# Active Directory Enumeration

* Consists of
    * Domain Controller 
    * Organizational Units
    * AD Domains
    * AD Forest

* Administrative accounts are
    * Domain Admin
    * Enterprise Admin
    * Schema Admin
    * Server Operator
    * Account Operator

## Usage

* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`

### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via 
```sh
ls -d <Domain>
```