| SYSVOL review | Domain user read access | SYSVOL and NETLOGON | smbclient, nxc, findstr equivalent, grep | Explorer, PowerShell, findstr | Scripts, XML files, old credentials, configuration data |
| GPP secret recovery | Read access to policy XML | Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml | gpp-decrypt, Get-GPPPassword.py style tooling | PowerShell, Get-GPPPassword | Plaintext or reusable credentials |
| Existing GPO edit | GenericWrite, GenericAll, GPO edit rights, or write access to GPC/GPT | Linked GPO | pyGPOAbuse, LDAP/SMB primitives | SharpGPOAbuse, GPMC, PowerShell GPO cmdlets | Code execution or configuration change where the GPO applies |
| Immediate scheduled task | GPO edit rights | Computer side of a GPO | pyGPOAbuse | SharpGPOAbuse, New-GPOImmediateTask | One-shot command execution on scoped machines |
| Local admin via GPO | GPO edit rights | Local Administrators group on scoped machines | pyGPOAbuse with command, manual XML | SharpGPOAbuse, GPMC preferences | Local privilege on scoped machines |
| Startup/logon script | GPO edit rights and SYSVOL write path | Machine\Scripts\Startup, User\Scripts\Logon | SMB file writes plus policy metadata | GPMC, PowerShell, manual SYSVOL edit | Script execution during policy processing |
| Registry policy change | GPO edit rights | Registry.pol or registry preference XML | Manual file tooling, SMB writes | Set-GPRegistryValue, GPMC | Configuration change, persistence, weakening control |
| GPO link modification | Write access over OU/domain/site gPLink | OU, domain, site | LDAP tools, bloodyAD | New-GPLink, Set-GPLink, PowerView | Existing policy applies to a new scope |
| Security filtering abuse | GPO edit rights or ACL control | GPO DACL | LDAP tools, bloodyAD | Set-GPPermission, GPMC, PowerView | Principals are added to or removed from the apply scope |
| GPO creation and linking | Create GPO rights plus link rights | Domain or OU | LDAP/SMB tooling | New-GPO, New-GPLink, GPMC | New policy deployed to chosen scope |
| WMI filter abuse | Write rights over GPO or WMI filter | gPCWQLFilter, msWMI-Som | LDAP tools | GPMC, AD cmdlets | Policy scope narrowed, broadened, or redirected |
| GPO ACL abuse | WriteDACL, WriteOwner, GenericAll, GenericWrite | groupPolicyContainer object | bloodyAD, LDAP queries | PowerView, AD cmdlets | Grant GPO edit rights, take ownership, chain into policy abuse |