Applies to BloodHound Enterprise and CE The GPLink relationship connects a Group Policy Object (GPO) to an AD domain or organizational unit (OU) it is linked to. The GPO’s settings apply to AD accounts (users and computers) within that domain or OU. The Enforced property on the edge indicates whether the GPO link is enforced, meaning it still applies if an OU has blocked GPO inheritance.

Abuse Info

Control over the GPO can be abused to compromise the AD accounts the GPO applies to by modifying the GPO policy settings. Refer to A Red Teamer’s Guide to GPOs and OUs for details about the abuse technique, and check out the following tools for practical exploitation:

Opsec Considerations

There is no opsec information for this edge.

References