Group Policy Blog by Darren Mar-Elia (The “GPOGUY”)
Understanding Group Policy Behavior When a Computer or User is Moved in Active Directory
A question came up on Twitter the other day related to how Group Policy behaves on a given client, when you move either the computer or user account in Active Directory. As we know, the Group Policy that applies to a computer or user is a function of what GPOs are...
ADMX File for Troubleshooting Group Policy
Well, it's been a while since I last blogged, and this is one I've been wanting to write for a while. A few months ago I was trying to troubleshoot why a GPMC backup was throwing errors on Windows Server Core 2012 and 2016. I had installed the GPMC PowerShell module...
The Attack of the Trojan GPOs
The story of the Trojan Horse is well known to everyone who has taken a history class. True or not, the story goes that the Greeks, in an effort to finally sack the city of Troy, construct a giant wooden horse with some of their top soldiers hidden inside. They wheel...
Understanding Group Policy Privilege Escalation in CVE-2020-1317
Earlier this month, Microsoft released an advisory for CVE-2020-1317 which describes a privilege escalation vulnerability in Group Policy. This was further detailed by the discoverer of the vulnerability on the Cyberark website. The nature of this issue is interesting...
Quirks in Restricted Groups Policy on AD Groups
About a year ago, I posted about the perils of granting someone write access on the Active Directory Domain NC "head" object, and how you could use that and some quirks in Restricted Groups policy to essentially elevate your access in AD, just based on being able to...
Understanding the Registry Policy Archive File
One of the advantages of messing around with Group Policy since before it shipped is that there is a lot of stuff rattling around in my head that I've been re-thinking in the context of today's modern threat landscape. This allows me to think about current day...
Hijacking Administrative Templates
As I think about Group Policy as a target for attackers, there are many obvious avenues to take advantage of a poorly protected GP infrastructure. I've written about many of these here:...
What Does Group Policy Do When It Can’t Contact a DC?
The title of this blog tells it all. I got asked the question: what happens to GP processing when a client machine isn't on the network and can't connect to its domain's Domain Controllers (DCs)? Does policy get removed? Does it just stay where it is? Can I temporarily...
Sending GPOs Down the Wrong Track–Redirecting the GPT
As this blog title implies, this is a bit of a science experiment. Many years ago I played around with this idea that there is nothing in the GP infrastructure that REQUIRES you to use SYSVOL to store the settings files that compose most in-the-box policy areas. At...
Group Policy Security – Tinkering with External Paths
If you've been following this blog, you know that about 2 and a half years ago, I started talking about Group Policy's precarious role in the typical enterprise's security posture. Many, if not most, AD shops use GP to perform security hardening on their Windows...