Group Policy Preferences (GPP) Passwords in SYSVOL

Description

Legacy Group Policy Preferences (GPP) allowed administrators to configure local users, services, scheduled tasks and mapped drives using credentials stored in XML files on SYSVOL. The password is stored in the cpassword attribute, “encrypted” with a public, well‑known AES key, so it is effectively cleartext for any domain user who can read SYSVOL. Even though Microsoft removed the ability to set or update these passwords (MS14‑025), many environments still contain old GPP XML files exposing reusable local admin or service account credentials.

Examples

Search SYSVOL for GPP cpassword Entries

From a domain‑joined host, search for GPP XML files containing cpassword:

Get-ChildItem '\\corp.local\SYSVOL' -Recurse -Include *.xml -ErrorAction SilentlyContinue |
  Select-String -Pattern 'cpassword' |
  Select-Object Path,LineNumber,Line

Note any XML under Preferences folders (e.g., ScheduledTasks, Services, Drives, Users) that still contain cpassword.

Identify Accounts Exposed via GPP

Inspect matching XML files to determine which accounts are exposed:

Get-ChildItem '\\corp.local\SYSVOL' -Recurse -Include *.xml -ErrorAction SilentlyContinue |
  Select-String -Pattern 'cpassword' -List |
  ForEach-Object {
    $file = $_.Path
    [xml]$x = Get-Content -Raw -Path $file
    # cpassword sits on <Properties>; its parent (User, Task, NTService, Drive, DataSource) carries name/changed/uid
    foreach ($p in $x.SelectNodes('//Properties[@cpassword]')) {
      $account = @($p.userName, $p.runAs, $p.accountName) | Where-Object { $_ }
      [pscustomobject]@{ File = $file; Type = $p.ParentNode.LocalName; Name = $p.ParentNode.name;
                         Account = ($account -join ','); Changed = $p.ParentNode.changed }
    }
  }

Even if the passwords are rotated, copies of the XML retained in historical backups or logs can still be decrypted and may give attackers credentials that are reused elsewhere.

Assess Blast Radius of Exposed Accounts

Determine where the exposed accounts are used:

Get-ADUser -Identity 'svc_gpp_localadmin' -Properties MemberOf,ServicePrincipalName |
  Select-Object SamAccountName,MemberOf,ServicePrincipalName

Local admin accounts deployed via GPP often share passwords across many machines, enabling rapid lateral movement if recovered.

Remediation

  1. Remove GPP passwords from SYSVOL
    • Delete or replace any GPP XML that contains cpassword.
    • Use supported mechanisms (e.g., LAPS, gMSA, secure deployment tooling) instead of embedding credentials.
  2. Rotate impacted credentials
    • Immediately change passwords for any accounts historically managed by GPP.
    • Where possible, replace shared local admin passwords with per‑device managed secrets (e.g., LAPS).
  3. Harden and monitor SYSVOL
    • Ensure SYSVOL permissions follow Microsoft guidance and are regularly reviewed.
    • Monitor for new cpassword occurrences or unexpected XML changes in SYSVOL.
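The following script is an added example, not part of the original page, that ties the SYSVOL search above to remediation step 3: it inventories every cpassword entry, maps each file to its GPO, and compares the result with the previous run so new or changed entries are flagged. It assumes the domain corp.local, the baseline path below, and the GroupPolicy RSAT module on the host running it.

```powershell
# Added example, not part of the original page: enumerate every cpassword entry under SYSVOL,
# map it to its GPO, and diff against the previous run so new or changed entries stand out.
# Assumed: the domain corp.local, the baseline path below, and the GroupPolicy RSAT module.
param(
  [string]$SysvolPath = '\\corp.local\SYSVOL\corp.local\Policies',
  [string]$Baseline   = 'C:\GPPAudit\cpassword-baseline.json'
)
Import-Module GroupPolicy -ErrorAction Stop

function Get-CpasswordFinding {
  param([string]$Root)
  Get-ChildItem -Path $Root -Recurse -Include *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword' -List |
    ForEach-Object {
      $file = $_.Path
      [xml]$x = Get-Content -Raw -Path $file
      # Policies\{GUID}\... : the folder GUID identifies the GPO
      $gpoId   = if ($file -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $null }
      $gpoName = if ($gpoId) { (Get-GPO -Guid $gpoId -ErrorAction SilentlyContinue).DisplayName }
      foreach ($p in $x.SelectNodes('//Properties[@cpassword]')) {
        $account = @($p.userName, $p.runAs, $p.accountName) | Where-Object { $_ }
        # Fingerprint the blob so a changed value is detected without storing the blob itself
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $digest = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($p.cpassword))) -replace '-'
        [pscustomobject]@{
          Gpo = $gpoName; GpoId = $gpoId; File = $file; Type = $p.ParentNode.LocalName
          Account = ($account -join ','); Changed = $p.ParentNode.changed; Hash = $digest
        }
      }
    }
}

$current   = @(Get-CpasswordFinding -Root $SysvolPath)
$known     = if (Test-Path $Baseline) { @(Get-Content -Raw -Path $Baseline | ConvertFrom-Json) } else { @() }
$knownKeys = @($known | ForEach-Object { "$($_.File)|$($_.Hash)" })
$new       = @($current | Where-Object { "$($_.File)|$($_.Hash)" -notin $knownKeys })

if ($new.Count -gt 0) {
  Write-Warning "$($new.Count) new or changed cpassword entries in SYSVOL"
  $new | Format-Table Gpo, Type, Account, Changed, File -AutoSize
}
# Persist the current state as the baseline for the next run (-InputObject keeps [] for an empty set)
New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $Baseline
```

Run it on a schedule from a monitoring host; the first run establishes the baseline, and any later warning means a GPO was created or edited with an embedded credential and should be treated as a new finding under remediation step 1.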