A few months ago, Skip Duckwall asked me if it was possible, through PowerView, to enumerate what organizational units a particular group policy Globally Unique Identifier (GUID) applied to. Say you have a GUID from a Group Policy Object (e.g. from the results of PowerSploit’s Get-GPPPassword). Knowing exactly what OUs (and then what machines) this policy applies to can really help speed up lateral spread! This is something I wished I had thought of, and I quickly integrated the functionality into PowerView. This post covers a quick demonstration of this new approach using PowerView’s recent 2.0 rewrite.
When you run Get-GPPPassword, you’ll get output like this (screenshot stolen directly from @obscuresec‘s blog post on the subject):
You’ll see that the file path returned includes the GUID for the policy (in this case “{31B2F340-016D-11D2-945F-00C04FB984F9}”). In PowerView 2.0, you can now take that GUID and easily enumerate the OUs it’s applied to by running Get-NetOU -GUID <GPP_GUID> (this just queries for OU objects whose gPLink attribute contains a matching GUID). We can then take those OU results and feed them into Get-NetComputer by running Get-NetComputer -ADSpath <OUPath>. This will return all of the computer names in Active Directory that have the policy applied through an OU, and therefore have a local administrator password set to the discovered GPP values!
If you want complete computer objects/information, you can use the -FullData flag with Get-NetComputer. The -FullData flag also works with Get-NetOU if you would like more complete OU information. Here’s how it can look all in a single one-liner to get all machines a particular GPP GUID (like the one in our example) applies to:
Get-NetOU -GUID "{31B2F340-016D-11D2-945F-00C04FB984F9}" | %{ Get-NetComputer -ADSPath $_ }
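As an added example (not PowerView’s code), here is the same link-scope check written against the RSAT ActiveDirectory module, the way a defender would run it to audit where a GPO carrying a GPP cpassword is linked before removing it. Unlike a plain wildcard match on gPLink it parses the link flags so disabled links are skipped by default, and it also checks the domain root, since a GPO can be linked there rather than to an OU. The function name Get-GpoLinkScope is my own.

```powershell
# Added example, not part of PowerView. gPLink is a single string of entries
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=local;FLAGS]
# where FLAGS is a bitmask: 1 = link disabled, 2 = link enforced.
Import-Module ActiveDirectory

function Get-GpoLinkScope {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,   # e.g. "{31B2F340-016D-11D2-945F-00C04FB984F9}"
        [switch]$IncludeDisabledLinks
    )
    $guid = $GpoGuid.Trim('{}')
    # Server-side pre-filter: any OU or the domain root whose gPLink mentions the GUID.
    # ({ and } are not LDAP filter metacharacters, so no escaping is needed.)
    $filter = "(&(|(objectClass=organizationalUnit)(objectClass=domainDNS))(gPLink=*{$guid}*))"

    Get-ADObject -LDAPFilter $filter -Properties gPLink | ForEach-Object {
        $container = $_
        # Walk every [LDAP://...;flags] entry and keep only the one for this GPO.
        $links = [regex]::Matches($container.gPLink,
                                  '(?i)\[LDAP://cn=\{([0-9a-f-]+)\},[^;]+;(\d+)\]')
        foreach ($link in $links) {
            if ($link.Groups[1].Value -ne $guid) { continue }   # -ne is case-insensitive
            $flags    = [int]$link.Groups[2].Value
            $disabled = ($flags -band 1) -ne 0
            if ($disabled -and -not $IncludeDisabledLinks) { continue }

            # Every computer object at or below this container is in scope. This is an
            # upper bound: it ignores gPOptions block-inheritance on child OUs and any
            # security/WMI filtering on the GPO itself.
            $computers = Get-ADComputer -SearchBase $container.DistinguishedName -Filter * |
                         Select-Object -ExpandProperty Name

            [pscustomobject]@{
                Container     = $container.DistinguishedName
                LinkEnabled   = -not $disabled
                Enforced      = ($flags -band 2) -ne 0
                ComputerCount = @($computers).Count
                Computers     = $computers
            }
        }
    }
}

# Usage (run as a domain user with read access to AD):
# Get-GpoLinkScope -GpoGuid "{31B2F340-016D-11D2-945F-00C04FB984F9}" | Format-List
```

Once the affected containers are known, the remediation is to delete the Groups.xml (or other preference file) holding the cpassword from SYSVOL and rotate the local account password it set, for example via LAPS.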
The newly christened Get-NetSite function, which returns the current sites for a domain, also accepts the -GUID filtering flag. This functionality has definitely saved us time on a few engagements, and hopefully others find it of use.