Overview
Group Policy Preferences (GPP) allowed admins to set local passwords via Group Policy. The password was encrypted with a known AES key published by Microsoft. Any domain user can read SYSVOL and decrypt these. Microsoft patched this in MS14-025, but old policies may still exist.Where to Find GPP Files
SYSVOL share (readable by all domain users):Files Containing cpassword
Manual Search
Find GPP XML Files
Example Groups.xml
Decrypt cpassword
gpp-decrypt (Kali)
Python
Ruby
Automated Tools
CrackMapExec
Metasploit
Get-GPPPassword (PowerSploit)
Impacket
Post-Exploitation
Found credentials → test them:Quick Reference
| Tool | Where |
|---|---|
| gpp-decrypt | Kali (built-in) |
| CrackMapExec gpp_password | Attacker |
| Get-GPPPassword | Target (PowerShell) |
| impacket-Get-GPPPassword | Attacker |
| Manual findstr | Target (CMD) |