Bufu-Sec Wiki

GPOs

General

  • Security settings

  • Registry-based policy settings

  • Group Policy Preferences (GPP) such as startup/shutdown/logon/logoff script settings

  • Software installation

  • Abused for privilege escalation, backdoors and persistence

Display RSoP Summary Data

gpresult /R

# AD Module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html

Get List of GPOs in Current Domain

# AD Module
Get-GPO -All

# PowerView
Get-NetGPO
Get-NetGPO | Select displayname
Get-NetGPO -ComputerName ws01.lab.local
Get-DomainGPO -ComputerIdentity windows1.testlab.local

Get GPO(s) Which Use Restricted Groups or groups.xml for Interesting Users

Get-NetGPOGroup
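As an added example (not from this wiki or from PowerView), the snippet below parses the two SYSVOL artefacts that Get-NetGPOGroup reads, a Group Policy Preferences Groups.xml and the Restricted Groups section of GptTmpl.inf, into one table of which principal a GPO places in which local group, so the mappings can be reviewed. The XML and INF contents are constructed samples and Get-GpoLocalGroupEntry is a hypothetical helper name.

```powershell
# Constructed sample of a Group Policy Preferences Groups.xml (normally read from
# \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Preferences\Groups\Groups.xml)
$GroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group name="Administrators (built-in)" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="LAB\Helpdesk" action="ADD" sid="S-1-5-21-1-2-3-1105"/>
        <Member name="LAB\OldAdmins" action="REMOVE" sid="S-1-5-21-1-2-3-1106"/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

# Constructed sample of the Restricted Groups section of GptTmpl.inf
# (normally read from ...\Policies\<GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
$GptTmplInf = @'
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = LAB\RDP-Users,*S-1-5-21-1-2-3-1107
'@

# Hypothetical helper name; emits one object per (local group, member) mapping
function Get-GpoLocalGroupEntry {
    param([string]$GroupsXml, [string]$GptTmplInf)
    # GPP: each <Member> is added to or removed from the local group named in <Properties>
    $xml = [xml]$GroupsXml
    foreach ($g in $xml.Groups.Group) {
        foreach ($m in $g.Properties.Members.Member) {
            [pscustomobject]@{ Source = 'Groups.xml'; LocalGroup = $g.Properties.groupName
                               Member = $m.name;      Action = $m.action }
        }
    }
    # Restricted Groups: "<group>__Members = a,b" enforces exactly that membership.
    # Only __Members lines are read; __Memberof lines (reverse direction) are skipped.
    foreach ($line in ($GptTmplInf -split "`r?`n")) {
        if ($line -match '^\*?(?<grp>[^_]+)__Members\s*=\s*(?<members>.+)$') {
            $grp = $Matches.grp; $members = $Matches.members
            foreach ($m in ($members -split ',')) {
                [pscustomobject]@{ Source = 'GptTmpl.inf'; LocalGroup = $grp
                                   Member = $m.Trim().TrimStart('*'); Action = 'ENFORCE' }
            }
        }
    }
}

Get-GpoLocalGroupEntry -GroupsXml $GroupsXml -GptTmplInf $GptTmplInf | Format-Table -AutoSize
```

Members and groups that appear as SIDs can be resolved afterwards with Get-ADObject or ConvertFrom-SID; the parser deliberately leaves them as written in the policy file.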

Get Users Which Are in a Local Group of a Machine Using GPO

Find-GPOComputerAdmin -ComputerName ws01.lab.local

Get Machines where the given User is a Member of a Specific Group

Find-GPOLocation -UserName user -Verbose

Enumerate the Machines on Which a Given User/Group Identity Has Local Admin Rights

# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

Enumerate the Machines on Which a Given User in the Specified Domain Has RDP Access Rights

Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP

Export a CSV of All GPO Mappings

Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv