Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netgmsa queries Active Directory for all objects of class msDS-GroupManagedServiceAccount, returning account identity, object SID, description, enabled status, and — critically — the msDS-ManagedPassword blob when the LDAP connection is encrypted and the authenticating account appears in the PrincipalsAllowedToRetrieveManagedPassword attribute. Because the managed password is only served over an encrypted channel, the --tls flag is a hard requirement for password retrieval; without it pywerview silently removes msds-managedpassword from the attribute list and returns everything else. Use --resolve-sids to translate the raw SIDs stored in msDS-GroupMSAMembership into human-readable distinguished names, making it easier to understand which principals are authorised to read the password.
Retrieving the msDS-ManagedPassword attribute requires two conditions to be met simultaneously: the connection must be established over LDAPS (pass --tls) and the authenticating account must be listed in the target gMSA’s PrincipalsAllowedToRetrieveManagedPassword. If either condition is not met, the attribute will be absent from the output — no error is raised.

Flags

Global flags

-t, --dc-ip
string
required
IP address of the Domain Controller to target.
-w, --workgroup
string
Name of the domain to authenticate with.
-u, --user
string
Username used to connect to the Domain Controller.
-p, --password
string
Password associated with the username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. Use :$NTHASH to supply only the NT hash.
-k
boolean
Use Kerberos authentication. Credentials are sourced from the KRB5CCNAME ccache file based on target parameters, falling back to the values provided on the command line.
--tls
boolean
Force a TLS (LDAPS) connection to the Domain Controller. Required to retrieve msDS-ManagedPassword.
--cert
string
Path to a certificate file for certificate-based authentication.
--key
string
Path to the private key associated with the certificate.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default SASL/NTLM bind.
-l, --logging-level
string
STDERR logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results in JSON format instead of the default key-value output.

Command-specific flags

--sid
string
Filter results by object SID. Wildcards accepted.
--sam-account-name
string
Filter results by samAccountName. Wildcards accepted (e.g. gMSA-*).
--name
string
Filter results by object name attribute. Wildcards accepted.
-d, --domain
string
Target domain to query. Defaults to the domain of the authenticating user.
-a, --ads-path
string
Additional ADS path to narrow the LDAP search base (e.g. CN=Managed Service Accounts,DC=contoso,DC=com).
--resolve-sids
boolean
Resolve SIDs found in PrincipalsAllowedToRetrieveManagedPassword (msDS-GroupMSAMembership) to their distinguished names.

Examples

# List all gMSA accounts (no TLS — msDS-ManagedPassword is not returned)
pywerview get-netgmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# List gMSA accounts and resolve the principals allowed to retrieve the password
pywerview get-netgmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --resolve-sids

# Retrieve managed password over TLS (account must be in PrincipalsAllowedToRetrieveManagedPassword)
pywerview get-netgmsa -t dc.contoso.com -u 'SRV-MAIL$' --hashes :$NT_HASH -w contoso.com --tls --resolve-sids

# Filter to a specific gMSA by samAccountName
pywerview get-netgmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sam-account-name 'gMSA-01$'

# JSON output for downstream processing
pywerview get-netgmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json --resolve-sids

Example output (without TLS)

distinguishedname:       CN=gMSA-01,CN=Managed Service Accounts,DC=contoso,DC=com
objectsid:               S-1-5-21-863927164-4106933278-53377030-3115
samaccountname:          gMSA-01$
msds-groupmsamembership: CN=SRV-MAIL,CN=Computers,DC=contoso,DC=com
description:
enabled:                 True

Example output (with --tls)

distinguishedname:       CN=gMSA-01,CN=Managed Service Accounts,DC=contoso,DC=com
objectsid:               S-1-5-21-863927164-4106933278-53377030-3115
samaccountname:          gMSA-01$
msds-managedpassword:    69730ce3914ac6[...]
msds-groupmsamembership: CN=SRV-MAIL,CN=Computers,DC=contoso,DC=com
description:
enabled:                 True

Build docs developers (and LLMs) love

Get started for freeTalk to us