Active Directory User Enumeration using PowerView
As a pentester, you can leverage PowerView to find out information about domain users. These six commands will help you with user enumeration.
PowerView, developed by Will Schroeder (@harmj0y), is a PowerShell tool for gaining network situational awareness on Windows domains. It is now part of the PowerSploit suite. You can download PowerView from here.
The following commands help with user enumeration (watch the video for a demonstration):
Get-NetUser
Get a list of all users in the current domain
Get-NetUser -Domain ycsccorp.local
Get a list of all users in the specified domain
Invoke-UserHunter
Finds machines on the local domain where the specified users are logged in. By default, it checks for domain admin accounts
Find-LocalAdminAccess
Finds machines on the domain that the current user has local admin access to
Invoke-EnumerateLocalAdmin
Enumerates members of the local Administrators groups across all machines in the domain
Invoke-CheckLocalAdminAccess
Check if the current user context has local administrator access to a specified host
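From the defender's side, the commands listed above leave traces in PowerShell script block logging (Event ID 4104). The following is an added example, not part of the original post or of PowerView: the helper name Find-PowerViewUsage and the sample records are constructed for illustration, and it assumes Script Block Logging is enabled on the monitored hosts.

```powershell
# Cmdlet names taken from the list on this page.
$PowerViewCmdlets = @(
    'Get-NetUser', 'Invoke-UserHunter', 'Find-LocalAdminAccess',
    'Invoke-EnumerateLocalAdmin', 'Invoke-CheckLocalAdminAccess'
)

function Find-PowerViewUsage {
    # Hypothetical helper: reports which of the cmdlets above a logged
    # script block defines (tool being loaded) or invokes (tool being run).
    param([Parameter(Mandatory)][object[]]$Record)

    foreach ($r in $Record) {
        foreach ($name in $PowerViewCmdlets) {
            $escaped = [regex]::Escape($name)
            # Whole-name match: not embedded in a longer identifier.
            # -match is case-insensitive, like PowerShell command lookup.
            $callPattern = '(?<![\w-]){0}(?![\w-])' -f $escaped
            $defPattern  = '\bfunction\s+{0}(?![\w-])' -f $escaped
            if ($r.ScriptBlockText -notmatch $callPattern) { continue }

            # A block that both defines and calls the cmdlet is reported as a definition.
            $kind = if ($r.ScriptBlockText -match $defPattern) { 'Definition' } else { 'Invocation' }
            [pscustomobject]@{
                TimeCreated = $r.TimeCreated
                Computer    = $r.Computer
                Cmdlet      = $name
                Kind        = $kind
            }
        }
    }
}

# Constructed sample records standing in for Event ID 4104 entries.
# On a live host, build them from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
# where the script text is the third event property (Properties[2].Value).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:00:00'; Computer = 'WS01.example.test'
                       ScriptBlockText = 'function Get-NetUser { <# body omitted #> }' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:00:05'; Computer = 'WS01.example.test'
                       ScriptBlockText = 'Get-NetUser -Domain ycsccorp.local' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:01:00'; Computer = 'WS01.example.test'
                       ScriptBlockText = 'invoke-userhunter' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:02:00'; Computer = 'WS02.example.test'
                       ScriptBlockText = 'Get-ChildItem C:\Temp' }   # benign, no match
)

Find-PowerViewUsage -Record $sample | Format-Table -AutoSize
```

Matching on cmdlet names only catches unmodified copies of the tool; renamed functions need behavioural signals such as bursts of LDAP queries or remote session enumeration from a single workstation.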