GPOs and OUs
What are OUs?
In Windows 2000 and AD, groups have the same function that they have in Windows NT or other OSs: You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.
To understand the difference between groups and OUs, consider this: Objects with SIDs (i.e., users, groups, and computers) can act on objects and be granted authority. Groups have a SID, and OUs don't.
Enumerate GPO locally
gpresult /v
gpresult /r
Output:
PS C:\Users\Administrator> gpresult /v
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.
Created on 12/3/2023 at 10:31:35 PM
RSOP data for MIKO\Administrator on WIN-9ITB345Q7UU : Logging Mode
-------------------------------------------------------------------
OS Configuration: Primary Domain Controller
OS Version: 10.0.17763
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=WIN-9ITB345Q7UU,OU=Domain Controllers,DC=miko,DC=local
Last time Group Policy was applied: 12/3/2023 at 10:29:56 PM
Group Policy was applied from: WIN-9ITB345Q7UU.miko.local
Group Policy slow link threshold: 500 kbps
Domain Name: MIKO
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Disable Defender
DodMozilla Firefox Computer v6r5
Default Domain Controllers Policy
Default Domain Policy
GPO Location
\\DOMAIN.COM\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol
Contents of .pol file:
KeyName : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName : Value
ValueType : REG_SZ
ValueLength : 700
ValueData : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
Windows folder" Description="Allows members of the Everyone group to run applications that are located
in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
Path="%WINDIR%\*"/></Conditions></FilePathRule>
Reading contents of registry key:
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"
Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
Name Property
---- --------
Appx EnforcementMode : 1
AllowWindows : 0
Dll AllowWindows : 0
Exe EnforcementMode : 1
AllowWindows : 0
Msi EnforcementMode : 1
AllowWindows : 0
Script EnforcementMode : 1
AllowWindows : 0
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"
Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe
Name Property
---- --------
921cc481-6e17-4653-8f75-050b80acca20 Value : <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
a61c8b2c-a319-4cd0-9690-d2177cad7b51 Value : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>
Logging
Requires advanced audit policy configuration to be enabled. The following events are found in Security.evtx:
5136: A directory service object was successfully modified
5137: A directory service object was successfully created
5138: A directory service object was successfully undeleted
5139: A directory service object was successfully moved
5141: A directory service object was successfully deleted
Event Viewer (default config?)
Microsoft-Windows-GroupPolicy/Operational
Investigate
When the same scheduled task or file execution is seen on multiple machines, it indicates either remote execution or the use of Group Policy. When the system logs show no use of software deployment tools or Windows Management Instrumentation, that points to Group Policy as the delivery mechanism and indicates that a GPO was likely compromised.
Look at the last-modified times of the GPO folders under SYSVOL:
C:\Windows\sysvol\miko.local\Policies\
PowerShell query to list GPOs by modification and creation time:
#Get all GPOs sorted by modification time, newest first
Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime
Output:
PS C:\Users\Administrator> Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime
DisplayName ModificationTime CreationTime
----------- ---------------- ------------
DoD Windows Defender Firewall Computer v2r2 12/3/2023 11:41:08 PM 12/3/2023 8:03:36 PM
DoD Google Chrome Computer v2r8 12/3/2023 10:58:42 PM 12/3/2023 8:04:16 PM
DoD Windows 10 Computers v2r8 12/3/2023 10:50:04 PM 12/3/2023 8:04:00 PM
DoD WinSvr 2019 DC Computers v2r8 12/3/2023 9:29:10 PM 12/3/2023 8:19:36 PM
DoD WinSvr 2019 MS Computers v2r8 12/3/2023 9:26:48 PM 12/3/2023 8:19:09 PM
DoD Microsoft Defender Antivirus STIG Computer v2r4 12/3/2023 9:01:48 PM 12/3/2023 8:03:22 PM
DodMozilla Firefox Computer v6r5 12/3/2023 9:01:26 PM 12/3/2023 5:13:59 PM
Enable LocalAccountTokenFilterPolicy 12/3/2023 8:57:26 PM 4/30/2023 8:57:50 PM
DoD Windows 10 Users v2r8 12/3/2023 8:24:54 PM 12/3/2023 8:08:41 PM
DoD WinSvr 2019 DC Users v2r8 12/3/2023 8:24:20 PM 12/3/2023 8:03:48 PM
DoD WinSvr 2019 MS Users v2r8 12/3/2023 8:24:12 PM 12/3/2023 8:19:01 PM
Disable Defender 12/3/2023 8:05:52 PM 4/30/2023 8:58:40 PM
Default Domain Controllers Policy 11/22/2023 1:44:32 AM 3/5/2023 10:58:28 PM
Default Domain Policy 3/5/2023 11:04:48 PM 3/5/2023 10:58:28 PM
Retrieve the Registry.pol file of a suspect GPO and parse it locally:
C:\Windows\SysVol\DOMAIN.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol
Generate a report of all GPOs, then download and parse it locally. Look for startup scripts and scheduled tasks.
#create HTML report of every GPO in the domain
Get-GPOReport -All -ReportType Html -Path "C:\Windows\Temp\GPOReport.html"

Startup scripts:
Computers|Users\Policies\Windows Settings\Scripts\Startup
Scheduled Tasks:
Computers|Users\Preferences\Control Panel Settings\Scheduled Tasks
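An added example (not from the original notes) for parsing a retrieved Registry.pol offline in Python. It assumes the documented layout of the file: a "PReg" signature and version DWORD, followed by [key;value;type;size;data] records in UTF-16LE. The sample bytes are constructed here from the AppLocker (SrpV2) entries shown in the registry output above, so the script runs without access to SYSVOL.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
_u = lambda s: s.encode("utf-16-le")   # delimiters and strings in a .pol file are all UTF-16LE

def _read_wstr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, position after the null)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2
def _expect(buf, pos, ch):
    """Consume one delimiter ('[', ';' or ']'); a mismatch means a corrupt or tampered file."""
    if buf[pos:pos + 2] != _u(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2
def _decode(vtype, raw):
    if vtype in (1, 2):            # REG_SZ / REG_EXPAND_SZ
        return raw.decode("utf-16-le").rstrip("\x00")
    if vtype == 4:                 # REG_DWORD
        return struct.unpack("<I", raw)[0]
    return raw.hex()               # REG_BINARY, REG_MULTI_SZ and anything unknown: raw hex
def parse_registry_pol(buf):
    """Parse a Registry.pol: 'PReg' + version DWORD, then [key;value;type;size;data] records."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature: not a Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_wstr(buf, _expect(buf, pos, "["))
        name, pos = _read_wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append({"key": key, "value": name, "type": REG_TYPES.get(vtype, vtype), "data": _decode(vtype, raw)})
    return entries
def build_entry(key, name, vtype, raw):
    """Encode one record; used here only to construct the sample input (handy for test fixtures too)."""
    return (_u("[") + _u(key) + b"\x00\x00" + _u(";") + _u(name) + b"\x00\x00" + _u(";")
            + struct.pack("<I", vtype) + _u(";") + struct.pack("<I", len(raw)) + _u(";") + raw + _u("]"))

# Constructed sample mirroring the AppLocker (SrpV2) values in the registry output earlier on this page.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
    + build_entry(r"Software\Policies\Microsoft\Windows\SrpV2\Exe", "EnforcementMode", 4, struct.pack("<I", 1))
    + build_entry(r"Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51", "Value", 1,
                  _u('<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" UserOrGroupSid="S-1-1-0" Action="Allow">'
                     '<Conditions><FilePathCondition Path="%WINDIR%\\*"/></Conditions></FilePathRule>\x00')))
```

To run it against a real file, pass `open(path, "rb").read()` to parse_registry_pol and review every key outside the paths you expect the GPO to touch.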
Registry
GPO History:
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
To list child OUs, you can run this command:
Get-ADObject -Filter 'objectClass -eq "organizationalUnit"' -SearchBase "distinguishedName of parent OU"
Get the GPOs linked to an OU and its child OUs:
Import-Module ActiveDirectory, GroupPolicy
$OU = "OU=test,DC=example,DC=local"
Get-ADOrganizationalUnit $OU
# LinkedGroupPolicyObjects holds entries of the form "cn={<GUID>},cn=policies,cn=system,DC=..."
$LinkedGPOs = Get-ADOrganizationalUnit $OU | Select-Object -ExpandProperty LinkedGroupPolicyObjects
# Substring(4,36) skips "cn={" and returns the 36-character GUID
$LinkedGPOGUIDs = $LinkedGPOs | ForEach-Object { $_.Substring(4,36) }
$LinkedGPOGUIDs | ForEach-Object { Get-GPO -Guid $_ | Select-Object DisplayName | Export-Csv C:\Users\Desktop\test4.txt -Append }
ADMX Files:
ADMX (and their associated, language-specific ADML files) are XML files that allow Group Policy to render UI within the Group Policy Editor, in the Administrative Templates namespace.

Hijacking ADMX:
Changing the registry key that a policy definition points at effectively hijacks that registry key. If one were to change the key of the "SyncForegroundPolicy" definition below to another location such as "EnableLUA", then whenever "SyncForegroundPolicy" is disabled in the editor it would actually disable the "EnableLUA" key instead.
Gotchas:
If one were to replace the ADMX files, you would need to manually modify the status of the GPO for the change to take effect.
Once an ADMX file is hijacked there is no visual notification of it for the administrator who is in the GP Editor.

Example (original definition):
<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
Hijacked definition (registry key and value name changed, enabled/disabled values swapped):
<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="0" />
</enabledValue>
<disabledValue>
<decimal value="1" />
</disabledValue>
</policy>
ADMX Central Store Locations:
Workstations:
C:\Windows\PolicyDefinitions
Domain Controllers:
C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions
Attack:
If the attacker only has permissions to edit the ADMX file, modify the ADMX file and the registry location of a key that is constantly switched.
If the attacker has permissions to edit ADMX files and modify the GPO, modify the file and then enable/disable the setting for it to take effect.
Defense:
Users who can edit the ADMX Central Store should be Tier 0.
Monitor changes to the files and folders in the ADMX Central Store.
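An added example (not part of the original notes) of the "monitor changes" defense above: it compares the Central Store copy of an ADMX file with a trusted baseline copy and reports every policy whose registry key, value name or enabled/disabled values differ, which is exactly what the SyncForegroundPolicy hijack changes. The two ADMX strings are constructed from the example on this page; a real run would read the baseline from a known-good source and the other copy from the Central Store paths listed above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace so the check works on real (namespaced) ADMX and bare snippets alike."""
    return tag.rsplit("}", 1)[-1]

def _decimal_under(policy, child):
    """Return the <decimal value="..."> inside <enabledValue> or <disabledValue>, or None if absent."""
    for el in policy:
        if _local(el.tag) == child:
            return next((d.get("value") for d in el if _local(d.tag) == "decimal"), None)
    return None

def policy_map(admx_text):
    """Map each policy name to the registry target and on/off values it writes."""
    out = {}
    for p in ET.fromstring(admx_text).iter():
        if _local(p.tag) == "policy":
            out[p.get("name")] = {"key": p.get("key"), "valueName": p.get("valueName"),
                                  "enabled": _decimal_under(p, "enabledValue"),
                                  "disabled": _decimal_under(p, "disabledValue")}
    return out

def diff_admx(baseline_text, store_text):
    """Compare a trusted ADMX copy with the Central Store copy. Returns (policy, finding) pairs for
    every policy whose registry key, value name or on/off values changed, or that was added/removed."""
    base, store = policy_map(baseline_text), policy_map(store_text)
    findings = []
    for name in sorted(set(base) | set(store)):
        if name not in store:
            findings.append((name, "missing from store copy"))
        elif name not in base:
            findings.append((name, "not in baseline"))
        else:
            for field in ("key", "valueName", "enabled", "disabled"):
                if base[name][field] != store[name][field]:
                    findings.append((name, f"{field}: {base[name][field]!r} -> {store[name][field]!r}"))
    return findings

# Constructed samples: the SyncForegroundPolicy definition from this page, genuine and hijacked.
_TMPL = '''<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
<policies><policy name="SyncForegroundPolicy" class="Machine" key="{key}" valueName="{val}">
  <parentCategory ref="Logon"/><supportedOn ref="windows:SUPPORTED_WindowsXP"/>
  <enabledValue><decimal value="{on}"/></enabledValue><disabledValue><decimal value="{off}"/></disabledValue>
</policy></policies></policyDefinitions>'''
BASELINE = _TMPL.format(key=r"Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon",
                        val="SyncForegroundPolicy", on=1, off=0)
HIJACKED = _TMPL.format(key=r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
                        val="EnableLUA", on=0, off=1)
```

Run diff_admx over every .admx in the Central Store on a schedule and alert on any non-empty result; a file hash comparison catches the same edit but not which policy was retargeted.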