Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netgroup provides two complementary modes of operation in a single command. Without --username, it enumerates groups in the domain — by default returning only the samAccountName of each group, or the full attribute set when --full-data is supplied. With --username, the command pivots to a membership perspective: it resolves which groups the specified user belongs to, following nested group membership recursively so that indirect memberships via nested groups are also surfaced. Filtering by --admin-count or --sid helps focus the output on privileged groups of interest during an Active Directory assessment.

Global Flags

These flags are shared across all PywerView commands that communicate with a Domain Controller.
-t, --dc-ip
string
required
IP address of the Domain Controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to authenticate to the Domain Controller.
-p, --password
string
Password associated with the authenticating user.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k
boolean
Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file; falls back to command-line credentials if none are found.
--tls
boolean
Force a TLS (LDAPS) connection to the Domain Controller.
--cert
string
Path to a certificate file for certificate-based authentication.
--key
string
Path to the private key associated with the certificate.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default NTLM/Kerberos binding.
-l, --logging-level
string
Stderr logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results in JSON format instead of the default human-readable output.

Command Flags

--groupname
string
default:"*"
Name of the group to query. Wildcards are accepted (e.g. Admin*). Defaults to *, which matches all groups. Mutually used with --sid — if a SID is provided, --groupname is ignored.
--sid
string
Query a group by its Security Identifier (SID) instead of its name. When specified, --groupname is ignored.
--username
string
SAM account name of a user (wildcards accepted). When provided, the command switches to membership mode and returns the names of all groups that user belongs to, including nested group memberships.
-d, --domain
string
The domain to query. Defaults to the domain of the authenticating user.
-a, --ads-path
string
Additional LDAP ADS path to constrain the search (e.g. OU=Groups,DC=contoso,DC=com).
--full-data
boolean
Return the full set of LDAP attributes for each matching group. When omitted, only the samAccountName of each group is returned, which is significantly faster for large directories.
--admin-count
boolean
Return only groups where adminCount=1, identifying groups that are or have been under AdminSDHolder protection — typically high-privilege groups like Domain Admins or Schema Admins.
--custom-filter
string
Append a raw LDAP filter string to the base group query (e.g. (description=*admin*)). Combined with the existing filters using a logical AND.

Examples

# List all groups in the domain (samAccountName only)
pywerview get-netgroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Find all groups a user belongs to (including nested)
pywerview get-netgroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --username bob

# Get full info on the Domain Admins group
pywerview get-netgroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --full-data

# Find privileged/protected groups (adminCount=1)
pywerview get-netgroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --admin-count

# Search groups by wildcard name
pywerview get-netgroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --groupname 'Admin*'

Build docs developers (and LLMs) love

Get started for freeTalk to us