Get started with adPEAS v2 in under 5 minutes.
```powershell
Import-Module .\adPEAS.ps1

# From a domain-joined machine (uses current user)
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth

# With credentials
Invoke-adPEAS -Domain "contoso.com" -Credential (Get-Credential)

# With username and password
Invoke-adPEAS -Domain "contoso.com" -Username "john.doe" -Password "P@ssw0rd!"
```

That's it! adPEAS will enumerate the domain and display findings.

adPEAS v2 supports two usage patterns:
Connect and scan in a single command:
```powershell
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth
```

Establish a session first, then run multiple operations:

```powershell
# Step 1: Connect
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth

# Step 2: Run full scan
Invoke-adPEAS

# Step 3: Run individual checks as needed
Get-KerberoastableAccounts
Get-DomainTrusts
Get-PrivilegedGroupMembers

# Step 4: Disconnect when done
Disconnect-adPEAS
```

The session-based approach is recommended for interactive assessments.

For interactive exploration, enable tab-completion for quick object lookup:
```powershell
# Connect with tab-completion cache
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth -BuildCompletionCache

# Now use TAB to autocomplete object names:
Get-DomainUser -Identity adm[TAB]      # → "administrator"
Get-DomainGroup -Identity Domain[TAB]  # → "Domain Admins", "Domain Users", ...
Get-DomainGPO -Identity Def[TAB]       # → "Default Domain Policy"
```

See Helper-Functions for more details.

```powershell
# Uses current Windows credentials
Import-Module .\adPEAS.ps1
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth

# Specify credentials explicitly
Import-Module .\adPEAS.ps1
$cred = Get-Credential # Enter domain\username and password
Invoke-adPEAS -Domain "contoso.com" -Credential $cred

# Target a specific DC
Invoke-adPEAS -Domain "contoso.com" -Server "dc01.contoso.com" -Username "john.doe" -Password "P@ssw0rd!"

# Force LDAPS connection
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -UseLDAPS

# Skip Kerberoast, ASREPRoast, and BloodHound collection
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -OPSEC
```

OPSEC mode skips:
- Kerberoasting (TGS ticket requests)
- AS-REP Roasting (AS-REQ without pre-auth)
- BloodHound collection (many LDAP queries)

```powershell
# Include privileged accounts (Domain Admins, etc.) in permission checks
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -IncludePrivileged
```

By default, adPEAS filters out expected privileged accounts (Domain Admins, Enterprise Admins, etc.) from permission findings to focus on actual misconfigurations. Use `-IncludePrivileged` to see ALL accounts with dangerous permissions:
- Privileged accounts are shown in yellow (expected)
- Non-privileged accounts are shown in red (findings)

```powershell
# Default: All formats - creates adPEAS_out.txt, adPEAS_out.html and adPEAS_out.json
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Outputfile .\adPEAS_out

# Text output only - creates adPEAS_out.txt
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Outputfile .\adPEAS_out -Format Text

# HTML output only - creates adPEAS_out.html
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Outputfile .\adPEAS_out -Format HTML

# Text output without colors (plain text for editors)
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Outputfile .\adPEAS_out -Format Text -NoColor

# Console output without colors
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -NoColor
```

Output Formats:

| Format | Description |
|---|---|
| All (default) | Creates .txt, .html and .json files |
| Text | Plain text file with ANSI colors (viewable with cat or Get-Content) |
| HTML | Interactive HTML report with filtering, search, and tooltips |
| JSON | Machine-readable JSON export for offline conversion and report comparison |

Note: The file extension is added automatically based on the format. Just provide the base filename without extension.

```powershell
# Enable verbose logging to file for detailed troubleshooting
# -VerboseLogging automatically enables -Verbose for console output
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Outputfile .\report -VerboseLogging

# This writes timestamped verbose messages to the output text file:
# 2026-01-14 18:42:15 [Verbose] [Get-DomainUser] Querying users...
# 2026-01-14 18:42:16 [Verbose] [Get-DomainComputer] Found 50 computers
```

Requirements:
- `-Outputfile` must be specified (VerboseLogging requires a text file destination)
- `-VerboseLogging` writes verbose messages to the output file AND automatically enables `-Verbose` for console output

Use Case: When you need to analyze what adPEAS is doing internally, or when reporting issues.

```powershell
# Run modules separately and merge into a single report
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth

# First module - creates report files + JSON cache
Invoke-adPEAS -Module Domain -Outputfile .\audit

# Additional modules - findings are merged into existing report
Invoke-adPEAS -Module Creds,Rights -Outputfile .\audit -OutputAppend

# Even more modules later
Invoke-adPEAS -Module ADCS,Delegation -Outputfile .\audit -OutputAppend
```

How it works:
- Every run with `-Outputfile` creates up to 3 files: `audit.txt`, `audit.html`, and `audit.json`
- With `-OutputAppend`, new findings are merged with existing ones from the JSON file
- The HTML report is regenerated with all combined findings
- Text report is appended (new findings added at the end)
- Without `-OutputAppend`, existing reports are overwritten (default behavior)

JSON Export:
adPEAS automatically saves all findings to a JSON file (<basename>.json) alongside the report files. This enables:
- Incremental scanning with `-OutputAppend` (merge findings across runs)
- Post-processing and analysis of scan results in external tools
- Machine-readable export of all findings with full AD object data

Regenerate reports from a previous JSON export — without an active LDAP connection:

```powershell
Import-Module .\adPEAS.ps1

# Convert JSON to all formats (HTML + Text + re-exported JSON)
Convert-adPEASReport -InputJson ".\audit.json" -OutputPath ".\new_report"

# Only HTML report
Convert-adPEASReport -InputJson ".\audit.json" -OutputPath ".\new_report" -Format HTML

# Only Text report (plain text without ANSI colors)
Convert-adPEASReport -InputJson ".\audit.json" -OutputPath ".\new_report" -Format Text -NoColor

# Re-export JSON with current adPEAS version metadata
Convert-adPEASReport -InputJson ".\audit.json" -OutputPath ".\new_report" -Format JSON

# With license for branded reports
Convert-adPEASReport -InputJson ".\audit.json" -OutputPath ".\new_report" -License ".\license.json"
```

Use cases:
- Regenerate reports with a newer adPEAS version (updated finding definitions, scoring, templates)
- Create reports offline from previously collected scan data
- Convert between output formats (e.g., JSON-only scan to HTML report)
Compare findings across two scans to track remediation progress:

```powershell
Import-Module .\adPEAS.ps1

# Compare baseline scan with current scan
Compare-adPEASReport -Baseline ".\scan_q1.json" -Current ".\scan_q2.json"

# Save diff report to file
Compare-adPEASReport -Baseline ".\scan_jan.json" -Current ".\scan_apr.json" -OutputPath ".\diff_report"
```

The diff report shows:
- New findings (in current but not in baseline) — potential new vulnerabilities
- Remediated findings (in baseline but not in current) — fixed issues
- Changed findings (severity or value changed between scans)
- Summary statistics with counts per category
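
The three categories above amount to a keyed set difference between two scans. The following is an added example, not adPEAS code or its matching logic: it classifies constructed findings into New, Remediated and Changed, and the field names `Check`, `Object`, `Severity` and `Value` are assumptions, not the adPEAS JSON schema.

```powershell
# Added example. Field names (Check, Object, Severity, Value) are hypothetical,
# not the adPEAS JSON schema; the two scans below are constructed sample data.
function ConvertTo-FindingIndex {
    param([object[]] $Findings = @())
    $map = @{}
    # Key = which check fired on which object; stable across scans.
    foreach ($f in $Findings) { $map["$($f.Check)|$($f.Object)"] = $f }
    return $map
}

function Compare-FindingSet {
    param([object[]] $Baseline = @(), [object[]] $Current = @())
    $old  = ConvertTo-FindingIndex $Baseline
    $new  = ConvertTo-FindingIndex $Current
    $keys = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        $b = $old[$key]; $c = $new[$key]
        if     (-not $b) { $status = 'New' }          # only in current scan
        elseif (-not $c) { $status = 'Remediated' }   # only in baseline scan
        elseif ($b.Severity -ne $c.Severity -or $b.Value -ne $c.Value) { $status = 'Changed' }
        else   { continue }                           # identical in both scans
        [pscustomobject]@{
            Status  = $status
            Finding = $key
            Was     = if ($b) { "$($b.Severity) $($b.Value)".Trim() } else { '-' }
            Now     = if ($c) { "$($c.Severity) $($c.Value)".Trim() } else { '-' }
        }
    }
}

# Constructed baseline and follow-up scans
$baseline = @(
    [pscustomobject]@{ Check = 'Kerberoastable'; Object = 'svc_backup'; Severity = 'High'; Value = 'RC4' }
    [pscustomobject]@{ Check = 'UnconstrainedDelegation'; Object = 'SRV01$'; Severity = 'High'; Value = '' }
)
$current = @(
    [pscustomobject]@{ Check = 'Kerberoastable'; Object = 'svc_backup'; Severity = 'Medium'; Value = 'AES256' }
    [pscustomobject]@{ Check = 'ASREPRoastable'; Object = 'j.doe'; Severity = 'High'; Value = '' }
)

$diff = Compare-FindingSet -Baseline $baseline -Current $current
$diff | Format-Table -AutoSize
$diff | Group-Object Status | Select-Object Name, Count   # counts per category
```

Choosing the key matters for remediation tracking: if it included a field that changes between runs, one finding would be reported as one remediated plus one new instead of one changed.
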
```powershell
# Collect data for BloodHound CE attack path analysis
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth
Invoke-adPEASCollector

# Output: <timestamp>_CONTOSO.COM_BloodHound.zip
# Import the ZIP into BloodHound CE
```

See BloodHound-Collector for detailed documentation.

Run only specific security check categories:

```powershell
# Single module
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Module Domain

# Multiple modules
Invoke-adPEAS -Domain "contoso.com" -UseWindowsAuth -Module Domain,Accounts,ADCS
```

Available modules (ordered by severity/impact):

| Module | Description |
|---|---|
| Domain | Domain configuration, trusts, password policy |
| Creds | Kerberoast, ASREPRoast, credential exposure |
| Rights | ACLs, DCSync, password reset rights |
| Delegation | Unconstrained, constrained, RBCD delegation |
| ADCS | Certificate templates, ESC vulnerabilities |
| Accounts | Privileged accounts, protected users, inactive admins |
| GPO | GPO permissions, local group membership |
| Computer | LAPS, outdated systems, infrastructure servers |
| Application | Exchange, SCCM, SCOM infrastructure |
| Bloodhound | BloodHound CE collector |

Run specific checks without the full scan:

```powershell
# First establish a session
Connect-adPEAS -Domain "contoso.com" -UseWindowsAuth

# Then run individual checks
Get-KerberoastableAccounts    # Find Kerberoastable accounts
Get-ASREPRoastableAccounts    # Find AS-REP roastable accounts
Get-UnconstrainedDelegation   # Find unconstrained delegation
Get-ConstrainedDelegation     # Find constrained delegation
Get-DomainTrusts              # Enumerate domain trusts
Get-PrivilegedGroupMembers    # List privileged group members
Get-DangerousACLs             # Find dangerous ACLs on domain root
Get-ADCSVulnerabilities       # Find ADCS misconfigurations
# Get-...
```

adPEAS uses color-coded output:

| Symbol | Color | Meaning |
|---|---|---|
| `[?]` | Blue | Section header / Information |
| `[!]` | Red | Finding / Vulnerability |
| `[+]` | Yellow | Interesting hint for investigation |
| `[*]` | Green | General note / Information |
| `[#]` | Red on Yellow | Secure configuration |

Example output:

```text
[?] Analyzing Kerberoastable Accounts
[!] Found 3 Kerberoastable service accounts
sAMAccountName: svc_backup
servicePrincipalName: MSSQLSvc/db01.contoso.com:1433
...
[+] Account has weak encryption (RC4)
```

View current session details:

```powershell
# Show session info
Get-adPEASSession

# Test connection health
Get-adPEASSession -TestConnection
```

End your session when finished:

```powershell
Disconnect-adPEAS
```

- Authentication-Methods - Learn about all authentication options
- Security-Checks - Detailed reference for all checks
- Core-Functions - Use individual query functions