Group Policy Objects (GPOs) act as a security layer in your infrastructure. They enforce rules, regulate permissions, and affect policies across the network. Do you want to assign additional privileges to certain groups? Delete a security group? Modify password policies across the network? Prevent software installations on critical systems? All of these and more can be accomplished using GPOs.
What exactly are GPOs?
Instead of adding to the many definitions you could find online for GPOs, let’s understand GPOs using a simple example: In a theater play, the characters are scripted, and a set of traits is associated with each character early on. The actors adhere to the character traits defined in the script.
Likewise, in an AD environment, every GPO has a collection of policies, rules, and access permissions defined. AD objects are linked to these GPOs and take on the access policies defined in them. How an AD object behaves within an infrastructure reflects directly the GPOs it is linked to.
GPO challenges over the generations
GPOs have been around for a long time. Organizations strive to ensure GPO policies are stringent and untouched to bolster security across an infrastructure. Here are a few questions to answer about how GPOs are configured across your infrastructure:
- How many GPOs does my organization have?
- Are my AD objects linked to the right GPOs?
- Which AD object is linked to which GPO?
- Are there any empty GPOs? What do I do with them?
- Are my GPOs missing any permissions?
- Are any crucial GPO files missing?
Let’s figure out how to approach these issues:
The list of GPOs and their linked AD objects
To identify the number of GPOs in your infrastructure and the AD objects linked to them, enter the following PowerShell query:
Import-Module GroupPolicy
# The <LinksTo> element only exists in the XML report, so request XML rather than HTML
Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType Xml | Select-String "<LinksTo>" }
With the resulting list, you can identify the AD objects and their linked GPOs. This helps you determine whether the objects are assigned to the right GPOs and whether they have been granted only the privileges they need within the network.
The list of unused GPOs
To identify empty and unused GPOs in your infrastructure, enter the following PowerShell query:
# GPOs whose XML report has no <LinksTo> element are not linked anywhere; save them to a CSV file
Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType Xml | Select-String -NotMatch "<LinksTo>" } | Export-Csv -Path C:\Users\Administrator\Documents\Scripts\hello1.csv -NoTypeInformation
The list of unused and empty GPOs will help you clean up the GPOs. Utmost care must be taken while deleting or modifying GPOs as the changes made will reflect across your infrastructure in a matter of seconds. You must track the old and new values of the GPO attributes that you modify to ensure that you can revoke any unwanted changes made to the GPOs.
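Putting the two queries above together, here is an added example (not from the original post) that parses each GPO's XML report instead of pattern-matching it as text, lists the link targets of every GPO, and flags GPOs that are unlinked or contain no settings. It assumes the GroupPolicy RSAT module in a domain-joined session; the output path is an assumption.

```powershell
# Added example: audit all GPOs in the current domain from their XML reports.
Import-Module GroupPolicy

$OutputCsv = 'C:\Temp\GPO-Audit.csv'   # assumed output path, change as needed

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the report as a single XML string; cast it to [xml]
    # so we read elements instead of string-matching on "<LinksTo>".
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # One <LinksTo> element per site/domain/OU the GPO is linked to.
    # Where-Object drops the $null returned when the element is absent.
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })

    # A GPO that defines no settings has no <ExtensionData> under either node.
    $hasComputerSettings = [bool]$xml.GPO.Computer.ExtensionData
    $hasUserSettings     = [bool]$xml.GPO.User.ExtensionData

    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Id            = $gpo.Id
        LinkCount     = $links.Count
        LinkedTo      = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        EnforcedLinks = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count
        Empty         = -not ($hasComputerSettings -or $hasUserSettings)
        Status        = $gpo.GpoStatus
        Modified      = $gpo.ModificationTime
    }
}

# Cleanup candidates: GPOs linked nowhere or defining nothing. Back them up
# (Backup-GPO) and review before deleting; changes replicate domain-wide quickly.
$report | Where-Object { $_.LinkCount -eq 0 -or $_.Empty } |
    Format-Table Name, LinkCount, Empty, Status -AutoSize

# Full inventory of links per GPO, for tracking old and new values over time.
$report | Export-Csv -Path $OutputCsv -NoTypeInformation
```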
GPOs with missing permissions
If a few GPOs within your environment don’t have certain essential permissions configured, this could lead to security vulnerabilities. To identify GPOs with missing permissions, you can use the following command:
# Get-WinADGPOMissingPermissions is not built into Windows; it comes from the community ADEssentials module
$MissingPermissions = Get-WinADGPOMissingPermissions -Mode Either
This command scans all the forests and domains and returns the GPOs with broken permissions.
Missing GPO files within crucial directories
Some GPO files that must reside in the SYSVOL directory for seamless network operations might be missing. For example, if the Default Domain Policy or Default Domain Controllers Policy files are missing and you have also lost their backups, the dcgpofix command can be used to restore both policies to their default settings.
Regularly checking GPO settings to weed out vulnerabilities is essential to thwart GPO-based attacks. If you’re interested in learning about GPO misconfigurations that could leave your organization vulnerable to attacks, watch this exclusive webinar on 7 GPO misconfigurations to rectify under 30 mins to keep GPO attacks at bay.