Traditional Approach

Using net.exe

Open CMD or powershell, enter commands:-

• net user

Enumerate all users in the local domain

• net user /domain

Adding the /domain flag will enumerate all users in the entire domain:

• net user <username> /domain

Detailed query information about individual users.

• net group /domain

Enumerate all groups in the domain

Output will give custom groups like Secret_Group, Nested_Group and Another_Nested_Group. In Active Directory, a group (and subsequently all the included members) can be added as member to another group. This is known as a nested group.

Unfortunately, the net.exe command line tool cannot list nested groups and only shows the
direct user members.

• whoami /groups