GPO
Enumerate GPO
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
List GPO ACL according to the user who executed the command
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=<domain>,DC=<local>" -ResolveGUIDs | Where-Object { $_.ObjectAceType -eq "Group-Policy-Container" }
Identify the systems on which a specific GPO is applied
PowerView
Get-DomainOU -GPLink '<GPO_GUID_NAME>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
Find all users with RID > 1000 with edit rights over GPO
PowerView
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' [-Domain <TRUSTED_DOMAIN>] | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
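The filter above, written as a reusable audit function for reviewing GPO delegation. This is an added example, not code from the original page or from PowerView. It goes slightly beyond the one-liner by comparing the RID numerically, limiting matches to domain SIDs (S-1-5-21-...) and skipping deny ACEs. The function name, the `MinRid` parameter and the sample rows are assumptions constructed for illustration; the property names are assumed to match the ACL objects PowerView returns.

```powershell
# Added example: audit filter for GPO ACEs (not PowerView code).
# Property names are assumed to match PowerView ACL output; sample rows are constructed.
function Find-GpoEditDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Ace,
        [uint32] $MinRid = 1000   # hypothetical parameter: lowest RID treated as non-default
    )
    begin { $editRights = 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner' }
    process {
        # A deny ACE restricts access, so it is not a delegation finding.
        if ("$($Ace.AceType)" -notmatch 'Allowed') { return }
        if ("$($Ace.ActiveDirectoryRights)" -notmatch $editRights) { return }
        # Only domain SIDs (S-1-5-21-...) end in an account RID.
        $sid = "$($Ace.SecurityIdentifier)"
        $m = [regex]::Match($sid, '^S-1-5-21-\d+-\d+-\d+-(\d+)$')
        if (-not $m.Success) { return }
        $rid = [uint32]$m.Groups[1].Value
        if ($rid -lt $MinRid) { return }
        [pscustomobject]@{
            GpoDN  = $Ace.ObjectDN
            Sid    = $sid
            Rid    = $rid
            Rights = "$($Ace.ActiveDirectoryRights)"
        }
    }
}

# Constructed sample ACEs (placeholder GPO GUID and domain SID).
$gpo = 'CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=local'
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    # Built-in Domain Admins RID: below the threshold, filtered out.
    [pscustomobject]@{ ObjectDN = $gpo; SecurityIdentifier = "$dom-512"
                       ActiveDirectoryRights = 'GenericAll'; AceType = 'AccessAllowed' }
    # Non-default principal with edit rights: reported.
    [pscustomobject]@{ ObjectDN = $gpo; SecurityIdentifier = "$dom-1104"
                       ActiveDirectoryRights = 'WriteProperty, WriteDacl'; AceType = 'AccessAllowed' }
    # Deny ACE: filtered out.
    [pscustomobject]@{ ObjectDN = $gpo; SecurityIdentifier = "$dom-1105"
                       ActiveDirectoryRights = 'GenericWrite'; AceType = 'AccessDenied' }
    # Read-only rights: filtered out.
    [pscustomobject]@{ ObjectDN = $gpo; SecurityIdentifier = "$dom-1106"
                       ActiveDirectoryRights = 'ReadProperty, GenericExecute'; AceType = 'AccessAllowed' }
)

$sample | Find-GpoEditDelegation | Format-Table -AutoSize
```

In a live review, pipe the output of the `Get-DomainObjectAcl` query above into the function instead of `$sample`, then compare the reported principals against the documented GPO delegation.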
Find all GPOs that apply to a given machine
PowerView
Get-DomainGPO -ComputerIdentity <MACHINE_FQDN>
List all GPOs that modify local group membership
PowerView
Get-DomainGPOLocalGroup
The following command returns the administrators defined by GPO.
Get-DomainGPOUserLocalGroupMapping