ADFind
ADFind is a powerful command-line LDAP enumeration tool for querying Active Directory. Developed by Joeware, this standalone executable enables penetration testers and system administrators to perform advanced domain reconnaissance without requiring special privileges, making it essential for Active Directory security assessments.
Installation
ADFind is a standalone executable with no installation required. Download the latest version from joeware.net, extract the ZIP file, and place adfind.exe in your working directory or system PATH. No dependencies, registry entries, or administrative privileges are needed to run queries against Active Directory.
```cmd
# Download and extract
# AdFind.exe can be run directly from any location
# Basic usage - run from command prompt
AdFind.exe -h DC01.contoso.local -default -f "objectcategory=person"
```
Quick Start
The most basic ADFind queries require only the hostname or domain context:
```cmd
# Query current domain for all user objects
AdFind.exe -default -f "objectcategory=person"
# Query specific domain controller
AdFind.exe -h 192.168.1.10 -f "objectcategory=person"
# Query global catalog (port 3268)
AdFind.exe -gc -f "objectcategory=person"
# Count objects without listing details
AdFind.exe -default -f "objectcategory=person" -c
```
Connection Options
Control which domain controller or global catalog ADFind targets:
| Option | Purpose |
|---|---|
| -h host | Specify domain controller hostname or IP address |
| -p port | LDAP port (default 389, 636 for LDAPS, 3268 for GC) |
| -b baseDN | Base Distinguished Name to search from (e.g., dc=contoso,dc=local) |
| -default | Use current domain from machine context |
| -gc | Query global catalog (port 3268, searches all domains) |
| -sp port | Specify custom port for GC queries |
```cmd
# Query specific domain controller on custom port
AdFind.exe -h DC01.contoso.local -p 389 -f "objectcategory=person"
# Query global catalog across all domains
AdFind.exe -gc -f "objectcategory=person"
# Query from specific base DN
AdFind.exe -h DC01 -b "ou=Engineering,dc=contoso,dc=local" -f "objectcategory=person"
# Use current domain automatically
AdFind.exe -default -f "objectcategory=person"
```
Authentication
Specify credentials for LDAP queries or authenticate anonymously:
| Option | Purpose |
|---|---|
| -u user | Username for authentication (domain\user format) |
| -up password | Password for authenticated user |
| -sdna | Search with anonymous credentials |
| -srv _ldap._tcp.dc._msdcs.contoso.local | Query via SRV record |
```cmd
# Authenticated query with domain\username
AdFind.exe -h DC01 -u "CONTOSO\jdoe" -up "P@ssw0rd!" -f "objectcategory=person"
# Anonymous query (may be restricted)
AdFind.exe -sdna -h DC01 -f "objectcategory=person"
# Query using current user context
AdFind.exe -default -f "objectcategory=person"
# Query with a bare username (no domain prefix) and password
AdFind.exe -h DC01 -u "jdoe" -up "P@ssw0rd!" -f "objectcategory=person"
```
Search Filters
ADFind uses LDAP filter syntax to query specific object types and conditions:
| Filter | Purpose |
|---|---|
| objectcategory=person | All user objects |
| objectcategory=computer | All computer objects |
| objectcategory=group | All group objects |
| objectcategory=organizationalUnit | All OUs |
| (!(userAccountControl:1.2.840.113556.1.4.803:=2)) | Enabled accounts only |
| userAccountControl:1.2.840.113556.1.4.803:=2 | Disabled accounts |
| lockoutTime>=1 | Locked accounts |
| pwdlastset=0 | Password never set/changed |
| (userAccountControl:1.2.840.113556.1.4.803:=4194304) | AS-REP roastable (UF_DONT_REQUIRE_PREAUTH) |
| servicePrincipalName=* | Accounts with SPNs (Kerberoasting targets) |
| cn=*admin* | Objects with “admin” in common name |
```cmd
# All user objects with default naming context
AdFind.exe -default -f "objectcategory=person"
# Enabled users only
AdFind.exe -default -f "(&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Disabled accounts
AdFind.exe -default -f "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Locked accounts
AdFind.exe -default -f "(&(objectcategory=person)(lockoutTime>=1))"
# Accounts with SPNs for Kerberoasting
AdFind.exe -default -f "servicePrincipalName=*" -dn
# AS-REP roastable accounts
AdFind.exe -default -f "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
# Groups with "admin" in name
AdFind.exe -default -f "(&(objectcategory=group)(cn=*admin*))"
```
Attribute Selection
Specify which attributes to return in query results:
| Attribute / option | Purpose |
|---|---|
| samaccountname | Logon name (pre-Windows 2000) |
| cn | Common name |
| mail | Email address |
| description | User/object description |
| memberof | Group memberships |
| lastlogon | Last successful logon |
| pwdlastset | Last password change timestamp |
| useraccountcontrol | Account control flags |
| serviceprincipalname | SPN for Kerberoasting |
| objectsid | Security identifier |
| distinguishedname | Full LDAP DN |
| -allproperties | Return all LDAP attributes |
| -dn | Return Distinguished Name only |
```cmd
# Return specific attributes
AdFind.exe -default -f "objectcategory=person" samaccountname description lastlogon
# All attributes for an object
AdFind.exe -default -f "objectcategory=person" -allproperties
# SAM account names (the DN of each object is always printed; -dn would suppress other attributes)
AdFind.exe -default -f "objectcategory=person" samaccountname
# User objects with email and membership info
AdFind.exe -default -f "objectcategory=person" samaccountname mail memberof
# Computer objects with last logon
AdFind.exe -default -f "objectcategory=computer" samaccountname lastlogon
# SPNs and account names for Kerberoasting targets
AdFind.exe -default -f "servicePrincipalName=*" samaccountname serviceprincipalname
```
Domain Enumeration
Enumerate domain-wide objects and infrastructure:
```cmd
# All users in domain
AdFind.exe -default -f "objectcategory=person" samaccountname
# All computers in domain
AdFind.exe -default -f "objectcategory=computer" samaccountname
# All groups in domain
AdFind.exe -default -f "objectcategory=group" cn
# All organizational units
AdFind.exe -default -f "objectcategory=organizationalunit" cn
# Domain controllers (SERVER_TRUST_ACCOUNT bit 8192 in userAccountControl)
AdFind.exe -default -f "(&(objectcategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" samaccountname
# Trust relationships
AdFind.exe -default -f "objectclass=trustedDomain" cn trustAttributes trustDirection
# Subnets
AdFind.exe -default -f "objectcategory=subnet" cn
# Sites
AdFind.exe -default -f "objectcategory=site" cn
# Group Policy Objects
AdFind.exe -default -f "objectclass=groupPolicyContainer" cn displayname
```
User Enumeration
Target specific user accounts and attributes:
```cmd
# All users with descriptions
AdFind.exe -default -f "objectcategory=person" samaccountname description
# Administrative users (Domain Admins members)
AdFind.exe -default -f "(&(objectcategory=person)(memberof=cn=Domain Admins,cn=Users,dc=contoso,dc=local))" samaccountname
# Disabled user accounts
AdFind.exe -default -f "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))" samaccountname
# Locked user accounts
AdFind.exe -default -f "(&(objectcategory=person)(lockoutTime>=1))" samaccountname lastlogon
# Password never expires
AdFind.exe -default -f "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" samaccountname
# Accounts with SPNs (Kerberoasting targets)
AdFind.exe -default -f "(&(objectcategory=person)(servicePrincipalName=*))" samaccountname serviceprincipalname
# AS-REP roastable accounts
AdFind.exe -default -f "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" samaccountname
# Password not required attribute
AdFind.exe -default -f "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=32))" samaccountname
# Users with mail attribute
AdFind.exe -default -f "(&(objectcategory=person)(mail=*))" samaccountname mail
```
Group Enumeration
Enumerate group memberships and group objects:
```cmd
# All groups in domain
AdFind.exe -default -f "objectcategory=group" cn
# Domain Admins group members (-dn omitted: it would suppress the member attribute)
AdFind.exe -default -f "cn=Domain Admins" samaccountname member
# Enterprise Admins group members
AdFind.exe -gc -f "cn=Enterprise Admins" samaccountname member
# Nested group membership (recursive)
AdFind.exe -default -f "cn=Domain Admins" member -recmute
# All members of a specific group
AdFind.exe -default -f "(&(memberof=cn=Domain Admins,cn=Users,dc=contoso,dc=local))" samaccountname
# Privileged groups (OR filter needs its own enclosing parentheses)
AdFind.exe -default -f "(|(cn=Domain Admins)(cn=Enterprise Admins)(cn=Schema Admins))" cn member
# Groups with "admin" in name
AdFind.exe -default -f "(&(objectcategory=group)(cn=*admin*))" cn
# Empty groups
AdFind.exe -default -f "(&(objectcategory=group)(!(member=*)))" cn
# All groups with their members and object class
AdFind.exe -default -f "objectcategory=group" cn member objectclass
```
Computer Enumeration
Enumerate computer objects and their configurations:
```cmd
# All computers in domain
AdFind.exe -default -f "objectcategory=computer" samaccountname
# All servers (operating system filter)
AdFind.exe -default -f "(&(objectcategory=computer)(operatingsystem=*server*))" samaccountname operatingsystem
# All workstations
AdFind.exe -default -f "(&(objectcategory=computer)(operatingsystem=Windows 10*))" samaccountname
# Computers by operating system
AdFind.exe -default -f "objectcategory=computer" samaccountname operatingsystem
# Unconstrained delegation computers
AdFind.exe -default -f "(&(objectcategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" samaccountname
# Constrained delegation computers
AdFind.exe -default -f "(&(objectcategory=computer)(msds-allowedtodelegateto=*))" samaccountname msds-allowedtodelegateto
# Computers with service accounts
AdFind.exe -default -f "(&(objectcategory=computer)(serviceprincipalname=*))" samaccountname
# Computers with their last logon timestamp
AdFind.exe -default -f "objectcategory=computer" samaccountname lastlogon
# Computers in specific OU
AdFind.exe -h DC01 -b "ou=Servers,dc=contoso,dc=local" -f "objectcategory=computer" samaccountname
```
Output Options
Control output format and redirection:
| Option | Purpose |
|---|---|
| -csv | Output as comma-separated values |
| -tdcs | Output as tab-delimited with column separator |
| -c | Count results only, no details |
| > filename | Redirect output to file |
| \| | Pipe to other commands |
```cmd
# Export to CSV file
AdFind.exe -default -f "objectcategory=person" -csv samaccountname mail > users.csv
# Tab-delimited output
AdFind.exe -default -f "objectcategory=person" -tdcs samaccountname description lastlogon
# Count users
AdFind.exe -default -f "objectcategory=person" -c
# Count computers
AdFind.exe -default -f "objectcategory=computer" -c
# Export to CSV with specific attributes
AdFind.exe -default -f "objectcategory=person" -csv samaccountname mail memberof > users_export.csv
# Large export (redirect to file)
AdFind.exe -default -f "objectcategory=computer" samaccountname operatingsystem > computers.txt
# Pipe to grep equivalent (findstr in Windows)
AdFind.exe -default -f "objectcategory=person" samaccountname | findstr admin
```
Advanced Queries
Construct complex LDAP filters for targeted enumeration:
```cmd
# Combine multiple conditions (AND)
AdFind.exe -default -f "(&(objectcategory=person)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Multiple conditions (OR)
AdFind.exe -default -f "(|(cn=*admin*)(cn=*service*))"
# Negation (NOT)
AdFind.exe -default -f "(&(objectcategory=person)(!(cn=Administrator)))"
# Wildcard searches
AdFind.exe -default -f "cn=*test*" samaccountname
# objectSid searches: the attribute is binary, so substring wildcards do not match; supply the full SID
# (<domain-sid-suffix> is a placeholder; RID 500 is the built-in Administrator)
AdFind.exe -default -f "objectsid=S-1-5-21-<domain-sid-suffix>-500" samaccountname
# Custom LDAP attributes
AdFind.exe -default -f "(&(objectcategory=person)(title=*Engineer*))" samaccountname title
# Users with specific mail domain
AdFind.exe -default -f "(&(objectcategory=person)(mail=*@contoso.local))" samaccountname mail
# Last logon within timeframe (requires timestamp conversion)
AdFind.exe -default -f "objectcategory=person" samaccountname lastlogon
# Accounts without email
AdFind.exe -default -f "(&(objectcategory=person)(!(mail=*)))" samaccountname
# Service accounts (user accounts with SPNs, not computers)
AdFind.exe -default -f "(&(objectcategory=person)(servicePrincipalName=*))" samaccountname serviceprincipalname
```
Troubleshooting
Common issues and resolution strategies:
| Issue | Solution |
|---|---|
| Connection refused | Verify DC hostname/IP, check firewall, ensure LDAP port 389 is open |
| No results | Verify filter syntax, check base DN, ensure search user has permissions |
| Timeout | Reduce result set with more specific filters, try alternate DC |
| Access denied | Use -u and -up for explicit credentials, verify account permissions |
| Special characters | Escape characters in filters or use quotation marks properly |
```cmd
# Test connectivity to domain controller
ping DC01.contoso.local
# DNs only, to confirm the query returns objects before adding attributes
AdFind.exe -default -f "objectcategory=person" -dn
# Validate filter syntax (start simple)
AdFind.exe -default -f "objectcategory=person"
# Test authentication
AdFind.exe -h DC01 -u "CONTOSO\jdoe" -up "password" -f "objectcategory=person" -c
# Check current user context
whoami
# Verify LDAP connectivity on specific port
# Use netstat or other network tools to test connectivity
```
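The "special characters" row above and the Advanced Queries section both come down to building the `-f` string correctly. As an added example (not part of this page or of AdFind), the following Python helper escapes assertion values per RFC 4515 and composes the AND/OR/NOT and bitwise matching-rule forms used on this page, so a name like `Smith (Contractor)` is matched literally instead of breaking the filter; the function names are this example's own.

```python
# Filter builder for the AdFind -f argument: RFC 4515 escaping of user-supplied values
# plus the AND/OR/NOT and bitwise matching-rule forms used on this page.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as in the filters above

def ldap_escape(value):
    """Escape the characters RFC 4515 reserves so a value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def eq(attr, value, wildcard=False):
    """(attr=value). With wildcard=True the value is inserted verbatim so '*' keeps its meaning."""
    return f"({attr}={value if wildcard else ldap_escape(value)})"

def uac_bit(bit):
    """Bitwise test on userAccountControl, e.g. uac_bit(2) matches disabled accounts."""
    return f"(userAccountControl:{BIT_AND}:={bit})"

def and_(*parts):
    return "(&" + "".join(parts) + ")"

def or_(*parts):
    return "(|" + "".join(parts) + ")"

def not_(part):
    return f"(!{part})"

def adfind_cmd(filt, *attrs, host=None):
    """Render the command line; the filter is double-quoted for cmd.exe as on this page."""
    target = ["-h", host] if host else ["-default"]
    return " ".join(["AdFind.exe", *target, "-f", f'"{filt}"', *attrs])

# Enabled users with a mailbox (same filter as the first Advanced Queries example)
ENABLED_MAIL = and_(eq("objectcategory", "person"), eq("mail", "*", wildcard=True), not_(uac_bit(2)))

# A user-entered name containing parentheses: escaped, it is matched literally, not parsed
CN_LITERAL = eq("cn", "Smith (Contractor)")
```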
Best Practices
Effective and responsible ADFind usage:
- Authenticate when possible: Use -u and -up to ensure proper logging and permission enforcement
- Limit result sets: Use specific filters instead of querying the entire domain; add conditions with AND operators
- Export carefully: Pipe sensitive data to files in restricted directories; avoid email or network shares
- Document queries: Keep records of enumeration activities for audit trails
- Request permissions: Obtain written authorization before conducting Active Directory enumeration
- Filter strategically: Combine multiple conditions to find specific security-relevant objects
- Use base DN: Restrict searches to specific OUs to reduce query load
- Verify results: Cross-reference findings with other AD tools like ADExplorer
- Consider timestamping: Convert LDAP timestamps (100-nanosecond intervals since 1601) for analysis
- Avoid excessive queries: Batch queries logically to minimize DC load
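The userAccountControl bit tests in the Search Filters section and the timestamp conversion mentioned above are the two pieces a reviewer needs to turn an export into an audit. As an added example (not part of this page or of AdFind), this Python script decodes the flag bits named on this page, converts pwdLastSet from 100-nanosecond ticks since 1601, and flags risky enabled accounts; it assumes `-csv` output with a header row and quoted values, and the sample rows are constructed, not real directory data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bits used in this page's filters; the matching rule 1.2.840.113556.1.4.803
# is a server-side bitwise AND against this integer, which decode_uac() repeats client-side.
UAC_FLAGS = {2: "ACCOUNTDISABLE", 32: "PASSWD_NOTREQD", 8192: "SERVER_TRUST_ACCOUNT",
             65536: "DONT_EXPIRE_PASSWORD", 524288: "TRUSTED_FOR_DELEGATION",
             4194304: "DONT_REQUIRE_PREAUTH"}
RISKY = {"PASSWD_NOTREQD", "DONT_REQUIRE_PREAUTH", "TRUSTED_FOR_DELEGATION"}
# pwdLastSet/lastLogon are 100-nanosecond ticks since 1601-01-01 UTC (Windows FILETIME)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Names of the flags above that are set in an integer userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def filetime_to_datetime(ticks):
    """Convert an LDAP large-integer timestamp to an aware UTC datetime; 0 means 'never'."""
    ticks = int(ticks)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def audit_csv(text, stale_days=90, now=None):
    """Flag enabled accounts with risky UAC flags or unset/stale non-expiring passwords.
    Assumes AdFind -csv output: a header row, then one quoted row per object."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = decode_uac(int(row["useraccountcontrol"]))
        if "ACCOUNTDISABLE" in flags:
            continue  # disabled accounts are already covered by the :=2 filter above
        issues = [f for f in flags if f in RISKY]
        pwd = filetime_to_datetime(row["pwdlastset"])
        if pwd is None:
            issues.append("password never set")
        elif "DONT_EXPIRE_PASSWORD" in flags and (now - pwd).days > stale_days:
            issues.append(f"password {(now - pwd).days}d old and never expires")
        if issues:
            findings.append((row["samaccountname"], issues))
    return findings

# Constructed sample rows (not real directory data) in the assumed -csv layout
SAMPLE = '''"dn","samaccountname","useraccountcontrol","pwdlastset"
"CN=svc_backup,OU=Service,DC=contoso,DC=local","svc_backup","66048","132000000000000000"
"CN=jdoe,CN=Users,DC=contoso,DC=local","jdoe","512","133500000000000000"
"CN=legacy_app,CN=Users,DC=contoso,DC=local","legacy_app","4260384","0"
"CN=old_user,CN=Users,DC=contoso,DC=local","old_user","514","0"
'''
```

Running `audit_csv(SAMPLE)` reports svc_backup (non-expiring password last set in 2019) and legacy_app (PASSWD_NOTREQD, DONT_REQUIRE_PREAUTH, password never set) while skipping the disabled old_user.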
Related Tools
- ldapsearch — Unix/Linux LDAP query tool with similar functionality
- ldapdomaindump — LDAP enumeration with structured output and domain parsing
- BloodHound — Graph-based Active Directory visualization and attack path analysis
- PowerView — PowerShell Active Directory enumeration framework
- ADExplorer — Sysinternals Active Directory browser for visual exploration
- Impacket — Python toolkit with ldapdomaindump and other AD utilities