If you control an AD account that has **write or ownership permissions over a GPO**, and that GPO is **linked to a target machine**, you can use it to gain **local admin and RDP access** on that machine.

**Why it works:**

* GPOs are stored in **SYSVOL** and automatically applied to domain-joined machines.
* Machines refresh GPOs every **~15 minutes** (or via `gpupdate`).
* A GPO can modify **local group memberships** (Administrators, Remote Desktop Users).
* If you can edit a GPO → you control what runs or who gets access on linked machines.

**Attack Flow (High-Level):**

1. Obtain AD credentials (e.g., via keylogging).
2. Use **BloodHound** to find GPO permissions.
3. Identify a GPO you can edit that applies to a target host.
4. Modify the GPO to add a group you control to:
   * Local **Administrators**
   * Local **Remote Desktop Users**
5. Wait for policy refresh → lateral movement achieved.

**Impact:**

* Local admin on target system
* RDP access
* Reliable, quiet lateral movement
* Often overlooked by defenders

**Mental Model:**

> *Owning a GPO is like owning a remote control for every machine it’s linked to.*
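The defender's counterpart to step 2 of the flow above is to enumerate the same thing BloodHound enumerates: every principal that holds write or ownership rights over a GPO, together with the OUs that GPO is linked to. The script below is an added example, not code from the original note; it assumes the GroupPolicy RSAT module is installed on a domain-joined host, and the `$ExpectedEditors` allowlist is an assumption that must be adjusted to the environment being audited.

```powershell
# Added audit script (not part of the original note). Assumes the GroupPolicy
# RSAT module and a domain-joined session; the allowlist below is an
# assumption and should match the groups that legitimately manage GPOs.
Import-Module GroupPolicy

# Principals expected to hold edit or ownership rights on GPOs (assumed).
# Any other trustee with edit rights on a linked GPO is a finding.
$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM',
    'ENTERPRISE DOMAIN CONTROLLERS'
)

# Permission levels that let a trustee change GPO content, i.e. the
# "write" the note describes. GpoCustom is included because a custom ACE
# may also carry write access and deserves a manual look.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Find-RiskyGpoEditors {
    param([string[]]$Allowlist = $ExpectedEditors)

    foreach ($gpo in Get-GPO -All) {
        # Resolve where the GPO is linked: a GPO applied to a server OU is
        # far more sensitive than one that is linked nowhere.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        # Ownership check: the owner can rewrite the GPO's ACL at will.
        $ownerName = ($gpo.Owner -split '\\')[-1]
        if ($Allowlist -notcontains $ownerName) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $gpo.Owner
                Permission = 'Owner'
                LinkedTo   = ($links -join '; ')
            }
        }

        # Explicit ACEs granting edit-level rights to a non-allowlisted trustee.
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $perm.Permission.ToString()
            $who   = $perm.Trustee.Name
            if ($EditLevels -contains $level -and $Allowlist -notcontains $who) {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $who
                    Permission = $level
                    LinkedTo   = ($links -join '; ')
                }
            }
        }
    }
}

# Usage: every non-allowlisted owner or editor, with the OUs the GPO hits.
Find-RiskyGpoEditors | Sort-Object GPO | Format-Table -AutoSize
```

Each row is a principal who, if compromised, inherits the "remote control" the note describes for the OUs in `LinkedTo`. Run it on a schedule and diff the output: a new trustee appearing with `GpoEdit` on a GPO linked to server or workstation OUs is exactly the condition step 3 of the attack flow depends on, and it is visible long before the 15-minute policy refresh delivers the local group change.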