Group Policy
Status: Scaffold — content in progress
Group Policy Objects (GPOs) are AD objects that define configuration settings applied to users and computers in OUs, sites, or domains. They are a critical security configuration mechanism — and an attacker target.
GPO Structure
```text
GPO
├── Computer Configuration
│   ├── Windows Settings (Security Settings, Scripts)
│   └── Administrative Templates
└── User Configuration
    ├── Windows Settings
    └── Administrative Templates
```
GPOs are stored in SYSVOL and applied via the Group Policy Client Service.
Application Order (LSDOU)
Local → Site → Domain → OU (child OUs override parent). "Last applied wins" for most settings.
Security-Relevant GPO Settings
| Category | Setting | ITDR Relevance |
|---|---|---|
| Audit Policy | Audit Logon Events, Account Logon | Enables Event IDs 4624, 4768, etc. |
| Password Policy | Minimum length, complexity, lockout | Attack surface sizing |
| NTLM Restrictions | LAN Manager auth level | Disable NTLMv1/LM |
| LSA Protection | RunAsPPL | Protects LSASS from credential dumping |
| Credential Guard | EnableVirtualizationBasedSecurity | Isolates NTLM hashes |
| AppLocker / WDAC | Allowed executables | Blocks attacker tooling |
| Restricted Groups | Local admin membership | Prevent lateral movement |
GPO-Based Attacks
| Attack | Requirement | Impact |
|---|---|---|
| GPO modification | WriteDACL/GenericWrite on GPO or OU | Deploy malicious policy to all linked objects |
| Immediate scheduled task via GPO | CreateChild on OU | Execute code on all machines in scope |
| Startup script via GPO | Write access to SYSVOL/GPO | Persistent code execution |
Telemetry
| Event ID | Description |
|---|---|
| 5136 | AD object modified (GPO change) |
| 5137 | AD object created |
| 4670 | Permissions changed on object |
| 4662 | GPO object access (requires auditing) |
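As an added example (not part of this page), the following Python triages the 5136 and 4670 events in the table above for Group Policy tampering: it flags changes to GPO content attributes, to `gPLink`/`gPOptions` (which alter which GPOs apply), and to GPO permissions, and raises severity when the actor is not on a hypothetical approved-administrator list. The event records are constructed to mirror the standard EventData field names; GUIDs, users and DNs are placeholders.

```python
"""Triage Windows Security events for Group Policy tampering (Event IDs 5136 / 4670)."""
import re

# GPO objects live under CN=Policies,CN=System in the domain naming context.
GPO_DN_RE = re.compile(r"CN=\{[0-9A-F-]{36}\},CN=Policies,CN=System,", re.IGNORECASE)
# Attributes whose change means the GPO's content, or the client-side extensions it runs, changed.
CONTENT_ATTRS = {"versionNumber", "gPCFileSysPath", "gPCMachineExtensionNames", "gPCUserExtensionNames"}
# Attributes on OU/domain/site objects that change *which* GPOs apply (scope), not their content.
LINK_ATTRS = {"gPLink", "gPOptions"}

# Hypothetical list of accounts expected to edit Group Policy (assumption, not from the page).
APPROVED_GPO_ADMINS = {"gpo-admin"}

# Constructed sample records; field names follow the Security log EventData schema.
GPO_DN = "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "7"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Servers,DC=corp,DC=example", "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://" + GPO_DN + ";0]"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=J Doe,OU=Staff,DC=corp,DC=example", "AttributeLDAPDisplayName": "description"},
    {"EventID": 4670, "SubjectUserName": "svc-backup", "ObjectName": GPO_DN,
     "ObjectType": "groupPolicyContainer"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # unrelated noise, must be ignored
]

def triage(events, approved_admins):
    """Return (severity, reason, actor, dn) for each event touching GPO state.
    Severity is 'high' when the actor is not an approved GPO administrator."""
    alerts = []
    for ev in events:
        actor, eid = ev.get("SubjectUserName", "?"), ev.get("EventID")
        if eid == 5136:
            attr, dn = ev.get("AttributeLDAPDisplayName", ""), ev.get("ObjectDN", "")
            if attr in LINK_ATTRS:
                reason = f"GPO link/scope change ({attr})"
            elif attr in CONTENT_ATTRS and GPO_DN_RE.search(dn):
                reason = f"GPO content change ({attr})"
            else:
                continue  # 5136 on something that is not Group Policy state
        elif eid == 4670 and GPO_DN_RE.search(ev.get("ObjectName", "")):
            dn, reason = ev["ObjectName"], "GPO ACL change (4670)"
        else:
            continue
        severity = "medium" if actor.lower() in approved_admins else "high"
        alerts.append((severity, reason, actor, dn))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, APPROVED_GPO_ADMINS):
        print(*alert, sep=" | ")
```

Both 5136 and 4670 require a SACL on the Policies container (and on OUs for `gPLink`) with Directory Service Changes / DS Access auditing enabled, otherwise the events are never written.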
Cross-Links
| Topic | Link |
|---|---|
| AD Overview | ad-overview |
| ACL Abuse | acl-abuse |