TestimoX

ADPlayground PowerShell Module

Edit on GitHub

Install and use the ADPlayground PowerShell module for Active Directory analysis: GPO, ACL, trust, replication, DNS, and user/group management.

ADPlayground PowerShell Module

The ADPlayground module provides a broad cmdlet surface for querying, analyzing, and managing Active Directory. All cmdlets use the ADX noun prefix.

Installation

Install-Module -Name ADPlayground -Scope CurrentUser
Import-Module ADPlayground

Key Cmdlets by Area

GPO Analysis

# List all GPOs with metadata
Get-ADXGpo

# Full GPO inventory with link status
Get-ADXGpoInventory

# Scan for passwords embedded in GPOs (cpassword vulnerability)
Get-ADXGpoPassword

# Find broken GPO links
Get-ADXGpoBrokenLink

# Detect duplicate GPOs
Get-ADXGpoDuplicate

# Analyze GPO script security permissions
Get-ADXGpoScriptSecurity

# Get detailed GPO policy values
Get-ADXGpoPolicyValues -GpoName "Default Domain Policy"

ACL Management

# Read permissions on an AD object
Get-ADXAcl -DistinguishedName "CN=AdminSDHolder,CN=System,DC=corp,DC=contoso,DC=com"

# Audit well-known container permissions
Get-ADXWellKnownFolderAcl

# Restore default permissions on an object
Restore-ADXAclDefault -DistinguishedName "OU=Servers,DC=corp,DC=contoso,DC=com"

# Add an audit rule (SACL)
Add-ADXAclAuditRule -DistinguishedName "DC=corp,DC=contoso,DC=com" `
    -Principal "Everyone" -AuditFlags Success -Rights WriteProperty

Users and Groups

# Query users in list mode with expanded properties
Get-ADXUser -Domain "corp.contoso.com" -View Default

# Query a specific user in identity mode
Get-ADXUser -Identity "alice@corp.contoso.com"

# List privileged groups and their members
Get-ADXPrivilegedGroups

# Find accounts with SID history (potential security risk)
Get-ADXSidHistory

# Detect duplicate SPNs
Get-ADXDuplicateSpn

# Enumerate group members with nesting
Get-ADXGroup -Identity "Domain Admins" -IncludeMembers -RecursiveMembers

Trusts

# Enumerate all trusts
Get-ADXTrust

# Query Azure AD trust relationships
Get-ADXTrustAzure

# Configure trust properties
Set-ADXTrust -TrustName "partner.com" -SidFiltering $true

Replication

# Check replication health
Get-ADXReplicationStatus

# List replication connections
Get-ADXReplicationConnections

# Detect lingering objects across the forest
Get-ADXLingeringObject

# Narrow detection to a specific target/reference DC pair and naming context
Get-ADXLingeringObject `
    -TargetDomainController "dc1.corp.contoso.com" `
    -ReferenceDomainController "dc2.corp.contoso.com" `
    -NamingContext "DC=corp,DC=contoso,DC=com" `
    -IgnoreDeleted

# Preview the default batch cleanup behavior before removing anything
Get-ADXLingeringObject -Domain "corp.contoso.com" |
    Remove-ADXLingeringObject -WhatIf

# Use the surgical backend for one-object-at-a-time cleanup
Get-ADXLingeringObject -Domain "corp.contoso.com" |
    Select-Object -First 1 |
    Remove-ADXLingeringObject -Method RemoveLingeringObject -Confirm

Sites and Subnets

# List AD sites
Get-ADXSites

# Enumerate subnets and site mappings
Get-ADXSubnets

# Check site coverage
Get-ADXSiteCoverage

DNS Analysis

# Check DNS scavenging configuration
Get-ADXDnsScavenging

# Parse DNS debug logs
Get-ADXDnsLogFile -Path "C:\Windows\System32\dns\dns.log"

# Live-tail DNS debug logs
Watch-ADXDnsLog -Path "C:\Windows\System32\dns\dns.log"

LAPS and PKI

# Check LAPS deployment status
Get-ADXLapsDeployment

# Query KDS root key status (for gMSA)
Get-ADXKdsRootKey

Local Group Policy

# Read local GPO settings
Get-ADXLgpo

# Set a local GPO policy value
Set-ADXLgpoPolicy -Path "Software\Policies\Microsoft\Windows\System" `
    -ValueName "EnableSmartScreen" -Value 1 -Type DWord

# Export and import LGPO backups
Save-ADXLgpo -Path "C:\Backups\LGPO"
Restore-ADXLgpo -Path "C:\Backups\LGPO"

Tips

  • Most Get-ADX* cmdlets accept -Domain and -Server parameters for targeting specific domains or DCs.
  • Use Convert-ADXIdentity to translate between SID, DN, and SAM account name formats.
  • The identity resolution cache size can be tuned with Set-ADXIdentityCacheSize for large environments.
  • For lingering-object cleanup, prefer -WhatIf first. RemoveLingeringObject is per object, while DsReplicaVerifyObjects removes the full target/reference/naming-context batch.

Generated Reference