I will attempt to be flexible and offer as many alternatives as possible when it comes to operational tradecraft. In each of the sections within the RT Codex, I will list where I can the different techniques / commands to achieve the same goal.

When enumerating Domain objects, we have a myriad of options and techniques to do this, but certain techniques may be required in your specific scenario.

For example, It is entirely possible, from experience, during an engagement that certain techniques such as powershell.exe / cmd.exe / net.exe are off the table due to whatever detection / protection may be in place, therefore as operators we need alternatives.

The data should mostly be split up into pivot tables like below where possible.

C:\> echo %USERDNSDOMAIN%

PS C:\> Get-Domain

System.Environment.UserDomainName

PS C:\> Get-ADDomain