Find-LocalAdminAccess -Verbose
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine.
This can also be done with the help of remote administration tools like WMI and PowerShell remoting. That is pretty useful when the ports (RPC and SMB) used by Find-LocalAdminAccess are blocked. See Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1.
1. Find-DomainUserLocation -Verbose
2. Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-DomainGroupMember, gets a list of computers (Get-DomainComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.
Note that from Server 2019 onwards, local administrator privileges are required to list sessions.
Find-DomainUserLocation -CheckAccess
Find-DomainUserLocation -Stealth
Invoke-SessionHunter -FailSafe
The above command doesn't need admin access on remote machines. It uses Remote Registry and queries the HKEY_USERS hive.
Invoke-SessionHunter -NoPortScan -Targets C:\Path\To\servers.txt
An over-reliance on automated tools is not the wisest choice.
We can find domain users from our current foothold too.
net user /domain
We can fetch a specific user's details too.
net user "domain.user" /domain
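A defender's view of the fan-out described above, as an added example that is not part of the original page: Find-LocalAdminAccess and Find-DomainUserLocation contact every machine in turn, so a single source touching the IPC$ named pipes of many hosts within a short window stands out in centrally collected Security event 5145 records. The record layout, the pipe list, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes on IPC$ to watch (assumed list, tune for your environment):
# session/logon queries, Remote Registry, service control manager.
WATCHED_PIPES = {"srvsvc", "wkssvc", "winreg", "svcctl"}

def parse(line):
    """Split one constructed 'time|target|source_ip|share|relative_target' record."""
    ts, target, src, share, pipe = line.strip().split("|")
    return datetime.fromisoformat(ts), target, src, share, pipe.lower()

def find_fanout(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return {source_ip: sorted targets} for sources that reached watched
    pipes on at least min_hosts distinct machines inside one time window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, target, src, share, pipe = parse(line)
        if share.upper().endswith("IPC$") and pipe in WATCHED_PIPES:
            by_src[src].append((ts, target))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_hosts:
                flagged[src] = sorted(set(flagged.get(src, [])) | targets)
    return flagged

# Constructed sample events (not real logs). Event 5145 is only written
# when "Audit Detailed File Share" is enabled on the target hosts.
SAMPLE = [
    "2024-05-01T10:00:01|SRV01|10.0.0.50|\\\\*\\IPC$|srvsvc",
    "2024-05-01T10:00:03|SRV02|10.0.0.50|\\\\*\\IPC$|wkssvc",
    "2024-05-01T10:00:05|SRV03|10.0.0.50|\\\\*\\IPC$|winreg",
    "2024-05-01T10:00:09|SRV04|10.0.0.50|\\\\*\\IPC$|srvsvc",
    "2024-05-01T09:00:00|SRV01|10.0.0.7|\\\\*\\IPC$|winreg",   # admin box,
    "2024-05-01T11:00:00|SRV02|10.0.0.7|\\\\*\\IPC$|winreg",   # spread over
    "2024-05-01T13:00:00|SRV03|10.0.0.7|\\\\*\\IPC$|winreg",   # hours
    "2024-05-01T10:00:02|DC01|10.0.0.9|\\\\*\\SYSVOL|policies",  # not IPC$
]

if __name__ == "__main__":
    for src, targets in find_fanout(SAMPLE).items():
        print(f"{src} reached {len(targets)} hosts: {', '.join(targets)}")
```
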