Group Policy Objects
Group Policy lets administrators push security settings, software installs, and configurations to thousands of machines at once. It is both a powerful defense tool and a juicy attack target.
Group Policy is a system that lets administrators set rules for users and computers across the entire network from one central place. Instead of walking to every computer to change a setting, an admin can create a Group Policy Object (GPO) that says something like "all computers must require passwords of at least 12 characters," and that rule automatically applies to every computer in the domain or just to a specific group. GPOs are stored partly in Active Directory and partly on a shared folder called SYSVOL that every domain controller hosts. When a computer starts up or a user logs in, it checks for new or updated policies and applies them.
Imagine the CEO sends out a memo that says "All office doors must be locked after 6 PM." That memo applies to every building in the company. Department heads can add their own rules on top (like "Marketing must also lock filing cabinets"). Group Policy works the same way: policies cascade from the top of the AD hierarchy down to individual OUs, and lower-level policies can add to or override higher-level ones.
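The cascade described above can be modelled as a small precedence resolver. The block below is an added illustration, not Windows' own implementation: it applies linked GPOs in LSDOU order so that a later level overrides an earlier one, and it also generalises to two real options the text does not mention, an Enforced link (cannot be overridden by lower levels; among enforced links the higher level wins) and Block Inheritance on an OU (non-enforced GPOs from above are dropped). Every container, GPO name and setting in it is constructed.

```python
"""Toy model of Group Policy precedence: Local, Site, Domain, OU (LSDOU), with
later levels overriding earlier ones, plus the Enforced and Block Inheritance
options that modify that order. Added illustration, not Windows' own
implementation; every container, GPO name and setting below is constructed."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str                  # display name of the linked GPO
    settings: dict            # policy name -> configured value
    enforced: bool = False    # Enforced link: cannot be overridden further down


@dataclass
class Container:
    name: str
    level: str                # "Local", "Site", "Domain" or "OU"
    links: list = field(default_factory=list)  # in link order; index 0 wins within this container
    block_inheritance: bool = False            # OU option: drop non-enforced GPOs from above


def resolve(chain):
    """chain: containers in processing order (Local, Site, Domain, OU, child OU...).
    Returns {setting: (effective value, name of the GPO that set it)}."""
    # Block Inheritance on a container discards non-enforced links from every
    # container above it. The local GPO is not inherited through AD, so this
    # model always processes it.
    first_inherited = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            first_inherited = i
    effective = {}
    # Pass 1: non-enforced links in LSDOU order. The last write wins, so a child
    # OU overrides its parent, and both override the domain and site.
    for i, c in enumerate(chain):
        if c.level != "Local" and i < first_inherited:
            continue
        for link in reversed(c.links):      # link order 1 is applied last, so it wins
            if not link.enforced:
                effective.update({k: (v, link.gpo) for k, v in link.settings.items()})
    # Pass 2: enforced links beat every non-enforced setting and ignore blocking.
    # Walking from the deepest container upward makes the highest-level
    # enforced GPO the final writer.
    for c in reversed(chain):
        for link in reversed(c.links):
            if link.enforced:
                effective.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return effective


def build_demo_chain(block_lab_inheritance):
    """Constructed hierarchy: site HQ, domain corp.example, OU Workstations
    with child OU Lab. Nothing here comes from a real domain."""
    return [
        Container("Local", "Local", [GpoLink("Local Policy", {"MinPasswordLength": 8, "Screensaver": "off"})]),
        Container("HQ", "Site", [GpoLink("Site-Baseline", {"Screensaver": "on"})]),
        Container("corp.example", "Domain", [
            GpoLink("Default Domain Policy", {"MinPasswordLength": 12}),
            GpoLink("Domain-Security", {"RDP": "disabled"}, enforced=True),
        ]),
        Container("Workstations", "OU", [GpoLink("Workstations-Baseline", {"Screensaver": "off"})]),
        Container("Lab", "OU", [GpoLink("Lab-Overrides", {"RDP": "enabled", "MinPasswordLength": 14})],
                  block_inheritance=block_lab_inheritance),
    ]


if __name__ == "__main__":
    for blocked in (False, True):
        print(f"Lab OU blocks inheritance: {blocked}")
        for setting, (value, source) in sorted(resolve(build_demo_chain(blocked)).items()):
            print(f"  {setting:18} = {value!s:9} (from {source})")
```

Running it shows why "lower-level policies can add to or override higher-level ones" has limits: the Lab OU's attempt to enable RDP loses to the enforced domain GPO in both runs, and with Block Inheritance switched on the Default Domain Policy's 12-character minimum never reaches the Lab machines at all. The source GPO recorded next to each value is the part an auditor actually wants when a setting looks wrong.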
Key Takeaways
- GPOs push security settings and configurations to users and computers at scale.
- Processing order is LSDOU: Local, Site, Domain, OU.
- SYSVOL stores GPO templates and is readable by all domain users.
- GPP passwords (MS14-025) remain a common finding in legacy environments.
- An attacker with write access to a GPO can achieve code execution across the domain.
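Because SYSVOL is readable by every domain user, the legacy GPP password finding from the takeaways above is something a defender can audit for directly. The block below is an added example, not code from the original page: it walks a SYSVOL-like directory tree and reports any Group Policy Preferences XML element that still carries a cpassword attribute, which is the condition MS14-025 addressed. It does not decrypt anything; the point is to locate the policies that need the credential removed and rotated. The directory layout, policy GUIDs and XML content are constructed, and the cpassword value is a placeholder rather than a real blob.

```python
"""Audit a SYSVOL tree for Group Policy Preferences items that still carry a
cpassword attribute (the MS14-025 finding). Added example; the directory layout
and XML below are constructed to mimic SYSVOL, not copied from any domain."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: one policy with a leftover GPP local-user password and one
# clean policy. Policy GUIDs and the cpassword value are placeholders.
SAMPLE_FILES = {
    os.path.join("Policies", "{00000000-0000-0000-0000-000000000001}",
                 "Machine", "Preferences", "Groups", "Groups.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="LocalAdmin" changed="2015-01-01 00:00:00">\n'
        '    <Properties action="U" userName="LocalAdmin" '
        'cpassword="PLACEHOLDER_CPASSWORD_BLOB" neverExpires="1"/>\n'
        '  </User>\n'
        '</Groups>\n',
    os.path.join("Policies", "{00000000-0000-0000-0000-000000000002}",
                 "Machine", "Preferences", "Groups", "Groups.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <Group name="Administrators (built-in)">\n'
        '    <Properties action="U" groupName="Administrators (built-in)" '
        'deleteAllUsers="1"/>\n'
        '  </Group>\n'
        '</Groups>\n',
}


def build_sample_sysvol():
    """Write the constructed files into a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root


def find_gpp_passwords(sysvol_root):
    """Walk every .xml file under sysvol_root and report each element that has a
    cpassword attribute. Checking every XML file rather than only Groups.xml
    also catches Services, ScheduledTasks, Drives and DataSources items."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not well-formed XML; nothing to assess here
            for elem in tree.iter():
                if "cpassword" in elem.attrib:
                    # Different preference types name the account differently.
                    account = (elem.attrib.get("userName")
                               or elem.attrib.get("accountName")
                               or elem.attrib.get("runAs", ""))
                    findings.append({
                        "file": os.path.relpath(path, sysvol_root),
                        "item": elem.tag,
                        "account": account,
                    })
    return findings


if __name__ == "__main__":
    root = build_sample_sysvol()
    for f in find_gpp_passwords(root):
        print(f"GPP cpassword present: {f['file']} ({f['item']}, account={f['account']})")
```

On a real domain controller the root to pass is the Policies folder under the domain's SYSVOL share; every hit is a policy whose stored credential should be treated as exposed to all domain users, so the fix is to remove the preference item and change the account's password, not just to delete the attribute.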
Group Policy is one of the most powerful management tools in AD -- and one of the most dangerous when misconfigured. GPO abuse is a well-known lateral movement and persistence technique.