The PowerView PowerUsage Series #2

This is the second post in my “PowerView PowerUsage” series. The original post contains a constantly updated list of the entire series. This post will follow the same scenario/solution/explanation format, and is definitely a bit simpler than the first post.

The Scenario

While on an engagement in a multi-domain forest, you end up with a number of computer “short names” (like WINDOWS1) in a file computers.txt that you want to resolve to complete DNS host names.

The Solution

https://gist.github.com/HarmJ0y/c5bf3e37192ba682de182c3b9b066b33

The Explanation

This one’s fairly straightforward. We use gc (Get-Content) to output the list of computer shortnames, piping it to Sort-Object -Unique as a way to uniquify the list. This unique list is then piped to Get-DomainComputer, by way of % (ForEach-Object), which executes a script block (the code within {…}) once per name so we can filter by each name appropriately.

The -SearchBase X specifies the LDAP source to search through for objects. In this case, we’re using the Global Catalog (more information here), which is a partial copy of all objects in an Active Directory forest. If we specify GC:// before our current domain (pulled from $ENV:USERDNSDOMAIN), our domain’s copy of the global catalog for the entire forest will be searched instead of just our current domain. Since the “name” and “dnshostname” properties of computer objects are replicated in the global catalog, we can use this approach to quickly map shortnames (name) to fully qualified names, in this case dnshostname.

We accomplish the mapping by adding a custom -LDAPFilter for the name returned from the text list, and -Properties dnshostname will again “optimize to the left” and only return the property we care about.
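
The pipeline described above, written out as an added example (it is not the code from the linked gist). It assumes PowerView is already loaded in the session; ConvertTo-LdapFilterValue and Resolve-ShortName are hypothetical helper names, and the version here goes slightly beyond the post by escaping LDAP filter characters in each name and by reporting names that match zero or several computer objects in the forest.

```powershell
# Added example: assumes PowerView's Get-DomainComputer is available.
# ConvertTo-LdapFilterValue and Resolve-ShortName are hypothetical names.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape RFC 4515 special characters (backslash first) so a line in the
    # input file cannot change the shape of the LDAP filter.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

function Resolve-ShortName {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Domain = $ENV:USERDNSDOMAIN
    )
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |              # drop blank lines
        Sort-Object -Unique |              # de-duplicate the short names
        ForEach-Object {
            $short  = $_
            $filter = "(name=$(ConvertTo-LdapFilterValue $short))"
            # GC:// searches the global catalog, so every domain in the
            # forest is covered; only dnshostname is requested.
            $hits = @(Get-DomainComputer -SearchBase "GC://$Domain" `
                        -LDAPFilter $filter -Properties dnshostname)
            if ($hits.Count -eq 0) {
                [pscustomobject]@{ ShortName = $short; DnsHostName = $null; Status = 'NotFound' }
            } else {
                # The same short name can exist in more than one domain.
                $status = if ($hits.Count -gt 1) { 'Ambiguous' } else { 'Resolved' }
                foreach ($h in $hits) {
                    [pscustomobject]@{ ShortName = $short; DnsHostName = $h.dnshostname; Status = $status }
                }
            }
        }
}

Resolve-ShortName -Path .\computers.txt
```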
