Depending on your environment, default well-known containers may have been renamed or, for example, the default locations for new users and computers may have been changed using REDIRUSR.EXE and REDIRCMP.EXE. If you need the actual DNs, you have to read the WKOs from the domain object and look at the GUID part, because those are fixed:
```powershell
$server   = "<server>"
$user     = "<username>"
$password = "<password>"   # not $pwd, which would shadow the automatic $PWD variable
$rootDSE = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$server/RootDSE", $user, $password, [System.DirectoryServices.AuthenticationTypes]::Secure)
$rootDSE.RefreshCache()
$domain = $rootDSE.defaultNamingContext
$domainEntry = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$server/$domain", $user, $password, [System.DirectoryServices.AuthenticationTypes]::Secure)
$domainEntry.RefreshCache()
foreach ($wko in $domainEntry.wellKnownObjects) {
    # wellKnownObjects is DN-Binary: every value carries the container DN plus its 16-byte GUID
    $type = $wko.GetType()
    $dn = $type.InvokeMember("DNString", [System.Reflection.BindingFlags]::GetProperty, $null, $wko, $null)
    $guidarr = $type.InvokeMember("BinaryValue", [System.Reflection.BindingFlags]::GetProperty, $null, $wko, $null)
    $guid = ([System.Guid]::new($guidarr)).Guid
    "{$($guid)} $dn"
}
```

The output will look like this (all of this is documented in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8 by the way, and if you look closely you will notice that the Managed Service Accounts container is missing because no xMSAs existed in that domain at that time):
```
{aff02762-c21f-0d41-8e3b-b10615bb5b0f} CN=NTDS Quotas,DC=tailspin-lab,DC=de
{a492bef4-77c7-5e48-878e-9421d53087db} CN=Microsoft,CN=Program Data,DC=tailspin-lab,DC=de
{080c4609-1eae-4e4a-a0f6-4aee7daa1e5a} CN=Program Data,DC=tailspin-lab,DC=de
{670cb722-6ed5-fb4e-91e9-300fca3dc1aa} CN=ForeignSecurityPrincipals,DC=tailspin-lab,DC=de
{80eae218-4f68-d211-b9aa-00c04f79f805} CN=Deleted Objects,DC=tailspin-lab,DC=de
{87c1ba2f-de0a-d211-97c4-00c04fd8d5cd} CN=Infrastructure,DC=tailspin-lab,DC=de
{b75381ab-8876-d111-aded-00c04fd8d5cd} CN=LostAndFound,DC=tailspin-lab,DC=de
{f3301dab-8876-d111-aded-00c04fd8d5cd} CN=System,DC=tailspin-lab,DC=de
{ffb261a3-d2ff-d111-aa4b-00c04fd7d83a} OU=Domain Controllers,DC=tailspin-lab,DC=de
{252831aa-8876-d111-aded-00c04fd8d5cd} CN=Computers,DC=tailspin-lab,DC=de
{15cad1a9-8876-d111-aded-00c04fd8d5cd} CN=Users,DC=tailspin-lab,DC=de
```

A function that returns just one WKO could look like this:
```powershell
function Get-WKO {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)]
        [string]$Domain,
        [Parameter(Mandatory=$true)]
        [ValidateSet('DeletedObjects','System','FSP')]
        [string]$WellKnownObject
    )
    # GUIDs in the form [System.Guid]::new(byte[]) renders them (see the output above)
    $wkoMAP = @{
        'DeletedObjects' = '80eae218-4f68-d211-b9aa-00c04f79f805'
        'System'         = 'f3301dab-8876-d111-aded-00c04fd8d5cd'
        'FSP'            = '670cb722-6ed5-fb4e-91e9-300fca3dc1aa'
        # add the rest
    }
    $wkoGuid = $wkoMAP[$WellKnownObject]
    if ([string]::IsNullOrWhiteSpace($Domain)) {
        $Domain = [System.Environment]::UserDomainName
    }
    # Resolve the domain's naming context through its crossRef in the Partitions container;
    # systemFlags 3 = FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN, matched by NetBIOS or DNS name
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext[0]
    $ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNC")
    $ds.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=3)(|(netBIOSName=$Domain)(dnsRoot=$Domain)))"
    $ds.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $null = $ds.PropertiesToLoad.Add('ncName')
    $null = $ds.PropertiesToLoad.Add('dnsRoot')
    $domainSR = $ds.FindOne()
    if ($null -eq $domainSR) { return }   # FindOne() returns $null when no crossRef matches
    $domainNC = $domainSR.Properties['ncName'][0]
    $domainFQDN = $domainSR.Properties['dnsRoot'][0]
    $domainEntry = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$domainFQDN/$domainNC")
    $domainEntry.RefreshCache()
    foreach ($wko in $domainEntry.wellKnownObjects) {
        $type = $wko.GetType()
        $guidarr = $type.InvokeMember("BinaryValue", [System.Reflection.BindingFlags]::GetProperty, $null, $wko, $null)
        $guid = ([System.Guid]::new($guidarr)).Guid
        if ($guid -eq $wkoGuid) {
            # return the DN that belongs to the requested fixed GUID
            return $type.InvokeMember("DNString", [System.Reflection.BindingFlags]::GetProperty, $null, $wko, $null)
        }
    }
}
```
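As an added example (not code from the original post), here is the complete map of the eleven GUIDs listed in the output above, a helper that converts the displayed GUID back into the 32-hex form that appears in the raw DN-Binary value and in the MS-ADTS table, and a check that compares the Users and Computers WKO DNs with the stock defaults to tell whether REDIRUSR.EXE or REDIRCMP.EXE has redirected them. The function names, the key names in the map and the sample server name are my own; the code assumes the same COM property access and current-user credentials as the post's code.

```powershell
# Display form of each WKO GUID, exactly as [System.Guid]::new(byte[]) renders it
# (values taken from the output listed above; key names are this example's own)
$WkoDisplayGuids = [ordered]@{
    'NtdsQuotas'                = 'aff02762-c21f-0d41-8e3b-b10615bb5b0f'
    'MicrosoftProgramData'      = 'a492bef4-77c7-5e48-878e-9421d53087db'
    'ProgramData'               = '080c4609-1eae-4e4a-a0f6-4aee7daa1e5a'
    'ForeignSecurityPrincipals' = '670cb722-6ed5-fb4e-91e9-300fca3dc1aa'
    'DeletedObjects'            = '80eae218-4f68-d211-b9aa-00c04f79f805'
    'Infrastructure'            = '87c1ba2f-de0a-d211-97c4-00c04fd8d5cd'
    'LostAndFound'              = 'b75381ab-8876-d111-aded-00c04fd8d5cd'
    'System'                    = 'f3301dab-8876-d111-aded-00c04fd8d5cd'
    'DomainControllers'         = 'ffb261a3-d2ff-d111-aa4b-00c04fd7d83a'
    'Computers'                 = '252831aa-8876-d111-aded-00c04fd8d5cd'
    'Users'                     = '15cad1a9-8876-d111-aded-00c04fd8d5cd'
}

function ConvertTo-WkoHexString {
    # [System.Guid]::new(byte[]) reads the first three groups as little-endian Int32/Int16/Int16,
    # so the displayed GUID is byte-swapped relative to the 32 hex digits stored in the
    # DN-Binary value (B:32:<hex>:<DN>) and printed in the MS-ADTS table. ToByteArray() undoes the swap.
    param([Parameter(Mandatory)][guid]$DisplayGuid)
    ($DisplayGuid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-WkoTable {
    # Reads wellKnownObjects from the domain NC (current credentials, optionally a specific DC)
    # and returns the domain NC plus a hashtable of display GUID -> DN.
    param([string]$Server)
    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDSE = [System.DirectoryServices.DirectoryEntry]::new("${prefix}RootDSE")
    $rootDSE.RefreshCache()
    $domainNC = [string]$rootDSE.defaultNamingContext[0]
    $domainEntry = [System.DirectoryServices.DirectoryEntry]::new("$prefix$domainNC")
    $domainEntry.RefreshCache()
    $wko = @{}
    foreach ($value in $domainEntry.wellKnownObjects) {
        # same COM/reflection access pattern as in the post's code
        $type  = $value.GetType()
        $dn    = $type.InvokeMember('DNString',    [System.Reflection.BindingFlags]::GetProperty, $null, $value, $null)
        $bytes = $type.InvokeMember('BinaryValue', [System.Reflection.BindingFlags]::GetProperty, $null, $value, $null)
        $wko[([guid]::new([byte[]]$bytes)).Guid] = [string]$dn
    }
    [pscustomobject]@{ DomainNC = $domainNC; Wko = $wko }
}

function Test-DefaultContainerRedirection {
    # Reports whether new users and computers still land in CN=Users / CN=Computers.
    # Any other DN means REDIRUSR.EXE / REDIRCMP.EXE (or a manual edit of wellKnownObjects)
    # changed the default location, which is worth knowing before auditing those containers.
    param([string]$Server)
    $info = Get-WkoTable -Server $Server
    foreach ($name in 'Users', 'Computers') {
        $actual  = $info.Wko[$WkoDisplayGuids[$name]]
        $default = "CN=$name,$($info.DomainNC)"
        [pscustomobject]@{
            Container  = $name
            DefaultDN  = $default
            ActualDN   = $actual
            Redirected = ($null -ne $actual) -and ($actual -ne $default)   # DN comparison is case-insensitive
        }
    }
}

# Usage:
#   ConvertTo-WkoHexString $WkoDisplayGuids['DeletedObjects']
#   Test-DefaultContainerRedirection | Format-Table -AutoSize
#   Test-DefaultContainerRedirection -Server dc01.example.test   # constructed DC name
```

The redirection check deliberately keys on the fixed GUIDs rather than on the container names, so it keeps working when CN=Users or CN=Computers has been renamed as described at the top of the post. The hex helper is there because the GUID strings you get from `[System.Guid]::new(byte[])` will not match the MS-ADTS table at first glance; once you reverse the byte order they do.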