Domain administrators can use encrypted credentials stored in the so-called cPassword to create group policies. Microsoft accidentally released the key used for encryption, so in unpatched servers (typically Server 2012 and before) any domain user can access the SYSVOL and decrypt cPassword to obtain domain administrator credentials.
Exploit: Metasploit
Metasploit module smb_enum_gpp can be used to access SYSVOL and decrypt cPassword through SMB.
Exploit: Manual
Manual: The Replication SMB share can be accessed by all domain users and is not listed by default (unless the share was misconfigured with anonymous access).
prompt off
recurse on
mget *Look for the cPassword attribute in Groups.xml in the downloaded files. Use gpp-decrypt $CPASSWORD to decrypt the attribute into a valid password. The corresponding username is also in the XML file.