AD Attack Defense
# check user mohsen groups
net user mohsen /domain
# check with user is in DA:
net group "domain admins" /domain
we can disable SAM protocol for prevent call net user function for local user
we make GPO with name sam_disable and assign to domain admin
we sent below policie and only admin can call this function
gpupdate /force
attacker use ADSI query !
([adsisearcher]"(&(objectCategory=group)(cn=Domain Admins))").FindAll() | ForEach-Object {$_.Properties.member}