get-adobject is the foundational object-lookup command in PywerView. It queries your domain controller over LDAP and returns any Active Directory object — users, groups, computers, or arbitrary objects — that matches a given SID, samAccountName, or display name. Wildcard patterns are accepted for all three identifiers, making it straightforward to enumerate ranges of objects in a single call. You can further narrow results with a custom LDAP filter or limit the returned data to a specific list of attributes, which is useful when working with large directories or piping output into downstream analysis.

Synopsis

pywerview get-adobject -t <DC_IP> -w <DOMAIN> -u <USER> -p <PASSWORD> \
    [--sid <SID> | --sam-account-name <SAM> | --name <NAME>] \
    [-d <DOMAIN>] [-a <ADS_PATH>] \
    [--custom-filter <FILTER>] \
    [--attributes <ATTR> [<ATTR> ...]] \
    [--json] [-l LEVEL]

Parameters

Connection

-t, --dc-ip (string, required)
    IP address of the Domain Controller to target.
-w, --workgroup (string)
    Name of the domain used for authentication. Typically matches the AD domain name (e.g. contoso.com).
-u, --user (string)
    Username to authenticate with against the Domain Controller.
-p, --password (string)
    Password associated with the user account.
--hashes (string)
    NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean)
    Use Kerberos authentication. Credentials are read from the ccache file referenced by the KRB5CCNAME environment variable. Falls back to command-line credentials if no valid ticket is found.
--tls (boolean)
    Force a TLS-encrypted connection to the Domain Controller.
--simple-auth (boolean)
    Force SIMPLE LDAP authentication instead of the default NTLM/SASL binding.

SChannel (Certificate Authentication)

--cert (string)
    Path to the certificate file associated with the user account, used for SChannel-based authentication.
--key (string)
    Path to the private key file associated with the user certificate.

Object Selection

--sid (string)
    SID of the object to query. Wildcards are accepted (e.g. S-1-5-21-*-500).
--sam-account-name (string)
    samAccountName of the object to query. Wildcards are accepted (e.g. svc_*).
--name (string)
    Display name of the object to query. Wildcards are accepted (e.g. admin*).
-d, --domain (string)
    The domain to query. Defaults to the domain of the authenticated user.
-a, --ads-path (string)
    Additional ADS path to restrict the LDAP search base (e.g. OU=Servers,DC=contoso,DC=com).
--custom-filter (string)
    A raw LDAP filter string appended to the generated query (e.g. (objectClass=computer)). Allows arbitrary filter expressions beyond the built-in selectors.
--attributes (string[])
    Space-separated list of LDAP attribute names to return. When omitted, all available attributes are returned.
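
How a selector and --custom-filter can combine into a single LDAP search filter, as an added Python illustration (not PywerView's own code). The AND composition, the function names and the sample values are assumptions; escaping follows RFC 4515 and leaves * unescaped so wildcard selectors keep working.

```python
# Added illustration, not PywerView's source. The AND composition is an assumption.
import re

# RFC 4515 escapes; '*' is deliberately absent so wildcard selectors keep working.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape filter metacharacters in a selector value such as a name."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_filter(raw):
    """Return raw if it is a run of balanced, parenthesised terms, else raise."""
    depth = 0
    # Escaped bytes such as \28 are data, not structure, so drop them first.
    for ch in re.sub(r"\\[0-9a-fA-F]{2}", "", raw):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' in custom filter")
        elif depth == 0:
            raise ValueError("text outside parentheses in custom filter")
    if depth != 0:
        raise ValueError("unclosed '(' in custom filter")
    return raw


def build_filter(attribute, value, custom_filter=""):
    """AND one selector (attribute=value) with an optional raw custom filter."""
    selector = "({}={})".format(attribute, escape_value(value))
    if not custom_filter.strip():
        return selector
    return "(&{}{})".format(selector, check_filter(custom_filter.strip()))


if __name__ == "__main__":
    # Constructed sample values.
    print(build_filter("sAMAccountName", "svc_*", "(objectClass=computer)"))
    print(build_filter("name", "Smith (Contractor)"))
```

Checking a custom filter for balanced parentheses before sending it catches the most common cause of an LDAP "bad search filter" error without a round trip to the Domain Controller.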

Output

--json (boolean)
    Print results as JSON instead of the default human-readable format.
-l, --logging-level (string)
    Verbosity of log output written to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.

Usage Examples

# Query an object by samAccountName
pywerview get-adobject -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sam-account-name bob

# Query by well-known SID
pywerview get-adobject -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sid S-1-5-21-3623811015-3361044348-30300820-500

# Wildcard name search — find all objects whose name starts with "admin"
pywerview get-adobject -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --name 'admin*'

# Return only specific attributes for a user
pywerview get-adobject -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sam-account-name bob --attributes distinguishedname memberof pwdlastset

# Use a custom LDAP filter to enumerate all computer objects
pywerview get-adobject -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --custom-filter '(objectClass=computer)'

# Authenticate with NTLM hashes (empty LM part, NT hash placeholder) and output as JSON
pywerview get-adobject -t dc.contoso.com -u alice --hashes ':<NTHASH>' \
    -w contoso.com --sam-account-name bob --json

# Kerberos authentication with a scoped ADS path
pywerview get-adobject -t dc.contoso.com -k -w contoso.com \
    --sam-account-name 'svc_*' -a 'OU=ServiceAccounts,DC=contoso,DC=com'

SChannel Support

When your environment uses certificate-based authentication, pass the user certificate and its private key with --cert and --key. These flags enable SChannel authentication over LDAPS and require that --tls is also set (or that the DC is configured to accept TLS).

pywerview get-adobject -t dc.contoso.com --tls \
    --cert user.pem --key user.key \
    -w contoso.com --sam-account-name bob
