> For the complete documentation index, see [llms.txt](https://www.impacket.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.impacket.wiki/reference/script-reference/ldap-and-ad-scripts.md).

# LDAP & AD Scripts

The LDAP and Active Directory examples show how Impacket binds to LDAP, searches directory objects, reads attributes, and edits security-sensitive properties.

## Script List

* `GetADUsers.py` -- Enumerate Active Directory users
* `GetADComputers.py` -- Enumerate Active Directory computers
* `addcomputer.py` -- Add a computer account to the domain
* `lookupsid.py` -- SID-to-name / name-to-SID lookups (brute-force RID cycling)
* `samrdump.py` -- Dump SAM database via SAMR
* `dacledit.py` -- Read/write DACLs on AD objects
* `owneredit.py` -- Modify object owners in AD
* `rbcd.py` -- Configure Resource-Based Constrained Delegation
* `findDelegation.py` -- Find delegation paths in the domain
* `Get-GPPPassword.py` -- Extract Group Policy Preferences passwords
* `GetLAPSPassword.py` -- Read LAPS passwords from AD
* `CheckLDAPStatus.py` -- Check LDAP signing and channel binding configuration
* `badsuccessor.py` -- AD privilege escalation via group membership

## Main Scripts

| Script               | Purpose                                                                  | What to study                                       |
| -------------------- | ------------------------------------------------------------------------ | --------------------------------------------------- |
| `GetADUsers.py`      | Enumerates domain users and selected attributes                          | LDAP bind, filters, paging, attribute selection     |
| `GetADComputers.py`  | Enumerates computer accounts                                             | LDAP filters for computer objects                   |
| `CheckLDAPStatus.py` | Checks LDAP server behavior and settings                                 | LDAP connection and capability checks               |
| `findDelegation.py`  | Finds unconstrained, constrained, and resource-based delegation settings | Delegation-related attributes                       |
| `GetLAPSPassword.py` | Reads LAPS passwords where allowed                                       | Attribute reads and authorization behavior          |
| `Get-GPPPassword.py` | Finds and decrypts Group Policy Preferences passwords                    | SYSVOL access, XML parsing, password decryption     |
| `addcomputer.py`     | Adds a computer account                                                  | LDAP object creation                                |
| `dacledit.py`        | Reads or modifies a principal's DACL                                     | Security descriptor parsing and ACE editing         |
| `owneredit.py`       | Reads or modifies object ownership                                       | Owner fields in security descriptors                |
| `rbcd.py`            | Reads or modifies resource-based constrained delegation                  | `msDS-AllowedToActOnBehalfOfOtherIdentity` handling |
| `badsuccessor.py`    | Works with delegated managed service account takeover research paths     | Newer AD privilege and delegation mechanics         |
| `raiseChild.py`      | Demonstrates child-to-parent domain escalation conditions                | Trusts, SIDs, and Kerberos relationships            |
| `exchanger.py`       | Abuses Exchange-related permissions and services                         | Exchange/AD permission interactions                 |
| `net.py`             | Windows-like domain and host administration helper                       | Broad account, group, and host operations           |
| `netview.py`         | Enumerates domain network information                                    | AD and SMB enumeration blend                        |

## Enumerating Users

`GetADUsers.py` is a friendly starting point for LDAP enumeration.

```bash
python examples/GetADUsers.py CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

As code, study how it creates an LDAP connection, binds with credentials, builds a search filter, and selects attributes to print.

## Enumerating Computers

`GetADComputers.py` focuses on computer objects.

```bash
python examples/GetADComputers.py CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

Computer accounts are central to Kerberos and domain administration, so this script pairs well with `getST.py`, `rbcd.py`, and `addcomputer.py`.

## Delegation Discovery

`findDelegation.py` searches for delegation settings.

```bash
python examples/findDelegation.py CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

Delegation-related scripts are best read together:

* `findDelegation.py` for discovery.
* `rbcd.py` for resource-based constrained delegation changes.
* `getST.py` for S4U ticket flows.

## Editing DACLs and Owners

`dacledit.py` and `owneredit.py` are important because they show how Impacket handles Active Directory security descriptors.

```bash
python examples/dacledit.py -action read -target 'SomeObject' CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
python examples/owneredit.py -action read -target 'SomeObject' CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

These scripts are useful references for:

* Resolving account names to SIDs.
* Reading `nTSecurityDescriptor`.
* Parsing ACEs.
* Building modified security descriptors.
* Writing changes back over LDAP.

## Computer Account Creation

`addcomputer.py` adds a machine account when the domain policy and caller privileges allow it.

```bash
python examples/addcomputer.py CONTOSO/alice:'Passw0rd!' -computer-name LAB01$ -computer-pass 'ComputerPassw0rd!' -dc-ip 10.10.10.10
```

Study this script for LDAP add operations and required object attributes.

## LAPS and GPP

`GetLAPSPassword.py` and `Get-GPPPassword.py` read sensitive administrative material exposed through AD or SYSVOL paths when permissions allow.

```bash
python examples/GetLAPSPassword.py CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
python examples/Get-GPPPassword.py CONTOSO/alice:'Passw0rd!'@dc01.contoso.local
```

These are good examples for understanding how directory reads, SMB access, and local parsing can combine in one workflow.

## Considerations

LDAP scripts are often affected by domain naming, LDAP signing, channel binding, referrals, and account permissions. When adapting them, keep search base construction, paging, and attribute selection explicit so failures are easier to debug.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.impacket.wiki/reference/script-reference/ldap-and-ad-scripts.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
