📋 Group Policy
The purpose of Active Directory is to manage the computers and users of an organization, and part of that management is carried out by Group Policy.
Group Policy is a mechanism for applying a set of rules and actions to the users and computers of an Active Directory network. Some of the possibilities are:
- Disable NTLM
- Require password complexity
- Execute a scheduled or immediate task
- Create local users in computers
- Set a default wallpaper
- Synchronize files with OneDrive
- Etc
In order to define the rules, you create Group Policy Objects (GPOs). Each GPO defines a series of policies that can be applied to specific machines of the domain. Besides, you can create policies that apply to the entire machine or to user sessions. For example, you can execute a script when the computer starts or when a user logs on.
GPO Scope
When creating a GPO, you need to specify which computers it is going to be applied to. To do this, you link the GPO to one of the following database containers:
- Domain
- Organizational Unit (OU)
- Site (a container for grouping computers that are physically close to each other; not recommended for GPOs)
It is also possible for a Windows machine to have a Local Group Policy. Therefore, many different GPOs can be applied to a machine at different levels, which are processed in the following order:
- Local
- Site
- Domain
- Organizational Unit
Since each level is processed after the previous one and overrides any conflicting settings, Local GPOs have the least precedence and OU GPOs the most. Therefore, if for example a GPO applied to a Domain contradicts a Local GPO, the domain GPO will be followed.
However, it is also possible to mark the link of an Active Directory GPO (not a local one) as No Override (called Enforced in current tooling). Thus, if a domain policy rule is enforced, no rules from OUs can contradict that higher-level rule.
Also, a GPO can have an associated WMI filter that restricts the computers to which the GPO is applied, for example to apply the policies only to Windows 7 computers.
In a domain, each computer checks for policy updates every 90 minutes, except the Domain Controllers, which do it every 5 minutes. You can also perform an immediate check with gpupdate.
Each GPO is identified by a GUID and is composed of two entities: a Group Policy template (GPT) and a Group Policy container (GPC).
Group Policy template
The Group Policy template is a directory in the SYSVOL share. The templates are located under \\<domain>\SYSVOL\<domain>\Policies\, and each template directory is named after the GPO GUID.
```powershell
PS C:\> ls \\etherdrake.local\SYSVOL\etherdrake.local\Policies\

    Directory: \\etherdrake.local\SYSVOL\etherdrake.local\Policies

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/28/2020  10:02 AM                {31B2F340-016D-11D2-945F-00C04FB984F9}
d-----       11/28/2020  10:02 AM                {6AC1786C-016F-11D2-945F-00C04fB984F9}
d-----        4/19/2021   5:12 PM                {BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A}
```
List of GP templates
Each GPO directory contains the following items:
- Machine directory: For machine level policies.
- User directory: For user level policies.
- GPT.INI: Basic info about the GPO, such as its Version and DisplayName.
Under these directories there can be many different files and subdirectories, among them configuration INI files that specify registry key values, group memberships or scripts to execute. And, if you are lucky, you may find credentials in scripts or in Group Policy Preferences (GPP) files with cpassword attributes. You can use the Get-GPPPassword script to search for GPP credentials.
Group Policy Preferences is the name given to a set of additional policies that were added in Windows Server 2008.
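As an added example (not code from the original post or from the Get-GPPPassword project), the following PowerShell audits a Policies directory from the defender's side: it decodes each template's GPT.INI version and lists every GPP XML file that still contains a cpassword attribute, without decrypting anything. The function name and the sample tree written to $env:TEMP are constructed for this example.

```powershell
# Added example (not from the original post): audit every template under a Policies share for
# GPP XML files that still carry a cpassword attribute, and decode the GPT.INI version while at it.
# Function and path names are chosen for this example; the sample tree is constructed in $env:TEMP.
function Get-GpoTemplateAudit {
    param([string]$PoliciesRoot)
    foreach ($gpoDir in Get-ChildItem -Path $PoliciesRoot -Directory) {
        # GPT.INI: [General] / Version=<n>; user version in the high 16 bits, machine version in the low 16
        $machineVer = $userVer = $null
        $ini = Join-Path $gpoDir.FullName 'GPT.INI'
        if ((Test-Path $ini) -and ((Get-Content $ini -Raw) -match '(?m)^Version=(\d+)')) {
            $machineVer = [int]$Matches[1] -band 0xFFFF
            $userVer    = [int]$Matches[1] -shr 16
        }
        # GPP files live under <Machine|User>\Preferences\<area>\<area>.xml; any element carrying a
        # cpassword attribute means a credential was stored in the template and should be removed
        $hits = foreach ($f in Get-ChildItem -Path $gpoDir.FullName -Recurse -Filter *.xml -File) {
            try { [xml]$doc = Get-Content $f.FullName -Raw } catch { continue }   # skip unparsable files
            if ($doc.SelectNodes('//@cpassword').Count -gt 0) { $f.FullName.Substring($gpoDir.FullName.Length + 1) }
        }
        [pscustomobject]@{ Gpo = $gpoDir.Name; MachineVersion = $machineVer; UserVersion = $userVer; CpasswordFiles = @($hits) }
    }
}

# Constructed sample: one template whose Groups.xml still stores a local-user password (placeholder value)
$root = Join-Path $env:TEMP 'Policies-sample'
$gpo  = Join-Path $root '{BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A}'
New-Item -ItemType Directory -Force -Path (Join-Path $gpo 'Machine\Preferences\Groups') | Out-Null
Set-Content -Path (Join-Path $gpo 'GPT.INI') -Value "[General]`r`nVersion=65539"
Set-Content -Path (Join-Path $gpo 'Machine\Preferences\Groups\Groups.xml') -Value @'
<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="helpdesk"><Properties action="U" userName="helpdesk" cpassword="CPASSWORD_PLACEHOLDER"/></User></Groups>
'@
Get-GpoTemplateAudit -PoliciesRoot $root | Format-List
```

Pointed at \\<domain>\SYSVOL\<domain>\Policies instead of the sample tree, the same function walks the real templates; a version mismatch against the container object or any non-empty CpasswordFiles entry is what to follow up on.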
Group Policy container
In order to allow machines to locate the Group Policy templates, the Active Directory database stores information about the GPOs under the CN=Policies,CN=System,DC=<domain>,DC=<com> container. Each GPO is stored as a groupPolicyContainer object that holds the GPO GUID and the path of the GP template (the gPCFileSysPath attribute).
```powershell
PS C:\> Get-ADObject -LDAPFilter "(ObjectClass=GroupPolicyContainer)" -Properties Name, DisplayName,gPCFileSysPath | select Name, DisplayName,GPCFileSysPath | Format-List

Name           : {31B2F340-016D-11D2-945F-00C04FB984F9}
DisplayName    : Default Domain Policy
GPCFileSysPath : \\etherdrake.local\sysvol\etherdrake.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

Name           : {6AC1786C-016F-11D2-945F-00C04fB984F9}
DisplayName    : Default Domain Controllers Policy
GPCFileSysPath : \\etherdrake.local\sysvol\etherdrake.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}

Name           : {BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A}
DisplayName    : test policy
GPCFileSysPath : \\etherdrake.local\SysVol\etherdrake.local\Policies\{BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A}
```
List domain GPOs
Note that the GPO GUID is different from the GUID (objectGUID) that identifies each object in the Active Directory database. Also note that anyone able to edit the gPCFileSysPath property of a GPO could point it at a path they control and create a malicious GPO whose scripts will be executed on several machines, so write access to that attribute deserves the same scrutiny as write access to the template directory itself.
On the other hand, the domain, OU and site objects of the database are linked to the GPOs by means of the gPLink attribute.
```powershell
PS C:\> Get-ADObject -LDAPFilter '(gPLink=*)' -Properties CanonicalName,gpLink | select objectclass,CanonicalName,gplink | Format-List

objectclass   : domainDNS
CanonicalName : etherdrake.local/
gplink        : [LDAP://cn={BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A},cn=policies,cn=system,DC=etherdrake,DC=local;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=etherdrake,DC=local;0]

objectclass   : organizationalUnit
CanonicalName : etherdrake.local/Domain Controllers
gplink        : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=etherdrake,DC=local;0]

objectclass   : organizationalUnit
CanonicalName : etherdrake.local/web servers
gplink        : [LDAP://cn={BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A},cn=policies,cn=system,DC=etherdrake,DC=local;0]
```
List domains and OUs with linked GPOs
```powershell
PS C:\> Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase "CN=Configuration,$((Get-ADDomain).DistinguishedName)" -Properties CanonicalName,gpLink | select objectclass,CanonicalName,gplink | Format-List

objectclass   : site
CanonicalName : etherdrake.local/Configuration/Sites/mysite
gplink        : [LDAP://cn={BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A},cn=policies,cn=system,DC=etherdrake,DC=local;0]
```
List sites with linked GPOs
A computer can determine the GPOs that apply to it by examining the OU objects it belongs to and the domain object.
For example, a machine whose computer object is CN=mypc,OU=workstations,OU=computers,DC=domain,DC=com will apply the GPOs linked to the workstations OU, the computers OU and the domain.com domain.
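As an added example (not code from the original post), the following PowerShell resolves that chain from gPLink and gPOptions values like the ones listed above and orders the linked GPOs by the precedence rules described earlier, honouring disabled links, No Override (Enforced) links and Block Inheritance. The container table, the computer name web01, the Enforced flag on the Default Domain Policy and the Block Inheritance on the web servers OU are constructed for the demo, and the function names are mine; the code relies on gPLink storing links from lowest to highest precedence, so that the last entry is link order 1.

```powershell
# Added example (not from the original post): order the GPOs a computer receives from its domain and
# OU chain. gPLink entries look like [LDAP://<GPO DN>;<flags>]: flag bit 1 = link disabled, bit 2 =
# enforced (No Override). gPOptions = 1 on a container means Block Inheritance. Local and Site GPOs
# are not modelled. $Containers is constructed demo data (live: Get-ADObject -Properties gPLink,gPOptions).
$Containers = @{
    'DC=etherdrake,DC=local'                = @{ gPOptions = 0; gPLink = '[LDAP://cn={BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A},cn=policies,cn=system,DC=etherdrake,DC=local;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=etherdrake,DC=local;2]' }
    'OU=web servers,DC=etherdrake,DC=local' = @{ gPOptions = 1; gPLink = '[LDAP://cn={BE864EFE-6C07-4A53-A9D8-7EB6EB36BE5A},cn=policies,cn=system,DC=etherdrake,DC=local;0]' }
}

function ConvertFrom-GpLink {
    param([string]$GpLink)
    # Entries are stored lowest precedence first; the last entry in the string is link order 1
    $m = [regex]::Matches($GpLink, '\[LDAP://([^;\]]+);(\d+)\]')
    for ($i = 0; $i -lt $m.Count; $i++) {
        $flags = [int]$m[$i].Groups[2].Value
        [pscustomobject]@{ GpoDN = $m[$i].Groups[1].Value; LinkOrder = $m.Count - $i
                           Enabled = ($flags -band 1) -eq 0; Enforced = ($flags -band 2) -ne 0 }
    }
}

function Get-ComputerGpoOrder {
    param([string]$ComputerDN, [hashtable]$Containers)
    # Build the scope chain top-down (domain, then each OU) by stripping RDNs off the computer DN;
    # escaped commas inside RDN values are not handled.
    $chain = @(); $dn = $ComputerDN
    while ($dn -match '^[^,]+,(.+)$') {
        $dn = $Matches[1]
        if ($Containers.ContainsKey($dn)) { $chain = @($dn) + $chain }
        if ($dn -match '^DC=') { break }
    }
    $normal = @(); $enforced = @()
    foreach ($c in $chain) {
        # Block Inheritance discards the non-enforced links inherited so far, never the enforced ones
        if ($Containers[$c].gPOptions -band 1) { $normal = @() }
        $here = @()
        foreach ($l in @(ConvertFrom-GpLink $Containers[$c].gPLink)) {
            if (-not $l.Enabled) { continue }
            if ($l.Enforced) { $here += $l } else { $normal += $l }
        }
        # A parent's enforced links are applied after (and so win over) a child's enforced links
        $enforced = @($here) + @($enforced)
    }
    $order = @($normal) + @($enforced)   # application order: the last GPO applied wins
    for ($i = 0; $i -lt $order.Count; $i++) {
        [pscustomobject]@{ Precedence = $order.Count - $i; Enforced = $order[$i].Enforced; Gpo = $order[$i].GpoDN }
    }
}

Get-ComputerGpoOrder -ComputerDN 'CN=web01,OU=web servers,DC=etherdrake,DC=local' -Containers $Containers | Format-Table
```

With the constructed data, the disabled domain link of the test policy is skipped, the OU's own link of the test policy survives its Block Inheritance, and the enforced Default Domain Policy still ends up with precedence 1.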