To get the users in a particular group, we can use:

Get-NetGroupMember 'Domain Admins' -Recurse

Query the domain for all computer objects and then query them for their logged-in users:

Invoke-UserHunter -Stealth -ShowAll # Does this Stealthily

You can use it without -Stealth as well if you want but that's not a good idea if it's a Red Team Assessment.

To get a Forest Global Catalog we can use the command:


and then we can query each name from here to basically get information about users in that Forest via some other scripts.

Enumerate which computers a user can log in to in the domain:

Find-GPOLocation -UserName <username>
Find-GPOLocation -UserName <username> -LocalGroup <GroupName>

Find computer admins via GPO:

Find-GPOComputerAdmin -ComputerName <computername>

To identify which AD groups have admin rights to which computers, we can use the following:

Get-NetGPOGroup -GroupName "Local Admin"
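
From the defender's side, the cmdlets listed on this page show up in PowerShell script block logging (event ID 4104) when that logging is enabled. The following is an added example, not part of the original page or of PowerView: it scans constructed sample records for those cmdlet names. The helper name Find-PowerViewUsage, the record shape and all sample values are assumptions.

```powershell
# Cmdlet names taken from this page. Name matching only finds tooling that
# runs under its original function names.
$PowerViewNames = 'Get-NetGroupMember', 'Invoke-UserHunter', 'Find-GPOLocation',
    'Find-GPOComputerAdmin', 'Get-NetGPOGroup'

function Find-PowerViewUsage {
    # Hypothetical helper: takes records with TimeCreated, Computer, UserId and
    # ScriptBlockText properties and emits one finding per distinct cmdlet name.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record,
        [string[]] $Names = $PowerViewNames
    )
    begin {
        $alternatives = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
        # Case-insensitive; the name must not be part of a longer identifier.
        $pattern = [regex]"(?i)(?<![\w-])($alternatives)(?![\w-])"
    }
    process {
        $text = [string]$Record.ScriptBlockText   # a null text becomes ''
        $hits = $pattern.Matches($text) | ForEach-Object { $_.Value } |
            Sort-Object -Unique
        foreach ($hit in $hits) {
            [pscustomobject]@{
                TimeCreated = $Record.TimeCreated
                Computer    = $Record.Computer
                UserId      = $Record.UserId
                Cmdlet      = $hit
            }
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:00:00'
        Computer = 'WS01.example.test'; UserId = 'S-1-5-21-0-0-0-1001'
        ScriptBlockText = "Get-NetGroupMember 'Domain Admins' -Recurse" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:02:00'
        Computer = 'WS01.example.test'; UserId = 'S-1-5-21-0-0-0-1001'
        ScriptBlockText = 'invoke-userhunter -Stealth -ShowAll' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:05:00'
        Computer = 'WS02.example.test'; UserId = 'S-1-5-21-0-0-0-1002'
        ScriptBlockText = 'Get-ChildItem C:\Temp' }   # benign, no finding
)

$sample | Find-PowerViewUsage | Format-Table -AutoSize
```

On a live host the records would come from event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which is only populated when script block logging is turned on.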