GPO Misconfigurations and Risk
Common Group Policy Object misconfigurations that create security risks: overly broad scope, permissive permissions, and legacy policies.
Group Policy Objects (GPOs) push security settings, scripts and scheduled tasks to every computer and user in their scope. That reach cuts both ways: a misconfigured GPO can weaken the whole domain, and a GPO that the wrong people can edit or link hands an attacker code execution on every system it applies to.
Common GPO Misconfigurations
Overly Broad Scope
A GPO linked at the domain root or to a large OU reaches everything beneath the link. A setting written for workstations (a firewall rule, a service restriction, a removable-media block) can break member servers, and a policy intended for one department spreads to the others. Broad scope also multiplies the blast radius of any later mistake or malicious edit to that GPO.
Remediation: Link GPOs as low in the OU tree as the target population allows, and use security filtering (grant Apply Group Policy to a specific group) or WMI filters to narrow who receives them. Since MS16-072 (June 2016), user settings are read in the computer's security context, so when you remove Authenticated Users from the filter, keep Read for Domain Computers or Authenticated Users and restrict only Apply Group Policy; otherwise the user-side settings silently stop applying.
Permissive Permissions
Authenticated Users and Everyone need only Read and Apply Group Policy on a GPO. If either of them, Domain Users, Domain Computers or another broad group holds Edit settings (write access to the groupPolicyContainer object in AD and to the policy folder in SYSVOL), any domain account can rewrite the policy. Typical abuse is to add an attacker-controlled account to the local Administrators group through Restricted Groups or Group Policy Preferences, to create an immediate scheduled task, or to drop a startup script. When the writable GPO is linked to the Domain Controllers OU or the domain root, this is a direct path to domain compromise.
Remediation: Grant Edit settings (and Edit settings, delete, modify security) only to Domain Admins or a dedicated, tightly controlled GPO management group; leave broad groups with Read and Apply. GPO permissions live in two places, the AD object under CN=Policies,CN=System and the matching folder in SYSVOL, and the two can drift apart, so audit both.
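The following audit script is an added example, not code from the original page. It walks every GPO in the domain, reports principals with edit-level rights on the AD object that are not in an allowlist, and then checks the NTFS ACL of the matching SYSVOL folder for write access, since the two can diverge. The allowlist (including a hypothetical GPO-Admins group) is an assumption to adjust for your environment.

```powershell
# Added example: find GPOs whose AD object or SYSVOL folder is writable by principals
# outside an expected set of administrators. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Assumption: only these principals should be able to edit GPOs. 'GPO-Admins' is a
# hypothetical delegated group; replace with your own.
$allowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'GPO-Admins')
# Permission levels that confer write access to the GPO object. GpoCustom means the
# ACL does not match a standard level and must be inspected by hand.
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
# NTFS rights that allow changing policy files in SYSVOL.
$fsWriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

$findings = foreach ($gpo in Get-GPO -All) {
    # 1. Delegation on the groupPolicyContainer object as reported by the GPMC cmdlets.
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        if ($perm.Denied) { continue }
        if ($perm.Permission.ToString() -notin $editLevels) { continue }
        if ($perm.Trustee.Name -in $allowedEditors) { continue }
        [pscustomobject]@{
            GPO     = $gpo.DisplayName
            Where   = 'AD object'
            Trustee = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
            Right   = $perm.Permission.ToString()
        }
    }

    # 2. NTFS ACL on the policy folder in SYSVOL. It normally mirrors the AD ACL but
    #    is a separate ACL and can be changed independently.
    $sysvolPath = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    $acl = Get-Acl -Path $sysvolPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $fsWriteRights) -eq 0) { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        # CREATOR OWNER and the built-in Administrators group are present on every
        # policy folder by default.
        if ($name -in $allowedEditors -or $name -in @('CREATOR OWNER', 'Administrators')) { continue }
        [pscustomobject]@{
            GPO     = $gpo.DisplayName
            Where   = 'SYSVOL'
            Trustee = $ace.IdentityReference.Value
            Right   = $ace.FileSystemRights.ToString()
        }
    }
}

$findings | Sort-Object GPO, Where | Format-Table -AutoSize
```

Any row naming Authenticated Users, Everyone, Domain Users or Domain Computers is a finding to fix immediately; rows with GpoCustom need a look at the raw ACL (Get-Acl on the AD object path in $gpo.Path) because the cmdlet cannot summarise them.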
Legacy GPOs
Old GPOs that nobody owns tend to carry settings that were acceptable years ago but are insecure today (legacy protocols left enabled, hardening that was weakened for a since-retired application), and may still be linked to OUs that have been emptied or repurposed. They slow troubleshooting and hide real gaps behind noise.
Remediation: Review GPOs on a schedule and remove those no longer needed. Document the purpose and owner of each GPO. Back up old GPOs with Backup-GPO before deleting them so they can be restored or consulted later.
Unlinked GPOs
GPOs that are not linked to any site, domain or OU are not applied, but they still exist in AD and SYSVOL, still carry their permissions, and can be linked by anyone with write access to gPLink on an OU. An unlinked GPO with permissive edit rights is a ready-made payload waiting for a link.
Remediation: Remove unlinked GPOs, or document why they are kept and lock down their permissions as if they were live.
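The inventory script below is an added example and not part of the original page. It uses the GPMC XML report to find GPOs with no links in this domain, GPOs with neither computer nor user settings, and GPOs untouched for longer than a review window, then shows the archive-then-delete step. The 365-day window and the backup path are assumptions; links from other domains in the forest are not listed in the report, so confirm a GPO is truly unused before removing it.

```powershell
# Added example: inventory unlinked, empty and stale GPOs, and archive before removal.
Import-Module GroupPolicy

$staleDays  = 365              # assumption: age after which an unchanged GPO is reviewed
$backupPath = 'C:\GPO-Backups' # assumption: where archived GPOs are kept

$inventory = foreach ($gpo in Get-GPO -All) {
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # The LinksTo element is absent when the GPO is linked nowhere in this domain.
    $links = @($xml.GPO.LinksTo | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        Name                = $gpo.DisplayName
        Id                  = $gpo.Id
        Linked              = $links.Count -gt 0
        LinkTargets         = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        Status              = $gpo.GpoStatus
        Modified            = $gpo.ModificationTime
        StaleDays           = [int]((Get-Date) - $gpo.ModificationTime).TotalDays
        # ExtensionData exists only when the side actually contains settings.
        HasComputerSettings = [bool]$xml.GPO.Computer.ExtensionData
        HasUserSettings     = [bool]$xml.GPO.User.ExtensionData
    }
}

# Cleanup candidates: unlinked, empty, or not modified within the review window.
$candidates = $inventory | Where-Object {
    -not $_.Linked -or
    $_.StaleDays -gt $staleDays -or
    (-not $_.HasComputerSettings -and -not $_.HasUserSettings)
}
$candidates |
    Sort-Object Linked, StaleDays -Descending |
    Format-Table Name, Linked, LinkTargets, Status, StaleDays, HasComputerSettings, HasUserSettings -AutoSize

# Archive a GPO to disk, then delete it. Run only after the removal has been approved.
function Remove-GpoWithBackup {
    param(
        [Parameter(Mandatory)][guid]$Id,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $backup = Backup-GPO -Guid $Id -Path $Path -Comment "Archived before removal $(Get-Date -Format s)"
    Write-Host "Backed up '$($backup.DisplayName)' as backup $($backup.Id); restore with Import-GPO/Restore-GPO"
    Remove-GPO -Guid $Id -Confirm
}
# Example call once a candidate has been signed off:
# Remove-GpoWithBackup -Id $candidates[0].Id -Path $backupPath
```

An unlinked GPO that also shows up in the permissions audit with broad edit rights should be treated as the more urgent of the two findings.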
GPOs Applied to Domain Controllers
GPOs linked to the Domain Controllers OU change settings on every DC at once. A wrong User Rights Assignment, a disabled service or a broken Kerberos, LDAP or SMB setting can take down authentication domain-wide, and anyone who can edit such a GPO can run code as SYSTEM on a DC, which is equivalent to Domain Admin.
Remediation: Keep DC-specific GPOs separate from workstation and server baselines, and never link a general baseline to the Domain Controllers OU. Treat edit rights on DC-linked GPOs, and on the Default Domain Controllers Policy in particular, as Tier 0 privileges. Test changes in a lab before applying them to production DCs.
Security Risks
Logon Script Abuse
If attackers can modify a GPO, its startup, shutdown, logon and logoff scripts run on every computer or for every user in scope; startup and shutdown scripts run as SYSTEM. The script files themselves live in SYSVOL, so write access to that folder gives the same result even without rights on the GPO object, and Group Policy Preferences immediate scheduled tasks offer an equivalent one-shot execution path.
Remediation: Restrict GPO edit rights and SYSVOL write access. Monitor for changes to GPOs and to SYSVOL. Use AppLocker or Windows Defender Application Control to constrain which scripts may run, bearing in mind that an allow rule covering SYSVOL would defeat that control for this case.
Password Policy Weakness
Password and account lockout settings for domain accounts are taken only from GPOs linked at the domain root (by default the Default Domain Policy), with the highest-precedence root link winning. The same settings in a GPO linked to an OU change only the local accounts on the computers in that OU. A password policy GPO linked in the wrong place, out-ranked by another root-linked GPO, or disabled therefore leaves the domain on whatever the effective root policy says, which may allow short or reused passwords and no lockout.
Remediation: Verify the effective policy on the domain object (Get-ADDefaultDomainPasswordPolicy) rather than trusting the GPO editor. Use Fine-Grained Password Policies for exceptions, since they override the domain policy for the principals they apply to by precedence. Re-check after any change to root-linked GPOs.
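The check below is an added example, not code from the original page. It reads the effective password policy from the domain object and compares it with a baseline, lists the GPOs linked at the domain root in precedence order together with the Account policy settings each one defines, and then lists any Fine-Grained Password Policies that override the domain policy. The baseline numbers are assumptions to align with your own standard.

```powershell
# Added example: verify where the domain password policy comes from and whether the
# effective values meet a baseline. Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
# Assumption: minimum values required by your standard.
$baseline = @{ MinPasswordLength = 14; ComplexityEnabled = $true; PasswordHistoryCount = 24; LockoutThreshold = 10 }

# 1. Effective settings for domain accounts, as written to the domain object by the
#    PDC emulator from the winning root-linked GPO.
$effective = Get-ADDefaultDomainPasswordPolicy
$gaps = @()
if ($effective.MinPasswordLength -lt $baseline.MinPasswordLength) {
    $gaps += "MinPasswordLength $($effective.MinPasswordLength) < $($baseline.MinPasswordLength)"
}
if ($effective.ComplexityEnabled -ne $baseline.ComplexityEnabled) {
    $gaps += "ComplexityEnabled is $($effective.ComplexityEnabled)"
}
if ($effective.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
    $gaps += "PasswordHistoryCount $($effective.PasswordHistoryCount) < $($baseline.PasswordHistoryCount)"
}
if ($effective.LockoutThreshold -eq 0 -or $effective.LockoutThreshold -gt $baseline.LockoutThreshold) {
    $gaps += "LockoutThreshold $($effective.LockoutThreshold) (0 means no lockout)"
}
if ($effective.ReversibleEncryptionEnabled) { $gaps += 'ReversibleEncryptionEnabled is true' }

# 2. Only GPOs linked at the domain root can set domain account policy. Show them in
#    link order and the Account policy entries each defines, so the winner is visible.
$rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$rootLinks | ForEach-Object {
    [xml]$xml = Get-GPOReport -Guid $_.GpoId -ReportType Xml
    $account = @($xml.GPO.Computer.ExtensionData.Extension.Account | Where-Object { $null -ne $_ })
    $settings = foreach ($a in $account) {
        # Read child elements by local name; the report uses namespace prefixes.
        $f = @{}
        foreach ($c in $a.ChildNodes) { $f[$c.LocalName] = $c.InnerText }
        "$($f.Name)=$($f.SettingNumber)$($f.SettingBoolean)"
    }
    [pscustomobject]@{
        Order           = $_.Order
        GPO             = $_.DisplayName
        Enabled         = $_.Enabled
        Enforced        = $_.Enforced
        AccountSettings = $settings -join ', '
    }
} | Format-Table -AutoSize

# 3. Fine-Grained Password Policies override the domain policy for their targets.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } } |
    Format-Table -AutoSize

if ($gaps) { Write-Warning ('Domain password policy below baseline: ' + ($gaps -join '; ')) }
else       { Write-Host 'Domain password policy meets baseline.' }
```

If a root-linked GPO other than the intended one shows Account settings with a lower Order number, it is the one actually in force; a password GPO that appears only under an OU will not be listed here at all, which is the misconfiguration described above.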
Security Setting Gaps
Settings that are not enforced centrally drift: local administrators change them, images differ from build to build, and nothing puts them back. The result is a fleet where some systems have the control and others quietly do not.
Remediation: Deploy security baseline GPOs (for example the Microsoft Security Baselines) and apply security settings consistently through them. Audit compliance against the baseline rather than assuming the GPO applied.
Best Practices
- Document GPO purpose: know why each GPO exists and who owns it
- Use security filtering: limit GPO scope to specific groups or OUs, and keep Read for computers when you do
- Restrict permissions: only allow specific administrators to modify GPOs, on both the AD object and SYSVOL
- Regular reviews: review GPOs quarterly and remove unused or unlinked ones
- Test before applying: test GPOs in a lab environment first, especially anything linked to the Domain Controllers OU
- Monitor changes: alert on GPO modifications (Directory Service Changes events 5136, 5137 and 5141 for groupPolicyContainer objects and for gPLink changes) and on writes to SYSVOL
- Use GPO backup: back up GPOs with Backup-GPO before making changes so you can roll back
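The collector below is an added example and not part of the original page; it shows what "alert on GPO modifications" looks like in practice. It pulls Directory Service Changes events (5136 attribute modified, 5137 object created, 5141 object deleted) from a domain controller's Security log and keeps only those that touch a groupPolicyContainer object or change the gPLink or gPOptions attribute on a site, domain or OU. It assumes Audit Directory Service Changes is enabled and a SACL exists on the Policies container and on the OUs, which this script does not configure, and it assumes you can reach the DC's event log remotely; the 24-hour window is an assumption.

```powershell
# Added example: collect GPO edit, create, delete and link-change events from a DC.
# Prerequisites (not set here): "Audit Directory Service Changes" enabled via the DC
# audit policy, and a SACL on CN=Policies,CN=System and on the OU tree.
Import-Module ActiveDirectory

$dc    = (Get-ADDomainController -Discover).HostName | Select-Object -First 1  # assumption: any reachable DC
$since = (Get-Date).AddHours(-24)                                              # assumption: lookback window

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5141
    StartTime = $since
}

# OperationType values in 5136 are message-table references.
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$gpoEvents = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $isGpoObject  = $d['ObjectClass'] -eq 'groupPolicyContainer'
    $isLinkChange = $d['AttributeLDAPDisplayName'] -in @('gPLink', 'gPOptions')
    if (-not ($isGpoObject -or $isLinkChange)) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
        Operation = if ($opNames.ContainsKey($d['OperationType'])) { $opNames[$d['OperationType']] } else { $d['OperationType'] }
    }
}

$gpoEvents | Sort-Object Time | Format-Table -AutoSize
```

Two things stand out when triaging the output: a versionNumber change on a groupPolicyContainer by an account outside the GPO administrators group, and any gPLink change on the Domain Controllers OU or the domain root, both of which deserve an immediate page rather than a daily report. Content changes to the policy files themselves are not visible here; those require file-system auditing on SYSVOL.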
Related Resources
Active Directory Security Hardening & Hygiene Checklist
This Active Directory security hardening and hygiene checklist covers the most common misconfigurations we see during internal penetration tests, giving you a practical way to reduce identity-driven attack chains and domain compromise risk across Active Directory.
AD Permissions and ACLs Explained
How Active Directory permissions and Access Control Lists work, common misconfigurations, and how to audit them effectively.
SMB and LDAP Signing: Why It Matters
Why SMB and LDAP signing are critical for preventing relay attacks and man-in-the-middle attacks in Active Directory environments.