What is Group Policy?
Group Policy is the Active Directory feature for centrally managing configuration and security settings on Windows users and computers. Learn what it does and how attackers abuse it.
What is Group Policy?
Definition
Group Policy is the Active Directory feature for centrally managing configuration and security settings on Windows users and computers. Settings are packaged as Group Policy Objects (GPOs) and applied to users or computers based on their location in the directory (sites, domains, OUs).
In simple terms:
Group Policy is how administrators configure thousands of Windows machines from one place — and how attackers can take them all over from one place.
Why Group Policy Matters
- GPOs apply at every Windows logon and refresh periodically.
- GPOs can run scripts, install software, change registry, modify firewall rules, deploy scheduled tasks, and configure security settings.
- A single GPO can affect every domain-joined endpoint.
- Compromising GPOs is one of the fastest ways for attackers to deploy ransomware enterprise-wide.
How Group Policy Works
Components
- GPO — collection of settings stored partly in AD (
gPLink,gPOptions) and partly in SYSVOL. - Group Policy Container (GPC) — AD object describing the GPO.
- Group Policy Template (GPT) — files in
\\<domain>\SYSVOL\<domain>\Policies\<GUID>\. - Client Side Extensions (CSEs) — apply specific setting types on the endpoint.
Application
GPOs apply in LSDOU order:
- Local policy
- Site-linked GPOs
- Domain-linked GPOs
- Organizational Unit-linked GPOs (top-down)
Settings later in the chain win unless Enforced or Block Inheritance modifies behavior.
Filtering
- Security filtering — apply only to specific users/groups/computers.
- WMI filtering — apply based on machine attributes.
- Item-level targeting — Group Policy Preferences fine-grained targeting.
Common Group Policy Uses
Security Settings
- Password and lockout policy
- User Rights Assignments
- Audit policy
- Firewall rules
- AppLocker / WDAC
- BitLocker enforcement
- SMB signing, LDAP signing
- Disable legacy protocols (NTLMv1, SMBv1)
Configuration
- Drive mappings
- Printer deployment
- Scheduled tasks
- Software installation (legacy)
- Internet Explorer / Edge settings
- Power management
- Logon scripts
Endpoint Hardening Baselines
- Microsoft Security Baselines
- CIS Benchmarks
- DISA STIGs
How Attackers Abuse GPOs
1. Direct GPO Modification
If an attacker has write access to a GPO that applies to many systems (or to Tier 0), they can:
- Add a scheduled task that runs malware on every endpoint.
- Add a User Rights Assignment putting an attacker SID into Local Administrators.
- Change firewall rules to allow C2.
- Push a malicious logon script.
2. SYSVOL Tampering
GPO files live in SYSVOL. Write access to SYSVOL allows tampering with policies even without modifying AD objects.
3. GPP cPassword (Legacy)
Older Group Policy Preferences stored credentials in SYSVOL with a known-static encryption key. Any domain user could read and decrypt them. Microsoft patched this, but stale GPPs sometimes remain.
4. Ransomware Deployment
Conti, BlackBasta, LockBit, and many others have used GPOs (or PsExec via DCs) to deploy ransomware enterprise-wide in minutes after gaining Domain Admin.
5. ACL Backdoors
Subtle ACL grants on GPO objects (often delegated to a help desk group) can be invisible in default views but allow GPO modification.
Real-World Examples
1. Ransomware via GPO
After reaching Domain Admin, attackers create or modify a GPO linked to all OUs containing servers. The GPO deploys a scheduled task that downloads and executes ransomware at next refresh — encrypting thousands of servers within hours.
2. Privilege Escalation via Misdelegated GPO
A help desk group has been delegated edit on a GPO that applies to Tier 0 systems. The help desk doesn't realize this; an attacker who compromises a help desk account inherits the path.
3. Stale GPP cPassword
A 10-year-old GPO contains GPP-stored credentials with cPassword. Any domain user can decrypt to a local admin password still in use on hundreds of legacy machines.
4. Tier-Crossing GPO Link
A Tier 1 admin can edit a GPO that, due to OU restructuring years earlier, also applies to a Tier 0 OU. Their account is now effectively Tier 0.
Group Policy Best Practices
- Restrict GPO edit and link rights strictly.
- Apply Tier 0 GPOs only from Tier 0 OUs edited by Tier 0 admins.
- Audit GPO ACLs regularly. Look for unintended Write/AllExtendedRights/WriteDACL.
- Audit GPO links — which OUs do critical GPOs target?
- Remove GPP cPassword entirely; rotate any passwords that were stored.
- Use LAPS instead of GPP-managed local admin passwords.
- Monitor SYSVOL for unexpected file changes.
- Backup GPOs and SYSVOL.
- Document each GPO's purpose and owner.
- Decommission stale GPOs.
- Sign and validate scripts referenced from GPOs.
- Use SCM / Security Baselines for hardening rather than ad-hoc GPOs.
- Detect GPO changes via Event ID 5136, 5137, 5138, 5139, 5141.
Group Policy Security Checklist
- GPO edit/link rights minimized?
- All GPO ACLs audited; unexpected grants removed?
- GPP cPassword usage eliminated?
- LAPS deployed instead of legacy GPP local admin?
- Tier 0 GPOs isolated and protected?
- GPO links to Tier 0 OUs reviewed?
- SYSVOL monitored for unexpected changes?
- GPO change events monitored in SIEM?
- Stale GPOs removed?
- GPO backups and recovery tested?
How Forestall Helps
Forestall analyzes GPO objects, ACLs, links, and effective scope to surface:
- GPOs that could push code to Tier 0.
- Identities with effective edit rights, including via nested groups and delegated permissions.
- Stale GPP cPassword instances.
- Unexpected ACL drift over time.
- Attack paths that traverse GPO modification rights.
Frequently Asked Questions
Is Group Policy still used in cloud-managed environments?
Yes, on-premises Windows still relies heavily on GPOs. Hybrid environments often use Intune for cloud-joined and GPO for domain-joined.
Can GPOs apply to non-Windows systems?
Not natively. Group Policy is a Windows feature.
What replaces GPO in modern Windows?
Microsoft Intune (MDM) for cloud-joined endpoints; on-premises AD environments still rely heavily on GPO.
How fast does a GPO change take effect?
By default, every 90 minutes (with a random offset) or at next logon. gpupdate /force applies immediately.
What's the most dangerous GPO setting?
User Rights Assignments (especially SeDebugPrivilege, Local Administrators) and GPO scripts/scheduled tasks — they enable code execution.
Conclusion
Group Policy is enormously powerful — and that power makes it a top-tier security concern. Strict control over GPO edit and link rights, careful Tier 0 isolation, removal of legacy GPP cPassword, and continuous monitoring of GPO ACLs and SYSVOL are essential. Treat GPOs the way you treat your most sensitive deployment pipeline: limited writers, signed artifacts, monitored changes, and reversibility.
Find every GPO that can compromise Tier 0.
Forestall maps GPO permissions and effective scope — surfacing GPOs that could push code to your most critical systems.