{
	"id": "b08ed10a-a07f-496d-9cab-acf43b1dd0b9",
	"created_at": "2026-04-06T00:06:36.060642Z",
	"updated_at": "2026-04-10T03:20:05.568519Z",
	"deleted_at": null,
	"sha1_hash": "7e1dc157abd56b85951fb8866ff6915c207a0bd7",
	"title": "GPP Password Retrieval with PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64934,
	"plain_text": "GPP Password Retrieval with PowerShell\r\nArchived: 2026-04-05 17:39:46 UTC\r\nLast week, I read a great post entitled \"Exploiting Windows 2008 Group Policy Preferences\" that I wish I saw\r\nsooner.  The article included a nice Python script to accomplish the task of decrypting passwords that were set\r\nusing the GPP feature in Windows 2008 domains.  However, it looked like something that would be handy to have\r\nin a PowerShell script.  Before I continue, I would like to point out the updated disclaimer; it certainly applies to\r\nthis post.\r\nYou should read the original article, but the quick summary is that it's possible for any authenticated user (this\r\nincludes machine accounts) on the domain to decrypt passwords that are enforced with Windows 2008 Group\r\nPolicy Preferences.  From my experience, this practice is common for larger domains which need to set different\r\nlocal administrator (\"500\" account) passwords for different OUs.\r\nPython is an excellent scripting language, but PowerShell has two notable advantages in this specific use-case. \r\nFirst, PowerShell does not require any additional libraries since it has access to the entire .NET framework. \r\nSecond, PowerShell is installed by default on all modern Windows systems, including Windows Server 2008, so it\r\ncan be used right from the machine you are on.\r\nThe following Get-GPPPassword PowerShell script can be used by penetration testers to elevate to local\r\nadministrator privileges (on your way to Domain Admin) by downloading the \"groups.xml\" file from the domain\r\ncontroller and passing it to the script.  The files are typically found in:\r\n\\\\domain\\SYSVOL\\domain\\Policies\\{*}\\Machine\\Preferences\\Groups\\Groups.xml\r\nGet-GPPPassword (Use Updated Version)\r\nTo run the function, just copy and paste the text into PowerShell and type 'Get-GPPPassword'.  This will in effect\r\nbypass the ExecutionPolicy.\r\nWriting this script ended up not being as easy as I originally thought, mostly due to never dealing with .NET and\r\ncrypto before.  I would like to thank Matt Graeber for solving the null IV issue, Mike Santiago for general code\r\nimprovements and of course Emilien Girault (and the Sogeti ESEC Pentest team for their detailed writeup).\r\nTry it out and let me know what you think.\r\n***Update 26 May 2012***\r\nYou can also download the maintained version of the script from the PowerSploit repository on GitHub.  It already\r\nhas some great scripts for Windows post-exploitation on it!\r\nhttps://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html\r\nPage 1 of 2\n\n***Update 16 June 2012***\r\nUpdated the script block with the improvements from Matt Graeber.  Matt wrapped it into a function and\r\napparently saved a puppy by creating a new object (avoiding the use of write-host).\r\n***Update 3 July 2013***\r\nI have reorganized and rewritten the script. You can find the updated version and read about it here.\r\n-Chris\r\nSource: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html"
	],
	"report_names": [
		"gpp-password-retrieval-with-powershell.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e1dc157abd56b85951fb8866ff6915c207a0bd7.pdf",
		"text": "https://archive.orkl.eu/7e1dc157abd56b85951fb8866ff6915c207a0bd7.txt",
		"img": "https://archive.orkl.eu/7e1dc157abd56b85951fb8866ff6915c207a0bd7.jpg"
	}
}