Skip to main content
The Sam tool connects to the Security Accounts Manager on a remote Windows system and enumerates user accounts, groups, and aliases. It queries general and account-level info for each object returned.

Subcommands

CommandDescription
enumusersEnumerate user accounts
enumgroupsEnumerate groups
enumaliasesEnumerate aliases
For help on any subcommand, run Sam <subcommand> -h.

Common options

All Sam subcommands share these authentication and connection options:
-UserName (-u)
UserPrincipalName
User name to authenticate with (not including the domain).
-UserDomain (-ud)
string
Domain of the authenticating user.
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for pass-the-hash authentication.
-Anonymous
boolean
Use anonymous login.
-Kdc (-K)
host:port
KDC endpoint. Required to enable Kerberos.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-AesKey
HexString
AES-128 or AES-256 Kerberos key.
-HostAddress (-ha)
string[]
Override network address(es) of the server.
-UseTcp4Only (-4)
boolean
Use TCP over IPv4 only.
-UseTcp6Only (-6)
boolean
Use TCP over IPv6 only.
-EncryptRpc
boolean
Encrypt RPC messages.
-PreferSmb
boolean
Connect over a named pipe instead of TCP when supported.
-Socks5
host:port
SOCKS5 proxy endpoint.

enumusers

Enumerates user accounts from the SAM database on a remote system. For each user, Sam enumusers queries the general account info and returns details such as the account name, SID, full name, last logon time, and password information. 
Sam enumusers [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-OutputFields
string[]
Fields to display. Available: AccountName, Domain, AccountType, Id, Sid, FullName, AdminComment, PasswordLastSet, LastLogon, BadPasswordCount.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-ContinueOnError
boolean
default:"true"
Continue even if errors occur for individual accounts.

Examples

# Enumerate all users with default fields
Sam enumusers LUMON-DC1 -UserName milchick -Password Br3@kr00m!

# Enumerate users with full details
Sam enumusers LUMON-DC1 -UserName milchick -Password Br3@kr00m! -OutputFields AccountName,Sid,FullName,PasswordLastSet,LastLogon,BadPasswordCount

# Output as JSON
Sam enumusers LUMON-DC1 -UserName milchick -Password Br3@kr00m! -OutputStyle Json
  • Lsa — enumerate LSA policy accounts, manage privileges and access rights
  • Kerb — request Kerberos tickets for authentication

Build docs developers (and LLMs) love

Get started for freeTalk to us