LinuxCommandLibrary

impacket-getadusers

Enumerate user information from Active Directory

TLDR

View documentation for the original command

$ tldr GetADUsers.py
copy

SYNOPSIS

impacket-getadusers [-h] [-all] [-dc-ip IPADDR] [-hashes LMHASH:NTHASH] 'domain/username:password@target'

PARAMETERS

-h, --help
    Show help message and exit

-all
    Retrieve and display all user properties

-dc-ip IPADDR
    IP address of the domain controller. If omitted, DNS resolution is used

-hashes LMHASH:NTHASH
    NTLM hashes for authentication instead of password

DESCRIPTION

impacket-getadusers is a tool from the Impacket suite, a collection of Python libraries and scripts for interacting with network protocols, particularly useful in penetration testing and red teaming. This command connects to a Windows Domain Controller (DC) over SMB, authenticates with provided credentials, and performs an LDAP query to enumerate basic user information from Active Directory (AD).

It retrieves details such as usernames, distinguished names, emails, and account statuses. The -all option enables dumping of all available properties, providing richer reconnaissance data like last logon times, password policies, and service principal names (SPNs). Output is formatted in a tabular or CSV-like structure for easy parsing.

Primarily used during AD enumeration phases to map user accounts, identify privileged users, or find weak passwords. It requires valid domain credentials and network access to the DC. While efficient, it generates LDAP traffic that may trigger security monitoring.

CAVEATS

Requires valid domain credentials with LDAP query rights; generates detectable LDAP/SMB traffic; limited to basic AD attributes unless -all used; target must be reachable Domain Controller.

EXAMPLE USAGE

Basic: impacket-getadusers 'domain.com/user:pass@dc01.domain.com'
All properties: impacket-getadusers domain.com/user:pass@10.0.0.1 -all -dc-ip 10.0.0.1
With hashes: impacket-getadusers domain.com/user@dc -hashes :31d6cfe0d16ae931b73c59d7e0c089c0

OUTPUT SAMPLE

DistinguishedName: CN=User,CN=Users,DC=domain,DC=com
samAccountName: user
mail: user@domain.com
pwdLastSet: 2023-01-01 12:00:00

HISTORY

Part of Impacket suite, originally developed by SecureAuth Corporation around 2012-2015 for pentesting. Enhanced over years by contributors like Fox-IT and byt3bl33d3r; integrated into distributions like Kali Linux circa 2018.

SEE ALSO

impacket-GetNPUsers(1), impacket-GetUserSPNs(1), ldapsearch(1)

Copied to clipboard