Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netpso queries the domain controller via LDAP to enumerate Password Settings Objects (PSOs), which implement Active Directory’s fine-grained password policy feature. Fine-grained policies allow different password requirements — minimum length, complexity, lockout thresholds, and lockout durations — to be applied to specific users or groups rather than the entire domain. From a security perspective, identifying PSOs is valuable because privileged accounts are sometimes placed under more permissive password policies, or because service accounts may have weaker requirements that make them easier to attack. Results include the policy precedence, all password constraints, and the linked user or group principals.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
--cert
string
Path to a certificate file for certificate-based authentication.
--key
string
Path to the private key file associated with --cert.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--psoname
string
default:"*"
PSO name to query. Wildcards are accepted (e.g. Admin*). Defaults to *, which returns all PSOs.
--displayname
string
Display name to filter by. Wildcards are accepted. When specified alongside --psoname, both filters are applied.
-d, --domain
string
Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-a, --ads-path
string
Additional ADS path to restrict the LDAP search base.

Examples

# List all PSOs in the domain
pywerview get-netpso -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Filter PSOs by name wildcard
pywerview get-netpso -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --psoname 'ServiceAccount*'

# Filter PSOs by display name
pywerview get-netpso -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --displayname 'Privileged Users Policy'

# Pass-the-hash authentication
pywerview get-netpso -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication
KRB5CCNAME=alice.ccache pywerview get-netpso -t dc.contoso.com -k -w contoso.com

# JSON output
pywerview get-netpso -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json
Reading PSO objects typically requires domain user privileges at a minimum, but the msDS-PSOAppliesTo attribute that lists linked principals may be restricted to Domain Admins on hardened environments. If the appliesTo field appears empty, you may need elevated credentials.

Build docs developers (and LLMs) love

Get started for freeTalk to us