Group Policy Preferences Password Extraction

Released: Jul 5, 2012
Updated: Jul 5, 2012 by NathanV
Dev status: Stable

Recommended Download

Source Code GPO-Passwords.ps1
source code, 6K, uploaded Oct 21, 2012 - 118 downloads

Release Notes

This script parses the domain’s Policies folder looking for Groups.xml files. These files contain either a username change, a password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!

The password is encrypted once with AES-256 in CBC mode. The key used is:

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

A big thank you to my friend Keith B who helped me with tips for the PowerShell code. I definitely do not have a background working with PS and learned some cool things along the way.

This script was modified from original work by Chris Campbell as noted in the comments.

Running this script:
  • Run it against the current domain to find everything:
    • PS C:\> .\GPO-Passwords.ps1
  • Run it against a local copy of a Groups.xml file:
    • PS C:\> .\GPO-Passwords.ps1 -local .\Groups.xml
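
A defender-side check for the same data, as an added example that is not part of GPO-Passwords.ps1: it walks a Policies folder for Groups.xml files and reports which entries still carry a stored password or an account rename, without decrypting anything. The function name Find-GppPasswordEntry, the default SYSVOL path and the temp-folder sample with its placeholder values are assumptions made for illustration; the cpassword, newName, userName and changed attribute names come from the Groups.xml format and are not shown on this page.

```powershell
# Added example, not GPO-Passwords.ps1: list Groups.xml entries that set a
# password or rename an account. Nothing is decrypted.
function Find-GppPasswordEntry {
    param(
        # Defaults to the current domain's Policies folder (assumed SYSVOL layout).
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    Get-ChildItem -Path $Path -Recurse -Filter 'Groups.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $doc = [xml](Get-Content -LiteralPath $file -Raw -ErrorAction Stop) }
            catch { Write-Warning "Skipping unreadable file: $file"; return }
            # The GPO GUID is the {...} folder name in the path, when present.
            $gpo = if ($file -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            foreach ($p in $doc.SelectNodes('//User/Properties')) {
                $cp      = $p.GetAttribute('cpassword')
                $newName = $p.GetAttribute('newName')
                if (-not $cp -and -not $newName) { continue }   # nothing of interest
                [pscustomobject]@{
                    Gpo         = $gpo
                    File        = $file
                    UserName    = $p.GetAttribute('userName')
                    NewName     = $newName
                    HasPassword = [bool]$cp
                    Changed     = $p.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample data so the function can be tried offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)" changed="2012-07-05 10:00:00">
    <Properties action="U" newName="" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" userName="Administrator (built-in)"/>
  </User>
  <User name="svc" changed="2012-07-05 10:05:00">
    <Properties action="U" newName="svc-renamed" cpassword="" userName="svc"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')
Find-GppPasswordEntry -Path $root | Format-Table Gpo, UserName, NewName, HasPassword, Changed
```

Any row with HasPassword set to True points at a policy whose stored password should be removed and the affected account's password changed, since the key above is the same in every domain.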
