Finding and decrypting cpasswords in Group Policy Preferences

2022, Jun 12    

What are Group Policy Preferences

Group Policy Preferences (GPP) is a collection of Group Policy client-side extensions that enable settings that were previously unavailable in Group Policy, such as mapping drives, scheduled tasks and Start menu settings. GPP allows administrators. A security risk exists because the GPP XML files are readable by every authenticated user in the domain: they are stored in the SYSVOL share on the domain controllers, and any password an administrator put into a preference item is kept there as a `cpassword` attribute. These XML files can be searched for that attribute with the command below from a command prompt. Replace the FQDN placeholders with the actual domain name.

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Any cpassword values found can be decrypted using the Get-Decryptedcpassword.ps1 PowerShell script to reveal the clear text password. After downloading the PowerShell script, import the function using the below command in PowerShell:

Import-Module .\Get-Decryptedcpassword.ps1

Once the function is imported, decrypt the cpassword value using the below command:

Get-Decryptedcpassword <cpasswordvalue>
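As an added example (not the PowerShell script linked on this page, nor Microsoft's code), the Go program below does the two steps the post describes against a constructed Groups.xml snippet: it pulls out every cpassword attribute, then reverses the GPP encoding (unpadded base64, AES-256-CBC with a zero IV under the key Microsoft published in MS-GPPREF section 2.2.1.1.4, PKCS#7 padding, UTF-16LE text). The function names, the sample XML and its cpassword value are the example's own, chosen for illustration; malformed input is rejected rather than decoded into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

var gppKey = []byte{ // AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4; the CBC IV is 16 zero bytes
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}
// Constructed stand-in for one Groups.xml entry under SYSVOL (illustrative values, not from a real domain).
const sampleGroupsXML = `<User name="Administrator (built-in)"><Properties action="U" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" userName="Administrator (built-in)"/></User>`
var cpasswordRe = regexp.MustCompile(`cpassword="([^"]*)"`)
// FindCpasswords returns every cpassword attribute in one GPP XML file (the same hits the findstr command reports).
func FindCpasswords(xmlText string) (out []string) {
	for _, m := range cpasswordRe.FindAllStringSubmatch(xmlText, -1) {
		out = append(out, m[1])
	}
	return out
}
// DecryptCpassword undoes the GPP encoding: base64 (with '=' padding dropped) -> AES-256-CBC -> PKCS#7 unpad -> UTF-16LE.
func DecryptCpassword(cp string) (string, error) {
	ct, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(cp, "=")) // accept padded or unpadded input
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("cpassword is not base64 of whole AES blocks (%v)", err)
	}
	block, _ := aes.NewCipher(gppKey) // 32-byte key, so NewCipher cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(pt) || (len(pt)-pad)%2 != 0 {
		return "", fmt.Errorf("bad PKCS#7 padding or odd UTF-16 length")
	}
	u := make([]uint16, (len(pt)-pad)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8 // little-endian code units
	}
	return string(utf16.Decode(u)), nil
}
func main() { // audit the constructed sample the way a SYSVOL scan would
	for _, cp := range FindCpasswords(sampleGroupsXML) {
		fmt.Println(DecryptCpassword(cp)) // clear-text password followed by a nil error
	}
}
```

Running the same scan over every `*.xml` under the `policies` folder of SYSVOL tells you which GPOs still carry a stored credential and therefore need the preference item removed and the account's password changed.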
