@auk0x01 auk0x01 commented Oct 9, 2025

We made a query to find all GPOs that are applied to any specific computer. Helpful in large AD environments where GPO inheritance is complex :)

auk0x01 and others added 2 commits October 9, 2025 08:20
- Replace 'Base' with ':Base'
- Reverse path and return p
- Add accuracy disclaimer
martinsohn previously approved these changes Oct 9, 2025
@martinsohn
Collaborator

Thanks for the commit @auk0x01, I made slight modifications to the commit.

  • Replace 'Base' with ':Base'
  • Reverse path and return p
  • Add accuracy disclaimer

There is a way of taking 'Overriding and Blocking Group Policy' into account, but awaiting BloodHound's Postgres db support for HEAD() and TAIL()

// GPOs affecting specified target
MATCH p=(:GPO)-[r:GPLink|Contains*1..]->(:Base{objectid:'<oid>'})
WHERE HEAD(r).enforced OR NONE(n in TAIL(TAIL(NODES(p))) WHERE (n:OU AND n.blocksinheritance))
RETURN p

@auk0x01
Contributor Author

auk0x01 commented Oct 10, 2025

Hey @martinsohn thanks for the modifications.

I think you replaced 'Base' with ':OU', not with ':Base'. This way, the query will only find OU-level GPOs and not Domain-level GPOs. In the case of Domain-level GPOs, the GPOs have a 'GPLink' to the Domain instead of an OU. That's why we used the Base node so that the GPO can have a GPLink to either the Domain or an OU.

Another thing: we used the 'toLower()' function to make this query case-insensitive so that users can have an easier time entering the computer name even in different casing styles.
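
An added Python model, not code from the PR or from BloodHound, of the enforced / blocks-inheritance filter in the query above and of the ':Base' versus ':OU' point, run over a constructed container chain. The `Container` class, the `gpos_affecting` function and all GPO and OU names are assumptions made for illustration.

```python
# Added illustration on constructed data; not code from the PR or BloodHound.
from dataclasses import dataclass, field

@dataclass
class Container:                       # hypothetical stand-in for a Domain/OU node
    name: str
    kind: str                          # "Domain" or "OU"
    blocksinheritance: bool = False
    gplinks: list = field(default_factory=list)   # (gpo_name, enforced) pairs

def gpos_affecting(chain, link_kinds=("Domain", "OU")):
    """chain: containers from the domain down to the computer's parent OU.
    link_kinds: node kinds a GPLink may end on. Both kinds models ':Base';
    ("OU",) models the ':OU' variant discussed in the thread."""
    applied = []
    for i, linked_at in enumerate(chain):
        if linked_at.kind not in link_kinds:
            continue
        # Nodes below the link target, i.e. TAIL(TAIL(NODES(p))). The computer
        # itself is omitted because it is never an OU.
        below = chain[i + 1:]
        blocked = any(c.kind == "OU" and c.blocksinheritance for c in below)
        for gpo, enforced in linked_at.gplinks:
            # HEAD(r).enforced OR NONE(... n:OU AND n.blocksinheritance)
            if enforced or not blocked:
                applied.append(gpo)
    return applied

# Constructed sample: CORP.LOCAL -> SERVERS -> TIER0 -> computer
domain = Container("CORP.LOCAL", "Domain", gplinks=[
    ("Default Domain Policy", False), ("Baseline Hardening", True)])
servers = Container("SERVERS", "OU", gplinks=[("Server Audit", False)])
tier0 = Container("TIER0", "OU", blocksinheritance=True,
                  gplinks=[("Tier0 Lockdown", False)])

if __name__ == "__main__":
    print(gpos_affecting([domain, servers, tier0]))      # computer in TIER0
    print(gpos_affecting([domain, servers]))             # computer in SERVERS
    print(gpos_affecting([domain, servers], ("OU",)))    # ':OU'-only matching
```

For a computer in TIER0, the non-enforced domain and SERVERS links are dropped because TIER0 blocks inheritance, while the enforced domain link and the GPO linked directly to TIER0 remain. Restricting link targets to OUs drops every domain-level GPO.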

@martinsohn
Collaborator

Makes sense @auk0x01, I will get it fixed! Thank you.

Btw, we got a GitHub Actions issue, we're working on addressing that.

@auk0x01
Contributor Author

auk0x01 commented Oct 11, 2025

@martinsohn Oh ok, thanks a lot. I will be waiting for you guys to resolve the issue then.
By the way, any approximate time for the fix? XD

@d3vzer0 d3vzer0 merged commit d5ecad9 into SpecterOps:main Oct 14, 2025
1 of 2 checks passed