Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

GPOHound and Analysis

GPO analysis tools turn links, ACLs, inheritance, and scope into a pathfinding problem. We use them when manual enumeration becomes too slow or when we need to understand which principals can modify policies that reach important machines.

GPOHound

python3 gpohound.py -u 'student' -p 'student' -d ootw.local -dc 10.10.10.200

BloodHound collection

bloodhound-python -u student -p 'student' -d ootw.local -ns 10.10.10.200 -c All

NetExec LDAP collection

nxc ldap 10.10.10.200 -u student -p 'student' --bloodhound --collection All --dns-server 10.10.10.200

PowerView manual pathing

Import-Module .\PowerView.ps1
Get-DomainGPO | Select-Object displayname,name,gpcfilesyspath
Get-DomainOU -Properties name,gplink,gpoptions | Select-Object name,gplink,gpoptions
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -ResolveGUIDs

Group3r review

Group3r.exe -f output.html

Questions to answer

  • Which GPOs are linked to Domain Controllers?
  • Which GPOs are linked to servers?
  • Which GPOs are editable by non-admin principals?
  • Which OUs have blocked inheritance?
  • Which policies are enforced?
  • Which GPOs have WMI filters?
  • Which SYSVOL paths contain scripts, preferences, or secrets?

Notes

Automated graph output is a shortcut, not a replacement for reading the target GPO and SYSVOL path.

Always confirm the final scope manually before abusing a policy. A bad assumption here can affect far more machines than intended.