GPOs
General
Security settings
Registry-based policy settings
GPP like start/shutdown/log-on/logff script settings
Software installation
Abused for privesc, backdoors, persistence
Display RSoP Summary Data
gpresult /R
# AD Module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
Get List of GPOs in Current Domain
# AD Module
Get-GPO -All
# PowerView
Get-NetGPO
Get-NetGPO | Select displayname
Get-NetGPO -ComputerName ws01.lab.local
Get-DomainGPO -ComputerIdentity windows1.testlab.local
Get GPO(s) Which Use Restricted Groups or groups.xml for Interesting Users
Get-NetGPOGroup
Get Users Which Are in a Local Group of a Machine Using GPO
Find-GPOComputerAdmin -ComputerName ws01.lab.local
Get Machines where the given User is a Member of a Specific Group
Find-GPOLocation -UserName user -Verbose
Enumerate what Machines that a Particular User/Group Identity Has Local Admin Rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
Enumerate what Machines that a given User in the Specified Domain Has RDP Access Rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
Export a CSV of All GPO Mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
Last updated