PrivEsc: Group Policy Preference Passwords

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).

GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.

This essentially means that a share exists on the domain controller which any domain user can access which contains other user account credentials, possible including a┬álocal administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.