GPO Security Filtering

GPO Security Filtering

This article will show you how to do a complete analysis of GPO security filtering using PowerShell.

If you’re looking for a complete description about how GPO security filtering works go to this section.

Security filtering of a GPO allows you to limit what users or computers are hit by the GPO settings and allows you to delegate the administration of the GPO.

To target a user or computer you must assign Read and Apply permissions to the user/computer or a group of which they are member. These rights are normally assigned to authenticated users so remove these default rights to limit who’s targeted.

In this article we’ll have a look at how to get an overview of the security filtering on all of your GPO’s. PowerShell and Excel is all you need.

(If you’re looking for information on OU security filtering have a look at this article).

Get GPO Permissions with PowerShell

In order to list all GPO’s in your domain, use the following PowerShell command:

$GPOs = Get-GPO -Al

You’ll need to have the GroupPolicy PowerShell module available on your system: Install RSAT on your Windows client or use the Install-WindowsFeature command on your server if you don’t have it already.

With a firm grip on all your GPO objects you can run the following PowerShell command to see the access rights:

$ACLs = Get-GPPermission -Guid $GPO.Id -All

Since several access rights are configured for each GPO you’ll have to iterate these as well.

In order to get a decent overview of the security settings of your GPO’s I suggest to get the following information:

  • GPO name
  • GPO GUID
  • Trustee
  • Rights assigned to trustee
  • Trustee type
  • Owner

With that information inserted into Excel you should be able to quickly identify any custom settings on your environment.

The complete script to get you this information is listed here:

# Set up output file
$File = "GPO_Delegation.txt"
"Name;GUID;ID;Rights;Type;Owner" | Out-File $File
# Import GPO module
Import-Module GroupPolicy
# Get all GPO's in the domain
$GPOs = Get-GPO -All
$Result = @()
ForEach($GPO In $GPOs){
    # Get ACL of GPO
    $ACLs = Get-GPPermission -Guid $GPO.Id -All
    ForEach($ACL in $ACLs){
        # Objectify the result for easier handling
        $Properties = @{
            ACL = $ACL
            GPO = $GPO
        }
        $Result += New-Object psobject -Property $Properties
    }
}
ForEach ($Item In $Result){
    $Output = $Item.GPO.DisplayName + ";" + $Item.GPO.Id + ";" + $Item.ACL.Trustee.Name + ";" + $Item.ACL.Permission + ";" + $Item.ACL.Trustee.SidType + ";" + $Item.GPO.Owner
    $Output | Out-File $File -Append
    Write-Host $Output
}

It’s only a couple of lines of code that does the actual work. The rest is about formatting the result for easy import to Excel.

The script will generate output similar to the following:

Default Domain Policy;31b2f340-016d-11d2-945f-00c04fb984f9;Domain Admins;GpoCustom;Group;GIGACORP\Domain Admins
Default Domain Policy;31b2f340-016d-11d2-945f-00c04fb984f9;Enterprise Admins;GpoCustom;Group;GIGACORP\Domain Admins
Default Domain Policy;31b2f340-016d-11d2-945f-00c04fb984f9;SYSTEM;GpoEditDeleteModifySecurity;WellKnownGroup;GIGACORP\Domain Admins
Default Domain Policy;31b2f340-016d-11d2-945f-00c04fb984f9;Authenticated Users;GpoApply;WellKnownGroup;GIGACORP\Domain Admins
Default Domain Policy;31b2f340-016d-11d2-945f-00c04fb984f9;ENTERPRISE DOMAIN CONTROLLERS;GpoRead;WellKnownGroup;GIGACORP\Domain Admins
Default Domain Controllers Policy;6ac1786c-016f-11d2-945f-00c04fb984f9;Domain Admins;GpoCustom;Group;GIGACORP\Domain Admins
Default Domain Controllers Policy;6ac1786c-016f-11d2-945f-00c04fb984f9;Enterprise Admins;GpoCustom;Group;GIGACORP\Domain Admins
Default Domain Controllers Policy;6ac1786c-016f-11d2-945f-00c04fb984f9;SYSTEM;GpoEditDeleteModifySecurity;WellKnownGroup;GIGACORP\Domain Admins
Default Domain Controllers Policy;6ac1786c-016f-11d2-945f-00c04fb984f9;Authenticated Users;GpoApply;WellKnownGroup;GIGACORP\Domain Admins
Default Domain Controllers Policy;6ac1786c-016f-11d2-945f-00c04fb984f9;ENTERPRISE DOMAIN CONTROLLERS;GpoRead;WellKnownGroup;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;G.C.802_1x_LAN_Computers;GpoApply;Group;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;Domain Admins;GpoEditDeleteModifySecurity;Group;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;Enterprise Admins;GpoEditDeleteModifySecurity;Group;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;ENTERPRISE DOMAIN CONTROLLERS;GpoRead;WellKnownGroup;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;Authenticated Users;GpoRead;WellKnownGroup;GIGACORP\Domain Admins
802.1x LAN Authentication;b2fdd239-3def-4af9-a53e-6fae160bb1af;SYSTEM;GpoEditDeleteModifySecurity;WellKnownGroup;GIGACORP\Domain Admins
Computer Certificate Autoenroll;c5985d6f-e519-4fa3-9260-fbe289be7b56;Authenticated Users;GpoApply;WellKnownGroup;GIGACORP\Domain Admins
Computer Certificate Autoenroll;c5985d6f-e519-4fa3-9260-fbe289be7b56;Domain Admins;GpoEditDeleteModifySecurity;Group;GIGACORP\Domain Admins
Computer Certificate Autoenroll;c5985d6f-e519-4fa3-9260-fbe289be7b56;Enterprise Admins;GpoEditDeleteModifySecurity;Group;GIGACORP\Domain Admins
Computer Certificate Autoenroll;c5985d6f-e519-4fa3-9260-fbe289be7b56;ENTERPRISE DOMAIN CONTROLLERS;GpoRead;WellKnownGroup;GIGACORP\Domain Admins
Computer Certificate Autoenroll;c5985d6f-e519-4fa3-9260-fbe289be7b56;SYSTEM;GpoEditDeleteModifySecurity;WellKnownGroup;GIGACORP\Domain Admins

In your production environment the output will of course be much bigger.

Open up the output file, GPO_Delegation.txt, to easily import the data into Excel for further analysis.

Analyze GPO Security Filtering With Excel

Once the data has been exported with the previous script it’s time to give it a closer look using Excel.

Copy the contents of the output file, “GPO_Delegation.txt” into Excel, use semicolon as column separator and create a filter on the top row:

GPO security filtering Active Directory
By far, the main content of this file will be standard GPO delegation: Access that is granted by the system in order to provide standard GPO administration and assignment. To identify custom security filtering you should filter out WellKnownGroups in the Type column as these groups are most likely not used in custom filtering. You should also filter out Domain Admins and Enterprise Admins from the ID column for the same reason. Once the filtering is set have a careful look at the rest of the entries. Then you’ll get a perfect picture of the custom security filtering set up on your GPO’s! In my small test setup I found this entry:
GPO Delegation Active Directory

You can check the security tab of the GPO for further details on the configured security filtering.

Identify the GPO in the Group Policy Management Console, right click and select Edit:

Group Policy Properties 01

Right click the GPO and select Properties:

Group Policy Properties 02

Take a look at the access rights in the Security tab for full information on the custom delegation of the GPO:

Group Policy Properties 03

Summary

And there you have it. Getting an overview of custom security filtering on your GPO’s may appear a daunting task. But it’s actually  fairly easy to achieve.

Delegation of access rights on Active Directory GPO’s should always adhere to the Principle of Least Privilege. Using PowerShell and Excel you can easily examine your setup in depth.