impacket-getadusers

impacket-getadusers [-h] [-user USERNAME] [-all] [-dc-ip IP] [-dc-host HOSTNAME] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey KEY] target

impacket-getadusers queries Active Directory via LDAP to enumerate user accounts and their attributes. It retrieves information such as usernames, last logon times, password last set dates, and account status flags.
The tool is useful for reconnaissance during penetration tests to identify potential targets, find accounts with old passwords, or discover service accounts. Output includes the SAM account name, badPwdCount, and other relevant security attributes.

-all

Return all users in the domain

Query information for a specific user only

IP address of the domain controller

Hostname of the domain controller (used for Kerberos)

Use NTLM hashes for authentication instead of password

Don't ask for password (useful with -k or -hashes)

Use Kerberos authentication from ccache file

AES key to use for Kerberos authentication

Requires valid domain credentials. Output may be verbose; consider redirecting stderr to /dev/null for cleaner output. The -all flag is typically required to see results for more than just the authenticated user.

Part of the Impacket library developed by SecureAuth. The tool leverages LDAP queries against Active Directory, implementing Microsoft's directory service protocols in Python for cross-platform compatibility.

impacket-addcomputer(1), impacket-secretsdump(1), ldapsearch(1), net(1)