipalname)"}

# find the DN of all "privileged" users in the forest
([adsisearcher]'(admincount=1)').FindAll() | %{$_.Properties.distinguishedname}