
get-netgroupmember retrieves the members of a specified domain group and is an essential tool for mapping privilege chains in Active Directory. When no group name is provided, the command falls back to the Domain Admins group by automatically resolving the domain SID. For environments with deeply nested groups, the -r/--recurse flag causes any member that is itself a group to be expanded, ensuring every transitive human or computer account is surfaced. For even faster enumeration of nested membership, --use-matching-rule offloads the recursion entirely to the LDAP server using the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941), which avoids multiple round-trip queries at the cost of cross-domain visibility.

Global Flags

These flags are shared across all PywerView commands that communicate with a Domain Controller.
-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain to authenticate with (e.g. contoso.com).
-u, --user (string): Username used to authenticate to the Domain Controller.
-p, --password (string): Password associated with the authenticating user.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file; falls back to command-line credentials if none are found.
--tls (boolean): Force a TLS (LDAPS) connection to the Domain Controller.
--cert (string): Path to a certificate file for certificate-based authentication.
--key (string): Path to the private key associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default NTLM/Kerberos binding.
-l, --logging-level (string): Stderr logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default human-readable output.

Command Flags

--groupname (string): Name of the group whose members to retrieve. Wildcards are accepted. When omitted, the command automatically targets the Domain Admins group by resolving the domain’s SID.
--sid (string): SID of the group to query. Used as an alternative to --groupname when the group name is unknown or ambiguous.
-d, --domain (string): The domain to query. Defaults to the domain of the authenticating user.
-a, --ads-path (string): Additional LDAP ADS path to constrain the search (e.g. OU=Groups,DC=contoso,DC=com).
-r, --recurse (boolean): If a group member is itself a group, recursively resolve its members as well. This ensures all transitive members — human accounts or computer accounts — are included in the output.
--use-matching-rule (boolean): Use the LDAP_MATCHING_RULE_IN_CHAIN OID in the LDAP search query when --recurse is specified. This pushes the recursive resolution to the server side, making it substantially faster than client-side recursion. Has no effect unless --recurse is also set.
--full-data (boolean): Return the full LDAP attribute set for each member object. Without this flag, only a minimal summary (group name, member name, domain, and whether the member is a group) is returned.
--custom-filter (string): Append a raw LDAP filter string to the member query. Combined with the existing filters using a logical AND.

Examples

# Get Domain Admins members (default group when --groupname is omitted)
pywerview get-netgroupmember -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Get members of a specific group
pywerview get-netgroupmember -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Enterprise Admins'

# Recurse into nested groups (client-side)
pywerview get-netgroupmember -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --recurse

# Fast LDAP-side recursion using LDAP_MATCHING_RULE_IN_CHAIN
pywerview get-netgroupmember -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --recurse --use-matching-rule

# Get full member details
pywerview get-netgroupmember -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --full-data

--use-matching-rule uses the LDAP_MATCHING_RULE_IN_CHAIN OID for server-side recursion, which is much faster than the default client-side approach. However, it will not reveal cross-domain group memberships — members whose accounts live in a different trusted domain will be silently omitted from the results. Use client-side recursion (--recurse without --use-matching-rule) when cross-domain completeness matters.

Combine --recurse with --json to capture the full transitive membership tree in a machine-readable format. This is especially useful when feeding results into external tools or scripts for further analysis — for example, piping into jq to extract only unique member names: ... --recurse --json | jq '.[].membername'.
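
The difference between the two recursion modes described above, as an added example for auditing a privileged group (this is not PywerView's own code). The directory contents, the function names, and the modelling of the in-chain search as "only objects under the queried domain's base DN match" are assumptions made for illustration; the sample data is constructed and includes a membership cycle and an account from a second domain.

```python
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

DA = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
OPS = "CN=Ops (Tier0),OU=Groups,DC=contoso,DC=com"
BG = "CN=Break Glass,OU=Groups,DC=contoso,DC=com"

# Constructed sample directory (group DN -> direct members); not real data.
DIRECTORY = {
    DA: ["CN=alice,CN=Users,DC=contoso,DC=com", OPS],
    OPS: ["CN=bob,CN=Users,DC=contoso,DC=com", BG],
    BG: [OPS, "CN=carol,CN=Users,DC=fabrikam,DC=com"],  # cycle + foreign-domain account
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def in_chain_filter(group_dn):
    """Filter matching every object that is a direct or nested member of group_dn."""
    return "(memberOf:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(group_dn))


def recurse_members(group_dn, directory):
    """Client-side recursion: expand nested groups, return the non-group accounts."""
    accounts, seen, stack = set(), {group_dn}, [group_dn]
    while stack:
        for member in directory.get(stack.pop(), []):
            if member in directory:          # member is itself a group
                if member not in seen:       # guard against membership cycles
                    seen.add(member)
                    stack.append(member)
            else:
                accounts.add(member)
    return accounts


def in_chain_members(group_dn, directory, base_dn):
    """Simplified model of the server-side search: only objects under base_dn match."""
    suffix = "," + base_dn.lower()
    return {dn for dn in recurse_members(group_dn, directory) if dn.lower().endswith(suffix)}


def omitted_by_in_chain(group_dn, directory, base_dn):
    """Accounts that client-side recursion finds but the in-chain search would not."""
    return recurse_members(group_dn, directory) - in_chain_members(group_dn, directory, base_dn)
```

A non-empty result from omitted_by_in_chain for a privileged group means an audit based only on the server-side search would under-report who holds that privilege.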
