GPO analysis tools turn links, ACLs, inheritance, and scope into a pathfinding problem. We use them when manual enumeration becomes too slow or when we need to understand which principals can modify policies that reach important machines.
GPOHound
python3 gpohound.py -u 'student' -p 'student' -d ootw.local -dc 10.10.10.200
BloodHound collection
bloodhound-python -u student -p 'student' -d ootw.local -ns 10.10.10.200 -c All
NetExec LDAP collection
nxc ldap 10.10.10.200 -u student -p 'student' --bloodhound --collection All --dns-server 10.10.10.200
PowerView manual pathing
Import-Module .\PowerView.ps1
Get-DomainGPO | Select-Object displayname,name,gpcfilesyspath
Get-DomainOU -Properties name,gplink,gpoptions | Select-Object name,gplink,gpoptions
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -ResolveGUIDs
Group3r review
Group3r.exe -f output.html
Questions to answer
- Which GPOs are linked to Domain Controllers?
- Which GPOs are linked to servers?
- Which GPOs are editable by non-admin principals?
- Which OUs have blocked inheritance?
- Which policies are enforced?
- Which GPOs have WMI filters?
- Which SYSVOL paths contain scripts, preferences, or secrets?
Notes
Automated graph output is a shortcut, not a replacement for reading the target GPO and SYSVOL path.
Always confirm the final scope manually before abusing a policy. A bad assumption here can affect far more machines than intended.