Group Policy Preferences

What are Group Policy Preferences?

Although they are no longer used because of the security risk they present, Group Policy Preferences (GPP) were used to embed user credentials into Group Policy Objects. This made changes that required administrator credentials, such as mapping drives, creating local admin accounts and scheduling tasks, much easier to apply. All was well and good until the key used to decrypt GPP-stored credentials was leaked, allowing any attacker with access to the domain controller to trivially decrypt the administrator passwords used in GPP. Microsoft issued a patch, but it only prevents new GPPs with stored credentials from being created; it does not remove GPPs created before the patch.

Accessing the stored GPP credentials

GPP stores the encrypted credentials under C:\Windows\SYSVOL\ in a file named Groups.xml. SYSVOL is readable by any user on the domain. The encrypted value is stored in the cPassword attribute of Groups.xml.
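As an added example (not part of the original page), a small audit script that walks a SYSVOL Policies tree, or an offline copy of it, and reports every preference XML file that still carries a cpassword attribute so the affected GPOs can be cleaned up. It goes beyond Groups.xml to the other preference files (drives, scheduled tasks, services, data sources) that can embed credentials; the sample Groups.xml, its cpassword value and the GUID folder name are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml in the shape GPP writes (attributes trimmed); the cpassword
# value is a placeholder, not a real blob. The attribute is lowercase in the file itself.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="LocalAdmin" image="2" changed="2015-03-10 11:22:33">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_ENCRYPTED_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

# Account attribute per preference type: Groups/Drives, ScheduledTasks, Services, DataSources.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpassword_entries(root_dir):
    """Return one record per element carrying a cpassword attribute in any XML under root_dir."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if not fn.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # unreadable or non-XML content: skip it, do not abort the audit
            for elem in tree.iter():
                for attr, value in elem.attrib.items():
                    if attr.lower() != "cpassword":
                        continue
                    account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
                    findings.append({"file": path, "element": elem.tag,
                                     "account": account, "has_value": bool(value)})
    return findings


def demo_scan():
    """Lay the sample out as Policies/{GUID}/Machine/Preferences/Groups/Groups.xml and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_dir = os.path.join(tmp, "Policies", "{PLACEHOLDER-GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_GROUPS_XML)
        return find_cpassword_entries(tmp)
```

Every record returned, even one whose cpassword is empty, points at a GPO that should be reviewed and the preference item removed or recreated without a stored password.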

Decrypting with a tool called GPP-Decrypt:

Metasploit Module

Metasploit simplifies this process even further by including a post-exploitation module that does the work for us.