<#
Now, I'm assuming that whatever device I'm using has the RSAT tools installed on it, otherwise I'm kinda boned. I'm also making the assumption that "FT" and "FL" don't really count as additional commands, as they just format the output of what I'm looking for to be more readable. I'd start by opening up PowerShell using the "-executionpolicy bypass" option in order to make sure that none of my commands would get rejected, and then from my prompt, these would probably be my 5 commands:
#>
Get-ADDomainController
<#
This will give me the DC my client was authenticated against, which is a useful bit of info that I can use later on in anything more advanced. It'll also spit out a ton of info about the site I'm at and some OU information.
#>
Get-DhcpServerv4Scope
<#
With no parameters, this should give me all of the DHCP scopes in the environment, giving me a huge amount of knowledge about the network architecture.
#>
Get-ADGroupMember "Domain Admins"
<#
Hey, look at that, I know all of your domain admins now as well as what OU they are located in. That's some handy info I can use for phishing later on.
#>
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion
<#
This command will give me a list of all of your computers in AD. If I had exported this to a CSV using either "Export-Csv" or just using ">" to redirect the command's output into a file, I would have a really nice hardware inventory I could work off of.
That's all I can come up with at the moment. But I feel like you can learn a lot from those commands. I'm sure others can learn more from fewer commands, but my out-of-the-box thinking cap isn't on right now.
#>
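The four one-liners above carried through as one script, as an added example that is not part of the original paste. It assumes (not stated on the page) that the RSAT ActiveDirectory and DhcpServer modules are installed on a domain-joined host and that the `$OutDir` parameter (a hypothetical name chosen here) points at a writable folder. It also handles two things the one-liners skip: `Get-DhcpServerv4Scope` without `-ComputerName` queries the local machine, not "the environment", so the authorized DHCP servers are looked up in AD first; and `Get-ADGroupMember` without `-Recursive` misses accounts that are Domain Admins only through a nested group.

```powershell
# Added example (not from the original paste): the same recon idea as one
# script, exporting everything to CSV and handling the caveats noted above.
# Assumptions: RSAT ActiveDirectory + DhcpServer modules, domain-joined host,
# and a writable $OutDir (hypothetical parameter name).
#Requires -Modules ActiveDirectory, DhcpServer

param(
    [string]$OutDir = (Join-Path $env:TEMP 'ad-recon')
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Which DC authenticated this session, and which AD site it sits in.
Get-ADDomainController |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'dc.csv')

# 2. DHCP scopes. With no -ComputerName, Get-DhcpServerv4Scope asks the LOCAL
#    box, which on a workstation is not a DHCP server. Get-DhcpServerInDC reads
#    the list of authorized DHCP servers from AD; each is then queried in turn.
#    Remote scope reads normally need DHCP Users/Administrators rights on that
#    server, so failures are logged rather than aborting the run.
$scopes = foreach ($srv in Get-DhcpServerInDC) {
    try {
        Get-DhcpServerv4Scope -ComputerName $srv.DnsName -ErrorAction Stop |
            Select-Object @{n = 'Server'; e = { $srv.DnsName }},
                          ScopeId, SubnetMask, StartRange, EndRange, State
    } catch {
        Write-Warning "DHCP query failed for $($srv.DnsName): $_"
    }
}
$scopes | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'dhcp-scopes.csv')

# 3. Domain Admins, expanded through nested groups, then resolved to user
#    objects so the CSV carries mail and password-age info, not just DNs.
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties mail, LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Name, mail, DistinguishedName,
                  LastLogonDate, PasswordLastSet |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'domain-admins.csv')

# 4. Computer inventory. Request only the attributes needed rather than
#    -Properties *, which pulls every attribute of every computer object.
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion,
                                      LastLogonDate, IPv4Address |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion,
                  LastLogonDate, IPv4Address |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'computers.csv')

Get-ChildItem $OutDir
```

Every step here is an ordinary LDAP read that any authenticated domain user can perform; only the remote DHCP scope read needs extra rights. From the defender's side that is the point worth noting: the recursive Domain Admins lookup and the full computer enumeration are exactly the queries that DC-side LDAP auditing and PowerShell script-block logging (Event ID 4104) will record, so they are also what a detection should be watching for.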