Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

Security Filtering

Security filtering controls which users or computers are allowed to apply a linked GPO. A policy can be linked to the right OU and still not apply if the target principal does not have Read and Apply group policy permissions.

List GPO permissions

Get-GPPermission -Name "Misconfigured Policy" -All

Add a computer group to filtering

Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoApply

Add a specific computer

Set-GPPermission -Name "Misconfigured Policy" -TargetName "WS01$" -TargetType Computer -PermissionLevel GpoApply

Add a user group

Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Users" -TargetType Group -PermissionLevel GpoApply

Remove a principal from filtering

Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Users" -TargetType Group -PermissionLevel None

PowerView ACL review

Import-Module .\PowerView.ps1
$GpoDN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local"
Get-DomainObjectAcl -Identity $GpoDN -ResolveGUIDs

Linux LDAP review

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local" nTSecurityDescriptor

Force target refresh

Invoke-GPUpdate -Computer ws01.ootw.local -Force -RandomDelayInMinutes 0

Validate from target

gpresult /r
gpresult /h C:\Windows\Temp\gpresult.html

Notes

Security filtering is evaluated after the GPO is linked. Link abuse and filtering abuse often appear together.

Removing Authenticated Users without preserving read permissions for computers can break policy application in confusing ways.