Enumerate with GPOs

This script does the following

  1. Find the default age (in hours) for Kerberos tickets in the domain

  2. Find users and groups with SeEnableDelegationPrivilege on the DC (or DCs)

  3. Find what GPOs are applied to the DC

  4. Enumerates GPOs for workstations and servers

# import PowerView
Import-Module ..\PowerView.ps1

# domain Kerberos settings
$Settings = Get-DomainPolicyData -Policy 'Domain'
$Settings.KerberosPolicy

# who has SeEnableDelegationPrivilege over the DC
$Settings = Get-DomainPolicyData -Policy 'DomainController'
$Settings.PrivilegeRights

# what GPOs are applied to the domain controller
$DomainController = (Get-DomainController).Name
Get-DomainGPO -ComputerIdentity $DomainController

# enumerate all GptTmpl.inf settings for GPOs in the domain
Get-DomainGPO | Get-DomainPolicyData

# find any GPOs that modify local group memberships through GPOs
Get-DomainGPOLocalGroup

# to find what machines an "interesting" GPO applies to
Get-DomainGPO WorkstationGPO | %{Get-DomainOU -GPLink $_.Name} | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
Get-DomainGPO ServerGPO | %{Get-DomainOU -GPLink $_.Name} | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}

References:

PreviousEnumerate non-signed service binariesNextFind signed alternate PowerShell hosts

Last updated