Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


An LDAP based Active Directory object (users, groups, and computers) enumeration tool.


ad-ldap-enum is a Python script developed to collect users/computers and their group memberships from Active Directory. In large Active Directory environments, tools such as NBTEnum were not performing fast enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and quickly build out group membership. ad-ldap-enum outputs three tab delimited files:

  • Domain_Group_Membership.csv
  • Extended_Domain_User_Information.csv
  • Extended_Domain_Computer_Information.csv

The first file contains users, computers, groups, and their memberships. The second file contains users and extra information about the users from Active Directory (e.g. a user's home folder or email address). The third file contains computers in the 'Domain Computers' group and extra information about them from Active Directory (e.g. operating system type and service pack version). ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user's actual group membership. This tool also supports password and Pass-the-Hash (PtH) LM:NTLM style authentication. ad-ldap-enum also supports LDAP over SSL/TLS connections, IPv4, and IPv6 networks.


The package primarily uses the ldap3 Python package to execute the LDAP connections and queries. To install all requirements, please run the below command:

python -m pip install -r 'requirements.txt'

Additionally, this tool has been built and tested against Python v3.10 on both Kali Linux and Windows 10. Regardless, this tool aims to be OS-agnostic working on both UNIX/Linux systems and Windows. Furthermore, Python 2.X will not be supported.


Please see the tool's help menu below:

usage: [-h] (-n | -u USERNAME | -dn DISTINGUISHED_NAME)
                       [-p PASSWORD] [-P] [-s] [-t TIMEOUT] [-ql QUERY_LIMIT]
                       [--verbosity {OFF,ERROR,BASIC,PROTOCOL,NETWORK,EXTENDED}]
                       [--legacy] [-x] [-o FILENAME_PREPEND] -l LDAP_SERVER
                       [--port PORT] -d DOMAIN [-a ALT_DOMAIN] [-e] [-4] [-6]

Active Directory LDAP Enumerator

optional arguments:
  -h, --help            show this help message and exit
  -n, --null            Use a null binding to authenticate to LDAP.
  -u USERNAME, --username USERNAME
                        Authentication account's username.
                        Authentication account's distinguished name
  -p PASSWORD, --password PASSWORD
                        Authentication account's password or "LM:NTLM".
  -P, --prompt          Prompt for the authentication account's password.
  -s, --secure          Connect to LDAP over SSL/TLS
  -t TIMEOUT, --timeout TIMEOUT
                        LDAP server connection timeout in seconds
  -ql QUERY_LIMIT, --query_limit QUERY_LIMIT
                        LDAP server query timeout in seconds
                        Log file LDAP verbosity level
  --legacy              Gather and output attributes using the old python-ldap
                        package .tsv format (will be deprecated)
  -x, --excel           Output an .XLSX with all 3 sheets: users/groups/computers
                        Prepend a string to all output file names.

Server Parameters:
                        FQDN/IP address of the LDAP server.
  --port PORT           TCP port of the LDAP server.
  -d DOMAIN, --domain DOMAIN
                        Authentication account's domain. If an alternative domain
                        is not specified, this will be also used as the Base DN
                        for searching LDAP.
  -a ALT_DOMAIN, --alt-domain ALT_DOMAIN
                        Alternative FQDN to use as the Base DN for searching LDAP.
  -e, --nested          Expand nested groups.
  -4, --inet            Only use IPv4 networking (default prefer IPv4)
  -6, --inet6           Only use IPv6 networking (default prefer IPv4)


Please see some examples below:

Password authentication

python '' -d -l -u 'Administrator' -p 'P@ssw0rd' -o 'ad-ldap-enum_2' --verbosity BASIC -lf 'ad-ldap-enum_Log.txt'

Pass-the-Hash LDAPS authentication

python '' -d -l -s -u 'Administrator' -p 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'


If you would like to add more attributes to the non-legacy version, the following steps can be quickly added:

  1. Find the attribute's formatted name at All Active Directory Attributes
    1. Please note that modifying the group output may be a little more difficult.
  2. Append the attribute to the applicable object list within user_attributes, group_attributes, or computer_attributes
  3. Update the object's class to have a default value (i.e., distinguished_name = '')
  4. Update the object's class to have the __init__ function parse the retrieved attribute
  5. Update the object's output section to include appending the new attribute header and value

Planned Features

We should plan to include the following features moving forward:

  • Kerberos authentication (preferably not using the Impacket suite so that the tool can be OS-agnostic)
  • LDAP signing
  • LDAP channel binding
  • ObjectSID retrieval

Pull requests are welcome!

Assorted Links

Please see some assorted reference links and similar projects:


An LDAP based Active Directory user and group enumeration tool








No releases published


No packages published