Want a quick way to see what GPOs are applied to your local system, just using built-in utilities? Using the GUI to manually view what settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you're on and what they're enforcing. This info can be incredibly handy during a pentest in order to find out the limitations being imposed on a specific system you've compromised.
As security guys (and Linux/GNU fanboys), we tend to do absolutely everything possible via the command line. This is pretty easy in Linux/Unix OSes, but unfortunately we deal with a lot of Windows boxen in our line of work, where it is less than easy at times.
One common scenario we need to undertake is exporting all the GPOs in a certain domain or forest for later analysis. For a small place this isn’t a big deal as there may only be a half dozen or so GPOs applied, which equals out to several dozen clicks to export them. When the client is upwards of several thousand systems and has many OUs and Sites defined, it can be common for there to be many hundreds of GPOs applied. This is fairly standard for large healthcare organizations and hospitals, which we see frequently during HIPAA audits.
Thankfully Microsoft realizes that manually clicking around just doesn’t scale and they’ve provided a fair number of nice little scripts to accomplish menial tasks quickly. One of these tools is a glorious little item called ExportAllGPOs.wsf which is installed when Group Policy Management Console (GPMC) is installed. If you aren’t using GPMC yet to manage your GPOs then you are needlessly causing yourself much pain and suffering. Go install GPMC now. GPMC runs on all current versions of Windows server and on Windows XP/Vista/7.
Using this script it’s possible to quickly export all GPOs to HTML and XML. Here’s how:
Navigate to C:\Program Files\GPMC\Scripts. Before running the script create a directory for the output to be saved to, here I’m using c:\gpo. The directory has to exist or the script will fail. You also need to specify the full DNS name of the domain, e.g. mars.local works whereas just using mars will not.
Now run the following command.
cscript GetReportsForAllGPOs.wsf c:\gpo /domain:mars.local
Output from running the command on my dev environment.
C:\Program Files\GPMC\Scripts>cscript GetReportsForAllGPOs.wsf c:\gpo /domain:mars.local
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
== Found 3 GPOs in mars.local
Generating XML report for GPO 'Pasture.Rules'
Generating HTML report for GPO 'Pasture.Rules'
Generating XML report for GPO 'Default Domain Policy'
Generating HTML report for GPO 'Default Domain Policy'
Generating XML report for GPO 'Default Domain Controllers Policy'
Generating HTML report for GPO 'Default Domain Controllers Policy'
Report generation succeeded for 6 reports.
Report generation failed for 0 reports.
This will export an HTML and an XML version of each GPO you have defined in your domain. Once they’ve been exported they can be manually viewed, or processed via further tools. I’ve cobbled together a bunch of scripts I use in order to easily parse large numbers of GPOs and pull out the interesting data I’m looking for.
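To give an idea of what processing the XML reports can look like, here is an added example (not one of the scripts mentioned above, and not Microsoft's code) that pulls every named setting out of a report and flags weak password policy during an audit. The sample report is constructed, and its element names and the 14-character threshold are assumptions to check against one of your own exported files.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the shape of a GPMC XML report. The element
# names are assumptions; compare them with one of your own exported files.
SAMPLE = """<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>7</q1:SettingNumber></q1:Account>
        <q1:Account><q1:Name>PasswordComplexity</q1:Name><q1:SettingBoolean>false</q1:SettingBoolean></q1:Account>
      </Extension>
      <Name>Security</Name>
    </ExtensionData>
  </Computer>
</GPO>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def kids(elem):
    """Map each direct child's local tag name to its stripped text."""
    return {local(c.tag): (c.text or "").strip() for c in elem}

def gpo_settings(xml_data):
    """Return (gpo, side, extension, setting, value) for every named setting."""
    root = ET.fromstring(xml_data)  # accepts str or the raw bytes of a file
    gpo, rows = kids(root).get("Name", "?"), []
    for side in (e for e in root if local(e.tag) in ("Computer", "User")):
        for ext in (e for e in side if local(e.tag) == "ExtensionData"):
            ext_name = kids(ext).get("Name", "?")
            for item in ext.iter():
                k = kids(item)
                values = [v for n, v in k.items() if n.startswith("Setting")]
                if "Name" in k and values:
                    rows.append((gpo, local(side.tag), ext_name, k["Name"], values[0]))
    return rows

def weak_password_policy(rows, min_length=14):
    """Flag short minimum length or disabled complexity (example threshold)."""
    out = []
    for gpo, _side, _ext, name, value in rows:
        if name == "MinimumPasswordLength" and int(value) < min_length:
            out.append(f"{gpo}: MinimumPasswordLength={value}")
        elif name == "PasswordComplexity" and value.lower() == "false":
            out.append(f"{gpo}: PasswordComplexity disabled")
    return out

if __name__ == "__main__":
    print("\n".join(weak_password_policy(gpo_settings(SAMPLE))))
```

For real exports, pass the raw bytes of each report file to gpo_settings so the parser honours the encoding the file declares.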