
Viewing GPOs on the Command Line

Want a quick way to see what GPOs are applied to your local system, using only built-in utilities? Using the GUI to manually view which settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you're on and what they're enforcing. This info can be incredibly handy during a pentest for finding out the limitations being imposed on a specific system you've compromised. It can also be very valuable during a vulnerability assessment to spot-check policies being passed down from the domain or forest a workstation is a member of.

Open a command prompt and enter the following command to see all GPOs that are being applied to your system:

gpresult

This will show the most basic output:

C:\Documents and Settings\billy>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2011 at 3:24:13 PM

RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 MARS
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\billy
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=EARTH,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
    CN=Billy,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

To see additional detail, including the specific settings within the applied GPOs, use the following command:

gpresult /z

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2011 at 3:35:13 PM

RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 MARS
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\billy
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=EARTH,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

        Audit Policy
        ------------
            GPO: Pasture.Rules
                Policy:            AuditPolicyChange
                Computer Setting:  Success

            GPO: Pasture.Rules
                Policy:            AuditDSAccess
                Computer Setting:  Success, Failure

            GPO: Pasture.Rules
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure

            GPO: Pasture.Rules
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Pasture.Rules
                Policy:            AuditLogonEvents
                Computer Setting:  Success, Failure

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Good.Goats
                Policy:            EnableGuestAccount
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

USER SETTINGS
--------------
    CN=Billy,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

Of particular interest to an attacker is the security group information, which lists the security groups that the user account you're logged in as belongs to.

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

In this example the user is just a member of the default groups and is fairly restricted.

Also of note is the Account Policies output, which lists the password policies in effect for the workstation as well as the domain. This can help gauge what type of password guessing you can perform against other machines on the domain without locking accounts out.

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

All of this data can be accessed from a normal, limited user account, and it reveals a wealth of information about the configuration of the domain the machine is joined to. This info can aid greatly in a pentester's quest to gain further access into the network.
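
For the vulnerability-assessment spot check mentioned at the start, the computer policy triples in `gpresult /z` output (GPO, Policy, Computer Setting) can be parsed and compared against a baseline. This is an added example, not part of the original post; the function names, the trimmed sample and the baseline thresholds are assumptions to be replaced with your own standard.

```python
import re

# Constructed sample: a trimmed excerpt of the `gpresult /z` output shown above.
SAMPLE = """\
        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled
"""

# Hypothetical baseline for illustration only; substitute your own standard.
BASELINE = {
    "MinimumPasswordLength": lambda v: int(v) >= 14,
    "LockoutBadCount": lambda v: 0 < int(v) <= 10,   # 0 means lockout is disabled
    "PasswordComplexity": lambda v: v == "Enabled",
    "ClearTextPassword": lambda v: v == "Not Enabled",
}

def parse_policies(text):
    """Return {policy: (section, gpo, value)} for computer settings in gpresult /z output."""
    found, cur, section, prev = {}, {}, None, ""
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(GPO|Policy|Computer Setting):\s*(.*)", s)
        if s and set(s) == {"-"}:        # dashed rule: the line before it was a section title
            section = prev
        elif m:
            cur[m[1]] = m[2]
            if m[1] == "Computer Setting" and "Policy" in cur:
                found[cur.pop("Policy")] = (section, cur.get("GPO"), m[2])
        prev = s or prev                 # remember the last non-blank line
    return found

def audit(text, baseline=BASELINE):
    """Return sorted (policy, problem) pairs for settings that are absent or fail the baseline."""
    got, findings = parse_policies(text), []
    for name, ok in baseline.items():
        if name not in got:
            findings.append((name, "not present in this output"))
        elif not ok(got[name][2]):
            findings.append((name, f"{got[name][2]} (from {got[name][1]})"))
    return sorted(findings)
```

Save the real output with `gpresult /z > gpresult.txt` and pass the file contents to `audit()`; each finding names the GPO that delivered the failing value, which is where the fix belongs.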
