PowerView is a PowerShell tool for the enumeration of Windows domains. The script can be downloaded from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1.

Before running, you need to bypass PowerShell's execution policy:

powershell -ep bypass
Copy

Load the script using

. .\PowerView.ps1
Copy

Normally, you'd be running these commands through some sort of shell, but for the sake of simplicity, I will show them all run locally.

Get-NetDomain
Copy

Get-NetDomainController
Copy

Get-DomainPolicy
Copy

You can also get information about a specific policy with the following syntax:

(Get-DomainPolicy)."policy name"
Copy

Get-NetUser
Copy

The output of this command is rather messy, but you can pull specific information with the following syntax:

Get-NetUser | select <property>
Copy

However, there is an even better way to do that.

Get a specific properties of all the users:

Get-DomainUser -Properties <property1>,<property2>,...
Copy

It is useful to always have the samaccountname as the first property selected, so that you can easily match properties with specific users.

Get-DomainComputer | select samaccountname, operatingsystem
Copy

Get-NetGroup | select samaccountname, admincount, description
Copy

Get-NetGPO | select <property1>,<property2>,...
Copy

https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview