GPOAnalyzer is a tool designed for penetration testers and red teamers to assist in analyzing domain Group Policy Object (GPO) files located in the SYSVOL directory.
GPOAnalyzer is valuable for quickly identifying critical information such as domain configuration, registry keys, policies, web targets, network shares, and more. Additionally, it provides easily interpretable outputs and supports data export in JSON format for seamless integration with complementary tools like jq.
Download the executable from the release page.
Alternatively, you can install GPOAnalyzer using Python 3.6 or higher. Clone the repository and install the required dependencies:
git clone https://github.com/safedv/GPOAnalyzer.git
cd GPOAnalyzer
pip install .
Run the tool from the command line using the following syntax:
python -m gpoanalyzer --help
gpoanalyzer.exe --help
usage: python -m gpoanalyzer [-h] [--json | --find FIND] [--output OUTPUT] [--shortcuts] [--scheduledtasks] [--drives] [--groups] [--printers] [--registryxml] [--envvars] [--files] [--services]
[--folders] [--internetsettings] [--registrypol] [--gpttmpl]
gpopath
GPO Analyzer parses and enumerates Domain Group Policy Object (GPO) files.
options:
-h, --help show this help message and exit
General Options:
gpopath Path to the GPO data directory
--json, -jq Output data in JSON format
--find FIND, -f FIND Search for a specific string or pattern
--output OUTPUT, -o OUTPUT
Output results to a specified file path
Supported Files:
--shortcuts Extract shortcut configurations from Shortcuts XML files
--scheduledtasks Extract scheduled tasks from ScheduledTasks XML files
--drives Extract network drive mappings from Drives XML files
--groups Extract group membership settings from Groups XML files
--printers Extract printer configurations from Printers.xml
--registryxml Extract settings from Registry.xml
--envvars Extract env variable settings from EnvironmentVariables.xml
--files Extract file policies from Files.xml
--services Extract service configurations from Services.xml
--folders Extract folder settings from Folders.xml
--internetsettings Extract internet settings from InternetSettings XML files
--registrypol Extract registry settings from Registry.pol
--gpttmpl Extract group policy template data from GptTmpl.inf files
Search for a string in all parsed data:
python -m gpoanalyzer "<GPO_FILES_PATH>" --find "AdmPwd"
Search for a pattern in all parsed data:
python -m gpoanalyzer "<GPO_FILES_PATH>" --find "^(\\)(\\[\w\.-_]+){2,}(\\?)$"
Output all data to a file:
python -m gpoanalyzer "<GPO_FILES_PATH>" --shortcuts --drives --folders --scheduledtasks -o output.txt
Output registry data to a file in JSON format:
python -m gpoanalyzer "<GPO_FILES_PATH>" --registrypol --json -o registry.pol.json
Export the targetPath values from the Shortcuts XML configuration with jq:
python -m gpoanalyzer "<GPO_FILES_PATH>" --shortcuts --json | jq '[.. | objects | select(has("targetPath")) | .targetPath]' | sort -u
"http://example1.com"
"https://example2.com"
"http://example3.com"
"10.10.12.120"
"\\SHARE\\LOL"
Contributions are welcome! Please fork the repository and submit a pull request with your improvements.
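Returning to the `--shortcuts --json` export shown above: the following added example (not part of the GPOAnalyzer project) performs the same recursive `targetPath` extraction as the jq filter in Python, then groups the values by type so a reviewer can see which deployed shortcuts point at cleartext HTTP, bare IP addresses or UNC shares. Only the `targetPath` key comes from this README; the surrounding JSON layout, the function names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample. Only the "targetPath" key comes from the README;
# the nesting and the other keys are assumptions about the JSON layout.
SAMPLE_JSON = r'''
{"Shortcuts": [
  {"policy": "{PLACEHOLDER-1}", "items": [
    {"name": "Intranet", "targetPath": "http://example1.com"},
    {"name": "Portal", "targetPath": "https://example2.com"}]},
  {"policy": "{PLACEHOLDER-2}", "items": [
    {"name": "Legacy", "targetPath": "10.10.12.120"},
    {"name": "Share", "targetPath": "\\\\SHARE\\LOL"},
    {"name": "Dup", "targetPath": "http://example1.com"}]}
]}
'''

def iter_target_paths(node):
    """Yield every "targetPath" string at any depth, like jq's `..`."""
    if isinstance(node, dict):
        if isinstance(node.get("targetPath"), str):
            yield node["targetPath"]
        for value in node.values():
            yield from iter_target_paths(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_target_paths(item)

def classify(target):
    # Coarse category for one shortcut target; order of checks matters.
    if target.startswith("\\\\"):
        return "unc_share"
    if target.lower().startswith("http://"):
        return "cleartext_http"
    if target.lower().startswith("https://"):
        return "https"
    try:
        ipaddress.ip_address(target)
        return "bare_ip"
    except ValueError:
        return "other"

def summarize(raw_json):
    # De-duplicate (like `sort -u`) and group the targets by category.
    buckets = {}
    for target in sorted(set(iter_target_paths(json.loads(raw_json)))):
        buckets.setdefault(classify(target), []).append(target)
    return buckets

if __name__ == "__main__":
    for category, targets in summarize(SAMPLE_JSON).items():
        print(f"{category}: {targets}")
```

To run it against real output, pass the contents of a file written with `--shortcuts --json -o` to `summarize()` instead of `SAMPLE_JSON`.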
GPOAnalyzer is released under the MIT License. See the LICENSE file for details.