For the best web experience, please use IE11+, Chrome, Firefox, or Safari

How Insecure GPOs Create Real Attack Paths in AD

All It Takes is One Account: Using Insecure Group Policy Objects to Demonstrate Real Attack Paths in AD
On Demand
  • Recorded Date:Mar. 10, 2022
  • Event:On Demand
All It Takes is One Account: Using Insecure Group Policy Objects to Demonstrate Real Attack Paths in AD

When you analyze major breaches, it invariably comes down to a single vulnerability that was the major break the attacker needed to really bring off the attack. Often that break is about obtaining access to a single account and then elevating access to an account with more access. In a typical AD environment that has accreted objects, accounts, entitlements, and other complexity over decades it turns out that many accounts have been delegated privileged access in Active Directory and attackers can take advantage of those permissions.

This opens an abundance of attack paths in AD, but in this on-demand webcast, AD and Windows security expert Randy Franklin Smith will zero in on one example: Edit permissions on a group policy object. If that doesn’t sound like a powerful sort of privileged access, you need to understand this: Having edit access to a GPO effectively gives you administrator authority to all the computers that apply that GPO. This session demonstrates more than one way to prove that claim.

Then the session will explore the security controls available in Windows and Active Directory that control who can make changes to group policy objects, as well as group policy related attributes on other objects like Organizational Units and Domain roots. The latter is an important point because changing the gpLink or gpOptions attribution on an OU can be just as disruptive as editing an actual GPO.

So, it’s important to carefully manage the security of:

• Group Policy Creator Owners group
• The GPO itself
• The System/Policies folder in AD
• The sysvol folder on domain controllers
• The gpLink and gpOptions attributes on the domain root and organizational units

After an introduction to group policy access control and why it’s so important, Quest’s Bryan Patton will demonstrate a very realistic attack path involving one account that was delegated access to group policy and how practically the whole domain can be taken over by compromising that one account.

In addition, we’ll hear from Andy Robbins, whose background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory and Azure security. He is also co-creator of SpecterOps BloodHound and he will briefly show you how Attack Path Management technology continuously maps and quantifies Active Directory Attack Paths – millions of them.


  • Randy Franklin SmithActive Directory security expert
  • Bryan Patton, Principal Strategic Systems Consultant, Quest
  • Andy Robbins, Active Directory security expert

Watch Your Free Webcast

Please wait...

triangle-down check
By downloading, you are registering to receive marketing email from us. To opt-out, follow steps described in our Privacy Policy.

reCAPTCHA protects this site. See Google's Privacy Policy and Terms of Use.