
ADRecon – Active Directory Recon

ADRecon provides a holistic picture of the current state of an AD environment. It can be used by Blue Team, Purple Team, Red Team, System Administrators, or any security professional to extract and combine various artifacts from an AD environment.

The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.

The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester.

The following modules are included with the tool:

  • Forest
  • Domain
  • Trusts
  • Sites
  • Subnets
  • Default Password Policy
  • Fine Grained Password Policy (if implemented)
  • Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles
  • Users and their attributes
  • Service Principal Names (SPNs)
  • Groups and memberships
  • Organizational Units (OUs)
  • ACLs for the Domain, OUs, Root Containers and GroupPolicy objects
  • Group Policy Object details
  • DNS Zones and Records
  • Printers
  • Computers and their attributes
  • LAPS passwords (if implemented)
  • BitLocker Recovery Keys (if implemented)
  • GPOReport (requires RSAT).

Getting Started

These instructions will get you a copy of the tool up and running on your local machine.

Prerequisites

  • .NET Framework 3.0 or later (Windows 7 includes 3.0)
  • PowerShell 2.0 or later (Windows 7 includes 2.0)

Optional

  • Microsoft Excel (needed only to generate ADRecon-Report.xlsx on the host that runs the collection; without it, use -GenExcel on a host that has Excel)

Installing

If you have git installed, you can start by cloning the repository:

git clone https://github.com/sense-of-security/ADRecon.git

Otherwise, you can download a zip archive of the latest release. The intent is to always keep the master branch in a working state.

Usage

Examples

To run ADRecon on a domain member host:

PS C:\> .\ADRecon.ps1

To run ADRecon on a domain member host as a different user:

PS C:\> .\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username>

To run ADRecon on a non-member host using LDAP:

PS C:\> .\ADRecon.ps1 -Protocol LDAP -DomainController <IP or FQDN> -Credential <domain\username>

To run ADRecon with specific modules on a non-member host with RSAT (the default OutputType is STDOUT when -Collect is given):

PS C:\> .\ADRecon.ps1 -Protocol ADWS -DomainController <IP or FQDN> -Credential <domain\username> -Collect Domain, DomainControllers

To generate ADRecon-Report.xlsx from existing ADRecon output (the CSV files):

PS C:\> .\ADRecon.ps1 -GenExcel C:\ADRecon-Report-<timestamp>

When you run ADRecon, an ADRecon-Report-<timestamp> folder is created containing ADRecon-Report.xlsx and a folder with the raw CSV files.

Parameters

-Protocol <String>
    Which protocol to use; ADWS (default) or LDAP

-DomainController <String>
    Domain Controller IP Address or Domain FQDN.

-Credential <PSCredential>
    Domain Credentials.

-GenExcel <String>
    Path for ADRecon output folder containing the CSV files to generate the ADRecon-Report.xlsx. Use it to generate the ADRecon-Report.xlsx when Microsoft Excel is not installed on the host used to run ADRecon.

-OutputDir <String>
    Path for ADRecon output folder to save the CSV/XML/JSON/HTML files and the ADRecon-Report.xlsx. (The folder specified will be created if it doesn't exist) (Default pwd)

-Collect <String>
    Which modules to run (comma separated; e.g. Forest,Domain. Default: all except Kerberoast)
    Valid values include: Forest, Domain, Trusts, Sites, Subnets, PasswordPolicy, FineGrainedPasswordPolicy, DomainControllers, Users, UserSPNs, PasswordAttributes, Groups, GroupMembers, OUs, ACLs, GPOs, gPLinks, GPOReport, DNSZones, Printers, Computers, ComputerSPNs, LAPS, BitLocker, Kerberoast, DomainAccountsusedforServiceLogon.

-OutputType <String>
    Output type; comma separated; e.g. CSV,STDOUT,Excel (Default: STDOUT when -Collect is given, otherwise CSV and Excel).
    Valid values include: STDOUT, CSV, XML, JSON, HTML, Excel, All (excludes STDOUT).

-DormantTimeSpan <Int>
    Timespan for Dormant accounts. (Default 90 days)

-PassMaxAge <Int>
    Maximum machine account password age. (Default 30 days)

-PageSize <Int>
    The PageSize to set for the LDAP searcher object. (Default 200)

-Threads <Int>
    The number of threads to use during processing objects (Default 10)

-Log <Switch>
    Create ADRecon Log using Start-Transcript
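The following is an added example, not part of ADRecon or its documentation, that ties the Examples and Parameters above into one collection-and-report workflow as an incident responder would run it: collect over LDAP from a host that need not be a domain member, write CSV only into a case folder, and build the Excel report later on a workstation that has Microsoft Excel. Two additions are the editor's, not the tool's: the output folder is locked down with icacls before collection because the LAPS and BitLocker modules can write plaintext passwords and recovery keys, and a SHA-256 manifest is written so the copied output can be verified before -GenExcel runs. Assumptions not taken from the page: the domain controller, account and paths are placeholders; Get-FileHash needs PowerShell 4.0 or later (the page's minimum is 2.0); -Collect is passed an array, which is what the page's unquoted comma-separated form also produces; -GenExcel is pointed at the -OutputDir folder on the strength of the page's description ("output folder containing the CSV files").

```powershell
# Added example; not ADRecon project code. Placeholders: host names, account, paths.

function Invoke-ADReconCollection {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $OutputDir,
        # Modules relevant to most intrusion investigations; all names are from
        # the -Collect valid values. Add LAPS/BitLocker only when the case needs them.
        [string[]] $Modules = @('Domain', 'DomainControllers', 'Trusts', 'Users', 'UserSPNs',
                                'Groups', 'GroupMembers', 'ACLs', 'GPOs', 'Computers')
    )

    # Create the folder first so the restrictive ACL is in place before ADRecon
    # writes anything into it; only the collecting account keeps access.
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $OutputDir = (Resolve-Path -Path $OutputDir).Path
    $me = "$env:USERDOMAIN\$env:USERNAME"
    icacls $OutputDir /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null

    # LDAP needs no RSAT on this host. CSV only: the Excel report is generated
    # later on a host that has Excel. -Log keeps a transcript for the case notes.
    & .\ADRecon.ps1 -Protocol LDAP -DomainController $DomainController `
        -Credential $Credential -OutputDir $OutputDir `
        -Collect $Modules -OutputType CSV -Log

    # Hash manifest of everything ADRecon produced (Get-FileHash: PowerShell 4.0+).
    $manifest = Join-Path $OutputDir 'ADRecon-hashes.csv'
    Get-ChildItem -Path $OutputDir -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, @{ Name = 'RelativePath'
                               Expression = { $_.Path.Substring($OutputDir.Length).TrimStart('\') } } |
        Export-Csv -Path $manifest -NoTypeInformation
    return $manifest
}

function Test-ADReconManifest {
    # Re-hash every file listed in the manifest; throw if anything is missing or altered.
    param([Parameter(Mandatory)] [string] $OutputDir)
    $manifest = Join-Path $OutputDir 'ADRecon-hashes.csv'
    $bad = foreach ($row in Import-Csv -Path $manifest) {
        $file = Join-Path $OutputDir $row.RelativePath
        if (-not (Test-Path -Path $file) -or
            (Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $row.Hash) {
            $row.RelativePath
        }
    }
    if ($bad) { throw "ADRecon output missing or changed: $($bad -join ', ')" }
    return $true
}

# --- On the collection host ---
# Get-Credential prompts for the password, so it never sits in a script or transcript.
$cred = Get-Credential -UserName 'corp\ir-analyst' -Message 'Domain account for ADRecon'  # placeholder
$out  = 'C:\Cases\IR-0001\ADRecon'                                                        # placeholder
Invoke-ADReconCollection -DomainController 'dc01.corp.example' -Credential $cred -OutputDir $out

# --- On the analysis workstation with Microsoft Excel, after copying $out across ---
if (Test-ADReconManifest -OutputDir $out) {
    .\ADRecon.ps1 -GenExcel $out
}
```

The manifest check is what makes the split workflow defensible in a report: the CSV files that produced the Excel workbook are shown to be the ones written on the collection host. Treat the output folder as sensitive for the life of the case; even without the LAPS and BitLocker modules, the Users, ACLs and GPOs output is a ready-made map of the domain for anyone who obtains it.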

You can download the latest release over here: https://github.com/sense-of-security/
