4.2 - Group Policy

Group Policy

A Group Policy Object (GPO) is a set of configurations that control the behavior of computers and users in an Active Directory environment. GPOs allow administrators to enforce security policies, software installations, and other system settings across the domain.

Key Components of GPOs

• Computer Configuration – Policies applied to computers regardless of which user logs in.

• User Configuration – Policies applied to users regardless of which computer they use.

A GPO is a virtual collection of policy settings, security permissions applicable to users and computers and they can be linked to domains, sites and OUs.

Low security level (overly permissive) and misconfiguration regarding GPO (especially into OUs context) are a good attack vector.

Enumerate GPO using PowerView

• Get list of GPO in current domain

  Get-DomainGPO
  Get-DomainGPO | select displayname
  Get-DomainGPO -ComputerIdentity dcorp-student1

• Get GPOs which use Restricted Groups or groups.xml for interesting users

  Get-DomainGPOLocalGroup

• Get users which are in a local group of a machine using GPO

  Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

• Get machines where the given user is member of a specific group

  Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

• Get OUs in a domain

  Get-DomainOU
  Get-ADOrganizationalUnit -Filter * -Properties *

• Get GPO applied on an OU, read GPOname from gplink attribute from Get-NetOU

• Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE...........}"

Another good way is using BloodHound.