Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netou queries the domain controller via LDAP to enumerate all Organizational Unit objects in Active Directory. By default the command returns only the adspath of each OU, providing a compact overview of the domain’s container structure. Adding --full-data switches to the full LDAP attribute set, which is useful when you need to inspect GPO links, membership rules, or other OU-level properties. You can narrow results by OU name using wildcard patterns, or filter specifically to OUs linked to a particular GPO by supplying its GUID via --guid. This makes get-netou a natural companion to get-netgpo and find-gpocomputeradmin when mapping out how Group Policy applies across the environment.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
--cert
string
Path to a certificate file for certificate-based authentication.
--key
string
Path to the private key file associated with --cert.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--ouname
string
default:"*"
OU name to query. Wildcards are accepted (e.g. Server*). Defaults to *, which returns all OUs.
--guid
string
Only return OUs that have the specified GPO GUID present in their gplink property. Useful for identifying which OUs a particular GPO is applied to.
-d, --domain
string
Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-a, --ads-path
string
Additional ADS path to restrict the LDAP search base (e.g. OU=Servers,DC=contoso,DC=com).
--full-data
boolean
Return all LDAP attributes for each OU object. Without this flag only the adspath is returned.

Examples

# List all OUs in the domain (adspath only)
pywerview get-netou -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Filter OUs by name with a wildcard
pywerview get-netou -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --ouname 'Workstations*'

# Return full LDAP attributes for all OUs
pywerview get-netou -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data

# Find OUs linked to a specific GPO by its GUID
pywerview get-netou -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --guid '{31B2F340-016D-11D2-945F-00C04FB984F9}'

# Pass-the-hash authentication
pywerview get-netou -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication
KRB5CCNAME=alice.ccache pywerview get-netou -t dc.contoso.com -k -w contoso.com

# JSON output
pywerview get-netou -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data --json
Combine --guid with get-netgpo to trace which OUs a specific policy applies to. Run get-netgpo --displayname 'My Policy' to retrieve the GPO GUID, then pass it to get-netou --guid to find all linked OUs.

Build docs developers (and LLMs) love

Get started for freeTalk to us