# Group policies

## Theory

In certain scenarios, an attacker can gain control over GPOs. Some ACEs can give that control (see [this BlackHat conf](https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf), page 28):

* `WriteProperty` to the `GPC-File-Sys-Path` property of a GPO (specific GUID specified)
* `GenericAll`, `GenericWrite`, `WriteProperty` to any property (no GUID specified)
* `WriteDacl`, `WriteOwner`

This page is about enumeration, for GPO-based attacks, please refer to [this page](/ad/movement/group-policies.md).

## Practice

### PowerView

{% tabs %}
{% tab title="Dump All GPO" %}
We can enumerate interesting GPO's domain Object's ACL using `Get-NetGPO` and `Get-ObjectAcl` from [Powersploit](https://github.com/PowerShellMafia/PowerSploit/)'s [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1).

```powershell
#Enumerate all GPO ACLs
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} |select-object @{Name='SecurityIdentifierName';Expression={"$($_.SecurityIdentifier.Value|Convert-SidToName)"}},@{Name='SecurityIdentifierSID';Expression={"$($_.SecurityIdentifier.Value)"}},@{Name='ActiveDirectoryRights';Expression={"$($_.ActiveDirectoryRights)"}},ObjectDN|ConvertTo-Json -Compress|Out-File gpos.json
```

Then, on your attacking machine, we can use the following command to format results

```bash
#From UTF-16LE to UTF-8
dos2unix gpo.json

#Parsing json results
cat gpo.json|jq '.[]| "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectDN)"'
```

{% hint style="info" %}
You may resolve computer names linked with a GPO as follow

```powershell
Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}
```

{% endhint %}
{% endtab %}

{% tab title="Interesting GPO" %}
We can enumerate interesting GPOs and GPO's ACLs using `Get-NetGPO` and `Get-ObjectAcl` from [Powersploit](https://github.com/PowerShellMafia/PowerSploit/)'s [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1).

```powershell
#Enumerate GPO's ACLs for an user
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "CONTOSO\YourUser"}

#Policies Applied to a Given Computer
Get-DomainGPO -ComputerIdentity COMPUTER01 -Properties Name, DisplayName

#Enumerate a given GPO
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO

#OUs with a Given Policy Applied
Get-DomainOU -GPLink "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" -Properties DistinguishedName
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#gpo-delegation>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://red.infiltr8.io/ad/recon/objects-and-settings/group-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.