GPOs

General

Security settings
Registry-based policy settings
GPP like start/shutdown/log-on/logff script settings
Software installation
Abused for privesc, backdoors, persistence

Display RSoP Summary Data

gpresult /R

# AD Module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html

Get List of GPOs in Current Domain

# AD Module
Get-GPO -All

# PowerView
Get-NetGPO
Get-NetGPO | Select displayname
Get-NetGPO -ComputerName ws01.lab.local
Get-DomainGPO -ComputerIdentity windows1.testlab.local

Get GPO(s) Which Use Restricted Groups or groups.xml for Interesting Users

Get-NetGPOGroup

Get Users Which Are in a Local Group of a Machine Using GPO

Find-GPOComputerAdmin -ComputerName ws01.lab.local

Get Machines where the given User is a Member of a Specific Group

Find-GPOLocation -UserName user -Verbose

Enumerate what Machines that a Particular User/Group Identity Has Local Admin Rights to

# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

Enumerate what Machines that a given User in the Specified Domain Has RDP Access Rights to

Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP

Export a CSV of All GPO Mappings

Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

PreviousOUs NextACLs

Last updated 2 years ago