Want a quick way to see what GPOs are applied to your local system, using only built-in utilities? Using the GUI to manually view what settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you’re on and what they’re enforcing. This info can be incredibly handy during a pentest for finding out the limitations being imposed on a specific system you’ve compromised. It can also be very valuable during a vulnerability assessment to spot-check policies being passed down from the domain or forest a workstation is a member of.
Open a command prompt and enter the following command to see all GPOs that are being applied to your system:
gpresult
This will show the most basic output:
C:\Documents and Settings\billy>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 8/26/2011 at 3:24:13 PM
RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: MARS
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\billy
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=EARTH,OU=Goats,DC=mars,DC=local
Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
Group Policy was applied from: phobos.mars.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Pasture.Rules
Good.Goats
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
USER SETTINGS
--------------
CN=Billy,OU=Goats,DC=mars,DC=local
Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
Group Policy was applied from: phobos.mars.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Pasture.Rules
Good.Goats
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
To see additional detail, including the specific settings within the applied GPOs, use the following command:
gpresult /z
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 8/26/2011 at 3:35:13 PM
RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: MARS
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\billy
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=EARTH,OU=Goats,DC=mars,DC=local
Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
Group Policy was applied from: phobos.mars.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Pasture.Rules
Good.Goats
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
Resultant Set Of Policies for Computer:
----------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 1
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 30
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 30
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 7
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 5
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
Audit Policy
------------
GPO: Pasture.Rules
Policy: AuditPolicyChange
Computer Setting: Success
GPO: Pasture.Rules
Policy: AuditDSAccess
Computer Setting: Success, Failure
GPO: Pasture.Rules
Policy: AuditAccountLogon
Computer Setting: Success, Failure
GPO: Pasture.Rules
Policy: AuditAccountManage
Computer Setting: Success
GPO: Pasture.Rules
Policy: AuditLogonEvents
Computer Setting: Success, Failure
User Rights
-----------
N/A
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Good.Goats
Policy: EnableGuestAccount
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Billy,OU=Goats,DC=mars,DC=local
Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
Group Policy was applied from: phobos.mars.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Pasture.Rules
Good.Goats
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Resultant Set Of Policies for User:
------------------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Good.Goats
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: Good.Goats
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: Enabled
GPO: Pasture.Rules
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Good.Goats
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Good.Goats
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Good.Goats
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
State: Enabled
GPO: Pasture.Rules
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Pasture.Rules
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Pasture.Rules
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Good.Goats
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled
GPO: Good.Goats
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: Enabled
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
Of particular interest to an attacker is the security group information, which lists the security groups that the user account you’re logged in as belongs to.
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
In this example the user is just a member of the default groups and is fairly restricted.
Other information of note is the output of Account Policies, which lists the password policies in effect for the workstation as well as the domain. This can help gauge what type of password guessing you can perform against other machines on the domain without locking accounts out.
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 1
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 30
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 30
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 7
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 5
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
All of this data can be accessed as a normal, limited user account and reveals a wealth of information about the configuration of the domain the machine is joined to. This info can aid greatly in a pentester’s quest to gain further access into the network.
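For the vulnerability-assessment spot-check mentioned at the top, the `GPO:` / `Policy:` / `Computer Setting:` triples in saved `gpresult /z` output can be parsed and compared against a baseline. This is an added example, not part of the original post; the function names and the baseline thresholds are assumptions chosen for illustration, and the sample text is constructed to match the output format shown above.

```python
import re
# Constructed sample shaped like the `gpresult /z` excerpt shown on this page.
SAMPLE = """\
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 7
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
"""

# Assumed baseline, for illustration only; substitute your own standard.
BASELINE = {
    "MinimumPasswordLength": lambda v: v.isdigit() and int(v) >= 14,
    "PasswordComplexity": lambda v: v == "Enabled",
    "ClearTextPassword": lambda v: v == "Not Enabled",
}

def parse_gpresult(text):
    """Map each policy name to (section, gpo, setting) from gpresult /z text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    policies, section, gpo, policy = {}, None, None, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if re.fullmatch(r"-{3,}", nxt):      # a heading sits above a dash rule
            section = line
        elif line.startswith("GPO:"):
            gpo = line.split(":", 1)[1].strip()
        elif line.startswith("Policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Computer Setting:") and policy:
            policies[policy] = (section, gpo, line.split(":", 1)[1].strip())
            policy = None
    return policies

def audit(policies, baseline=BASELINE):
    """List (policy, value, gpo) for baseline items that are absent or fail."""
    findings = []
    for name, ok in sorted(baseline.items()):
        _, gpo, value = policies.get(name, (None, None, "not set by any GPO"))
        if not ok(value):
            findings.append((name, value, gpo))
    return findings

if __name__ == "__main__":
    print(*audit(parse_gpresult(SAMPLE)), sep="\n")
```

A policy that no GPO sets is reported as a finding as well, since its absence means the baseline is not being enforced through Group Policy.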



