get-netsmsa queries Active Directory for all objects of class msDS-ManagedServiceAccount, the older, single-host variant of Managed Service Accounts. For each account the command returns the samAccountName, distinguished name, object SID, description, the computer it is bound to (msDS-HostServiceAccountBL), and a derived Enabled field based on the userAccountControl flags. Because sMSA accounts are scoped to exactly one machine, discovery is useful during assessments to identify service accounts, understand the host-to-account relationship, and detect any misconfigured or orphaned accounts across the domain.
gMSA vs sMSA: Group Managed Service Accounts (msDS-GroupManagedServiceAccount) can be shared across many computers and support automatic password retrieval over LDAPS. Standalone Managed Service Accounts (msDS-ManagedServiceAccount) predate gMSA and are restricted to a single computer — the host is recorded in msDS-HostServiceAccountBL. sMSA passwords are managed automatically by the domain but cannot be retrieved via LDAP the way gMSA passwords can. Where possible, modern deployments favour gMSA. Use get-netgmsa to enumerate gMSA accounts.

Flags

Global flags

-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain to authenticate with.
-u, --user (string): Username used to connect to the Domain Controller.
-p, --password (string): Password associated with the username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. Use :$NTHASH to supply only the NT hash.
-k (boolean): Use Kerberos authentication. Credentials are sourced from the KRB5CCNAME ccache file based on target parameters, falling back to the values provided on the command line.
--tls (boolean): Force a TLS (LDAPS) connection to the Domain Controller.
--cert (string): Path to a certificate file for certificate-based authentication.
--key (string): Path to the private key associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default SASL/NTLM bind.
-l, --logging-level (string): STDERR logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default key-value output.

Command-specific flags

--sid (string): Filter results by object SID. Wildcards accepted.
--sam-account-name (string): Filter results by samAccountName. Wildcards accepted (e.g. svc*$).
--name (string): Filter results by object name attribute. Wildcards accepted.
-d, --domain (string): Target domain to query. Defaults to the domain of the authenticating user.
-a, --ads-path (string): Additional ADS path to narrow the LDAP search base (e.g. CN=Managed Service Accounts,DC=contoso,DC=com).

Examples

# List all sMSA accounts in the domain
pywerview get-netsmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Find a specific sMSA by samAccountName
pywerview get-netsmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sam-account-name 'svcAccount$'

# Filter using a wildcard to find all service accounts starting with 'svc'
pywerview get-netsmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sam-account-name 'svc*'

# Pass-the-hash authentication
pywerview get-netsmsa -t dc.contoso.com -u alice --hashes :$NT_HASH -w contoso.com

# JSON output for downstream processing or scripting
pywerview get-netsmsa -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json

Example output

distinguishedname:            CN=sMSA-01,CN=Managed Service Accounts,DC=contoso,DC=com
objectsid:                    S-1-5-21-863927164-4106933278-53377030-4201
samaccountname:               sMSA-01$
msds-hostserviceaccountbl:    CN=WEB-SRV01,CN=Computers,DC=contoso,DC=com
description:
enabled:                      True
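
Added example (not part of pywerview or its documentation): a Python triage script that parses the key-value output shown above and flags sMSA accounts that have no bound host or are disabled. It assumes records are separated by a blank line; the function names and the second and third sample records are constructed for illustration.

```python
# Added example, not pywerview code. SAMPLE records 2 and 3 are constructed.
SAMPLE = """\
distinguishedname:            CN=sMSA-01,CN=Managed Service Accounts,DC=contoso,DC=com
objectsid:                    S-1-5-21-863927164-4106933278-53377030-4201
samaccountname:               sMSA-01$
msds-hostserviceaccountbl:    CN=WEB-SRV01,CN=Computers,DC=contoso,DC=com
description:
enabled:                      True

distinguishedname:            CN=sMSA-02,CN=Managed Service Accounts,DC=contoso,DC=com
samaccountname:               sMSA-02$
msds-hostserviceaccountbl:
description:                  legacy: backup agent
enabled:                      True

distinguishedname:            CN=sMSA-03,CN=Managed Service Accounts,DC=contoso,DC=com
samaccountname:               sMSA-03$
msds-hostserviceaccountbl:    CN=DB-SRV02,CN=Computers,DC=contoso,DC=com
enabled:                      False
"""

def parse_records(text):
    """Split blank-line-separated records into dicts keyed by attribute name."""
    records, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")    # first colon only; values may contain ':'
        current[key.strip().lower()] = value.strip()
    return records

def audit(records):
    """Return (samaccountname, finding) pairs for accounts that need review."""
    findings = []
    for rec in records:
        name = rec.get("samaccountname") or rec.get("distinguishedname", "?")
        if not rec.get("msds-hostserviceaccountbl"):   # absent or empty: no host bound
            findings.append((name, "orphaned"))
        if rec.get("enabled", "").lower() != "true":
            findings.append((name, "disabled"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_records(SAMPLE)):
        print(f"{name}: {finding}")
```
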
