IsAdmin from group policy preferences does not account for Item Level Targeting #37

Open
kitchung opened this issue Dec 24, 2022 · 1 comment


SharpHound does not account for Item Level Targeting when collecting local group membership collection from GPOs linked to OUs.

Group Policy Preference in a GPO can add groups or users into the local administrators group only if the host has a matching NETBIOS name or is a member of an AD group.

I know it will be impossible for SharpHound to account for some item level targeting options such as WMI, but I believe ones that are likely used for managing local groups can, such as hostname, OU and security group membership.

Item level targeting details:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v=ws.11)
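
Added example, not part of the original issue and not SharpHound code: a sketch of how the hostname, OU and security-group targeting items in a GPP `Groups.xml` could be evaluated per computer, with anything undecidable offline (WMI and similar) reported separately instead of being counted as admin rights. The sample XML, the `host` dictionary keys, the function names and the left-to-right combination of `bool` operators are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed Groups.xml, trimmed to the attributes used; all names and SIDs are made up.
GROUPS_XML = """<Groups>
 <Group name="Administrators (built-in)">
  <Properties action="U" groupSid="S-1-5-32-544"><Members><Member action="ADD" sid="S-1-5-21-1-2-3-1105"/></Members></Properties>
  <Filters>
   <FilterComputer bool="AND" not="0" type="NETBIOS" name="WS01"/>
   <FilterOrgUnit bool="OR" not="0" name="OU=Kiosks,DC=example,DC=local" directMember="0"/>
  </Filters>
 </Group>
 <Group name="Administrators (built-in)">
  <Properties action="U" groupSid="S-1-5-32-544"><Members><Member action="ADD" sid="S-1-5-21-1-2-3-1200"/></Members></Properties>
  <Filters><FilterWmi bool="AND" not="0" query="(constructed)"/></Filters>
 </Group>
</Groups>"""

def match(f, host):
    """True/False for one targeting item against a host dict; None if it cannot be decided offline."""
    if f.get("userContext") == "1":
        return None  # evaluated against the logged-on user, not the computer
    if f.tag == "FilterComputer" and f.get("type") == "NETBIOS":
        hit = f.get("name", "").lower() == host["netbios"].lower()
    elif f.tag == "FilterGroup" and f.get("sid"):
        hit = f.get("sid") in host["group_sids"]
    elif f.tag == "FilterOrgUnit":
        parent = host["dn"].split(",", 1)[1].lower()  # naive split: ignores escaped commas
        ou = f.get("name", "").lower()
        hit = parent == ou or (f.get("directMember") != "1" and parent.endswith("," + ou))
    else:
        return None  # FilterWmi and other item types need data from the host itself
    return hit != (f.get("not") == "1")

def admins_for(xml_text, host):
    """Split local Administrators additions into (applies, undetermined) SID lists for one host."""
    applies, unknown = [], []
    for group in ET.fromstring(xml_text).iter("Group"):
        if (props := group.find("Properties[@groupSid='S-1-5-32-544']")) is None:
            continue
        results = [(f.get("bool", "AND"), match(f, host)) for f in group.findall("Filters/*")]
        verdict = True  # no Filters element: the item applies to every computer in scope
        for i, (op, r) in enumerate(results):  # assumption: items combine left to right
            verdict = r if i == 0 else (verdict and r) if op == "AND" else (verdict or r)
        sids = [m.get("sid") for m in props.iter("Member") if m.get("action") == "ADD"]
        if any(r is None for _, r in results):
            unknown += sids
        elif verdict:
            applies += sids
    return applies, unknown
```

Keeping the undetermined list separate lets a collector mark those edges as unverified rather than dropping them or asserting them for every computer under the OU.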

Collaborator

JonasBK commented Apr 28, 2023

Hi @kitchung,

Thanks for pointing this out. I agree, it would be a very cool enhancement!
We would definitely approve it if anyone made a pull request for this. If that does not happen, we should look into this someday.
