Get-DomainGPOUserLocalGroupMapping

SYNOPSIS

Enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation. If no user/group is specified, all discoverable mappings are returned.

Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup

SYNTAX

Get-DomainGPOUserLocalGroupMapping [[-Identity] <String>] [-LocalGroup <String>] [-Domain <String>]
 [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
 [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

DESCRIPTION

Takes a user/group name and optional domain, and determines the computers in the domain the user/group has local admin (or RDP) rights to.

It does this by: 1. resolving the user/group to its proper SID 2. enumerating all groups the user/group is a current part of and extracting all target SIDs to build a target SID list 3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling Get-DomainGPOLocalGroup 4. matching the target SID list to the queried GPO SID list to enumerate all GPO the user is effectively applied with 5. enumerating all OUs and sites and applicable GPO GUIs are applied to through gplink enumerating 6. querying for all computers under the given OUs or sites

If no user/group is specified, all user/group -> machine mappings discovered through GPO relationships are returned.

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

Find-GPOLocation

Find all user/group -> machine relationships where the user/group is a member of the local administrators group on target machines.

-------------------------- EXAMPLE 2 --------------------------

Find-GPOLocation -UserName dfm -Domain dev.testlab.local

Find all computers that dfm user has local administrator rights to in the dev.testlab.local domain.

-------------------------- EXAMPLE 3 --------------------------

Find-GPOLocation -UserName dfm -Domain dev.testlab.local

Find all computers that dfm user has local administrator rights to in the dev.testlab.local domain.

-------------------------- EXAMPLE 4 --------------------------

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Get-DomainGPOUserLocalGroupMapping -Credential $Cred

PARAMETERS

-Identity

A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) for the user/group to identity GPO local group mappings for.

Type: String
Parameter Sets: (All)
Aliases: DistinguishedName, SamAccountName, Name

Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False

-LocalGroup

The local group to check access against. Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), or a custom local SID. Defaults to local 'Administrators'.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False

-Domain

Specifies the domain to enumerate GPOs for, defaults to the current domain.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SearchBase

{{Fill SearchBase Description}}

Type: String
Parameter Sets: (All)
Aliases: ADSPath

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Server

Specifies an Active Directory server (domain controller) to bind to.

Type: String
Parameter Sets: (All)
Aliases: DomainController

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SearchScope

Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: Subtree
Accept pipeline input: False
Accept wildcard characters: False

-ResultPageSize

Specifies the PageSize to set for the LDAP searcher object.

Type: Int32
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: 200
Accept pipeline input: False
Accept wildcard characters: False

-ServerTimeLimit

Specifies the maximum amount of time the server spends searching. Default of 120 seconds.

Type: Int32
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-Tombstone

Switch. Specifies that the searcher should also return deleted/tombstoned objects.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-Credential

A [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain.

Type: PSCredential
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False

OUTPUTS

• PowerView.GPOLocalGroupMapping

A custom PSObject containing any target identity information and what local group memberships they're a part of through GPO correlation.

• http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/