# Exploitation - GPO users rights

### Overview

GPOs can be used to assign `user rights` on the computer objects they are applied to.

User rights fall into two general categories:

* `logon rights`, which grant the specified user the right to log on to the computer and define the permitted logon type.
* `privileges`, which grant a number of specific privileges on the computer object.

The `user rights` that can be used to gain access to and/or compromise the computer objects they are applied to are detailed below. Reviewing these user rights can reveal additional credential re-use vectors, notably if user rights are granted to one of the following groups:

* `Everyone`, SID: `S-1-1-0`
* `Anonymous`, SID: `S-1-5-7`
* `Authenticated Users`, SID: `S-1-5-11`
* `Users`, SID: `S-1-5-32-545`
* `Domain Users`, SID: `S-1-5-<DOMAIN>-513`
* `Domain Computers`, SID: `S-1-5-<DOMAIN>-515`

### Find user rights assignments in GPO

**Resultant Set of Policy**

The Windows `gpresult` built-in utility can be used to compute the `Resultant Set of Policy (RSoP)` for the current or a specified user, on the local or a remote system. It can generate an `HTML` report referencing the parameters effectively applied by `GPO` on the system.

The assigned `user rights` can be found in `Computer Details -> Windows Settings -> Local Policies/User Rights Assignment`.

```
# Generates the RSoP for the current user on the local system.
gpresult /H <REPORT_HTML>

# Generates the RSoP for the specified user on the local system.
gpresult /user <DOMAIN>\<USERNAME> /H <REPORT_HTML>

# Generates the RSoP for the current or specified user on the remote system (using the given credentials, if any).
gpresult [/u <RUN_AS_USER> /p <RUN_AS_USER_PASSWORD>] /s <HOSTNAME | IP> [/user <DOMAIN>\<USERNAME>] /H <REPORT_HTML>
```

**Domain wide enumeration**

The `Grouper2` C# application and `PingCastle`'s `healthcheck` can be used to enumerate user rights definitions in the most sensitive GPOs.

```
Grouper2.exe -g -f <OUTPUT_HTML_FILE>
Grouper2.exe -d "<DOMAIN>" -u "<USERNAME>" -p "<PASSWORD>" -s "\\<DC_HOSTNAME | DC_IP>\SYSVOL" -g -f <OUTPUT_HTML_FILE>
```

All the GPOs in the domain can also be exported to an `HTML` or `XML` report using the PowerShell `GroupPolicy` module's `Get-GPOReport` cmdlet:

```
# Export all the GPOs in the specified domain using the current security context.
# runas /netonly should be used for enumeration from a non-domain-joined computer.

Get-GPOReport -All -ReportType <HTML | XML> [-Domain <DOMAIN>] [-Server <DC_HOSTNAME | DC_IP>] -Path <OUTPUT_FILE_PATH>
```

A more manual search through all the GPOs accessible with the current privileges can be conducted directly in PowerShell:

```
# Mount SYSVOL either from the current user context or using the specified credentials.
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL
net use Z: \\<DC_HOSTNAME | DC_IP>\SYSVOL <PASSWORD> /user:<DOMAIN>\<USERNAME>

# Search every file (GptTmpl.inf holds the [Privilege Rights] section) for the user rights of interest.
Get-ChildItem -Path Z:\ -Recurse -Force | Select-String -Pattern SeInteractiveLogonRight,SeRemoteInteractiveLogonRight,SeImpersonatePrivilege,SeAssignPrimaryTokenPrivilege,SeTcbPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeCreateTokenPrivilege,SeLoadDriverPrivilege,SeTakeOwnershipPrivilege,SeDebugPrivilege

net use Z: /delete
```
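As an added example (not part of the original notes), the following PowerShell script performs the SYSVOL search above in a structured way: it parses the `[Privilege Rights]` section of every `GptTmpl.inf`, then reports the rights listed on this page whenever they are granted to one of the broad groups from the overview (matched by SID). The `Policies` share path is an assumed placeholder to adapt to the target domain.

```powershell
# Added example, not from the original notes: structured audit of user rights assignments in SYSVOL.
# Assumption: the Policies folder path below is a placeholder to adapt to the target domain.
$SysvolPolicies = '\\<DC_HOSTNAME>\SYSVOL\<DOMAIN_FQDN>\Policies'

# Rights this page lists as usable to gain access to, or elevate privileges on, the computer.
$SensitiveRights = @(
    'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeCreateTokenPrivilege', 'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege', 'SeDebugPrivilege'
)
# Broad principals from the overview: Everyone, Anonymous, Authenticated Users, Users (well-known SIDs)
# and Domain Users / Domain Computers (RID 513 / 515 of any domain SID).
$BroadWellKnownSids    = @('S-1-1-0', 'S-1-5-7', 'S-1-5-11', 'S-1-5-32-545')
$BroadDomainRidPattern = '^S-1-5-21-\d+-\d+-\d+-(513|515)$'

function Test-BroadPrincipal {
    param([string]$Principal)
    # GptTmpl.inf prefixes SIDs with '*'; unprefixed account names are left for manual review.
    if (-not $Principal.StartsWith('*')) { return $false }
    $sid = $Principal.TrimStart('*')
    return ($BroadWellKnownSids -contains $sid) -or ($sid -match $BroadDomainRidPattern)
}

function Get-GpoUserRightsAssignment {
    param([string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Recurse -Force -Filter 'GptTmpl.inf' | ForEach-Object {
        $file      = $_
        $gpoGuid   = if ($file.FullName -match '\{[0-9a-fA-F-]{36}\}') { $Matches[0] } else { '?' }
        $inSection = $false
        # Get-Content honours the UTF-16 LE BOM that GptTmpl.inf files carry.
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]
            # A right with an empty value removes all holders, so an empty principal is skipped.
            foreach ($principal in ($Matches[2] -split ',' | ForEach-Object { $_.Trim() })) {
                if (-not $principal) { continue }
                [pscustomobject]@{
                    Gpo       = $gpoGuid
                    Right     = $right
                    Principal = $principal
                    Sensitive = $SensitiveRights -contains $right
                    Broad     = Test-BroadPrincipal -Principal $principal
                    File      = $file.FullName
                }
            }
        }
    }
}
# Report only the combinations worth reviewing: a sensitive right granted to a broad principal.
Get-GpoUserRightsAssignment -PoliciesPath $SysvolPolicies |
    Where-Object { $_.Sensitive -and $_.Broad } | Format-Table Gpo, Right, Principal -AutoSize
```

Dropping the `Where-Object` filter lists every assignment found, which is useful to review rights granted to named accounts rather than SIDs.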

`PowerView` can be used to find where exploitable GPOs are linked and **possibly** applied. Note: a GPO can be linked to an OU without necessarily being applied, as the OU can block inheritance of a GPO that is not enforced, or a conflicting GPO with a higher precedence may override the exploitable one.

```
Get-DomainOU -GPLink "<GPO_GUID>" | ForEach-Object {
    Get-DomainComputer -SearchBase "LDAP://$($_.distinguishedname)" | Format-Table Name
}
```

### User rights exploitation

**Logon rights**

The following logon rights can be defined to allow a user to log on to the computer:

| Right                           | Description                                        | Exploitation technique                  |
| ------------------------------- | -------------------------------------------------- | --------------------------------------- |
| `SeInteractiveLogonRight`       | Allows a user to log on locally on the computer    | Requires physical access to the computer. |
| `SeRemoteInteractiveLogonRight` | Allows logon through Terminal Services             | Interactive logon using an RDP client.  |

Note that `SeNetworkLogonRight` allows a user to access the shares exposed by the computer (subject to the share and NTFS permissions) but is not sufficient by itself to remotely execute commands.

`SeServiceLogonRight` is not directly exploitable either, as only users with administrative privileges can install and configure services.

`SeBatchLogonRight` alone cannot be used to remotely create and run scheduled tasks.

**Privileges**

The following privilege tokens can be used to locally elevate privileges to `NT AUTHORITY\SYSTEM`:

* `SeImpersonatePrivilege`
* `SeAssignPrimaryTokenPrivilege`
* `SeTcbPrivilege`
* `SeBackupPrivilege`
* `SeRestorePrivilege`
* `SeCreateTokenPrivilege`
* `SeLoadDriverPrivilege`
* `SeTakeOwnershipPrivilege`

The `SeDebugPrivilege` privilege can be used as well to directly dump the `LSASS` process.

Refer to `[Windows] Local privilege escalation` for more information on how to exploit those privilege tokens.
