Group Policy is one of the highest-impact control planes in Active Directory. A GPO has two halves: the Group Policy Container in LDAP and the Group Policy Template in SYSVOL. The LDAP object stores metadata such as the display name, GUID, version, permissions, WMI filter, and file path. SYSVOL stores the files that clients read when applying the policy.
We treat GPO abuse as a scope problem first. A policy is dangerous only where it applies. A GPO linked to a workstation OU gives workstation impact. A GPO linked to the Domain Controllers OU is Tier 0 impact. A GPO linked at the domain root can affect a very large blast radius, depending on security filtering, WMI filters, inheritance, and link order.
The important LDAP attributes are gPCFileSysPath, gPCMachineExtensionNames, gPCUserExtensionNames, versionNumber, gPCWQLFilter, gPLink, and gPOptions. gPLink lives on the domain, OU, or site object and tells clients which GPOs apply. gPOptions controls inheritance behavior. The SYSVOL path usually looks like \\ootw.local\SYSVOL\ootw.local\Policies\{GUID}.
The offensive primitives are direct. If we can read SYSVOL, we hunt secrets and scripts. If we can edit an existing linked GPO, we can push scheduled tasks, local group membership, registry changes, services, or scripts. If we can create and link a new GPO, we can introduce a new policy path. If we can modify links or WMI filters, we can change the scope of an existing policy.
Core tools: