GPOHound is a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.

It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.

The tool integrates with BloodHound's Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.

• Dumps GPOs in a structured JSON or tree format

• Handles multiple domains

• Resolves GPO names with GPO GUIDs

• Filters output by GPO files, GPO GUIDs, and domains

• Searches in key/value pairs using regex

• Groups settings by impacted object (e.g., Local Groups, Registry)

• Detects members added to local privileged groups

• Detects insecure registry settings, stored credentials, and privilege rights

• Supports decrypting VNC credentials and GPP passwords

• Finds domains, containers, and OUs affected by GPOs

• Gets GPOs applied to a specific user, computer, OU, container, or domain

• Enriches BloodHound data with relationships and properties

git clone "https://github.com/cogiceo/GPOHound"
cd GPOHound
pip install .

pipx install "git+https://github.com/cogiceo/GPOHound"

You need to setup Neo4j APOC for BloodHound data enrichment:

• If you're using the standard Neo4j installation, you can enable APOC by copying the APOC jar file to the plugin folder and then restart Neo4j:

  cp /var/lib/neo4j/labs/apoc-* /var/lib/neo4j/plugins/
  neo4j restart

• If you are installing Neo4j with "Docker Compose", add the environment variable NEO4J_PLUGINS=["apoc"]:

  neo4j:
    image: neo4j:latest
    environment:
      - NEO4J_PLUGINS=["apoc"]

For more details or alternate installation methods, refer to the official APOC Documentation.

To visualize the relationships and properties added by GPOHound, you can import the custom queries from the customqueries.json file into BloodHound. By default, this file is located at ~/.config/bloodhound/customqueries.json.

Start by downloading the SYSVOL contents from the domain controller.

• Mount the SYSVOL share locally:

  sudo mkdir -p /mnt/$DOMAIN/SYSVOL/
  sudo mount -t cifs -o username=$USER,password=$PASS,domain=$DOMAIN,ro "//$DC_IP/SYSVOL" "/mnt/$DOMAIN/SYSVOL/"

• Download the full SYSVOL:

  rsync -a -v --exclude="PolicyDefinitions" --update /mnt/$DOMAIN/SYSVOL .

• Download only the GPOs:

  mkdir "$DOMAIN"
  rsync -a -v --exclude="PolicyDefinitions" --update /mnt/$DOMAIN/SYSVOL/*/Policies "$DOMAIN"

• Unmount the SYSVOL share when finished:

  sudo umount /mnt/$DOMAIN/SYSVOL/

• Download the full SYSVOL:

  smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; mget *;"

• Download only the GPOs:

  mkdir -p "$DOMAIN"/Policies && cd "$DOMAIN"/Policies
  smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; cd $DOMAIN/Policies/; mget {*};" && cd -

To enable name resolution and data enrichment, you must collect BloodHound data using a collector such as bloodhound.py or SharpHound.exe and import the gathered data into the BloodHound interface.

See CONFIG.md for instructions on customizing default values and configurations

gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example dump
gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example analysis

gpohound dump -h
gpohound dump --json
gpohound dump --list --gpo-name
gpohound dump --guid 21246D99-1426-495B-9E8E-556ABDD81F94
gpohound dump --file scripts psscripts
gpohound dump --search 'VNC.*Server' --show

gpohound analysis -h
gpohound analysis --json
gpohound analysis --processed --object group registry
gpohound analysis --guid CCF6CAE3-E280-4109-8F9D-25461DBB5D67 --affected
gpohound analysis --computer 'SRV-PA-03.NORTH.SEVENKINGDOMS.LOCAL' --order
gpohound analysis --enrich

• Detection of users assigned to privileged local groups during logon

• Detection of renamed built-in privileged local groups.

• Detection of trustees added to privileged local groups using "Preference Process Variables" (e.g., %ComputerName%, %DomainName%)

• Detection of abusable trustees using sAMAccountName hijacking

• Detection of any trustees added to privileged local groups:

  Group	Edge
  Administrators	AdminTo
  Remote Desktop Users	CanRDP
  Distributed COM Users	ExecuteDCOM
  Remote Management Users	CanPSRemote
  Backup Operators	CanPrivEsc
  Print Operators	CanPrivEsc
  Network Configuration Operators	CanPrivEsc

Default privileged trustees, as well as service accounts with SIDs starting with S-1-5-8, are excluded from analysis.

• Improve logging
• HTML output
• Integrate LDAP
• Integrate SMB
• Highlight potential conflicts between GPOs
• Parse remaining extensions

• [MS-GPAC] Audit Configuration Extension
• [MS-GPCAP] Central Access Policies Protocol Extension
• [MS-GPEF] Encrypting File System Extension
• [MS-GPFAS] Firewall and Advanced Security Data Structure
• [MS-GPIE] Internet Explorer Maintenance Extension
• [MS-GPNAP] Network Access Protection (NAP) Extension
• [MS-GPNRPT] Name Resolution Policy Table (NRPT) Data Extension
• [MS-GPOL] Core Protocol
• [MS-GPPREF] Preferences Extension Data Structure
• [MS-GPREG] Registry Extension Encoding
• [MS-GPSB] Security Protocol Extension
• [MS-GPSCR] Scripts Extension Encoding
• [MS-GPSI] Software Installation Protocol Extension

• [MS-GPDPC] Deployed Printer Connections Extension
• [MS-GPFR] Folder Redirection Protocol Extension
• [MS-GPWL] Wireless/Wired Protocol Extension