Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

find-gpocomputeradmin answers the question: given a specific computer or an Organizational Unit, which users and groups have been granted administrative access to those machines through Group Policy? The command works by locating the OUs that the target computer (or all computers within the target OU) belongs to, finding all GPOs linked to those OUs, and then inspecting each GPO’s Restricted Group and Groups.xml settings for local admin membership grants. The result is a consolidated list of principals that GPO policy pushes into a local privileged group on the target machine — exactly what you need during a privilege-escalation assessment to find non-obvious admin paths. Use --recurse to expand any returned domain groups into their individual members for a fully flattened view.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Requires pywerview[kerberos].
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--computername
string
The name of the computer to check GPO-based admin access for. Specify either --computername or --ouname — not both.
--ouname
string
OU name to check. Returns the GPO-based admin grants that apply to every computer object within that OU. Specify either --ouname or --computername — not both.
-d, --domain
string
Domain to query. Defaults to the domain inferred from the target DC or credentials.
-r, --recurse
boolean
If a returned member is a domain group, recurse into that group and return all of its individual members. Useful for fully flattening nested group memberships.

Examples

# Find who has GPO admin access to a specific computer
pywerview find-gpocomputeradmin -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --computername SRV-WEB

# Find who has GPO admin access to all computers in an OU
pywerview find-gpocomputeradmin -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --ouname Workstations

# Recurse into group memberships for a fully flattened view
pywerview find-gpocomputeradmin -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --computername SRV-WEB --recurse

# Pass-the-hash with recursion
pywerview find-gpocomputeradmin -t dc.contoso.com -u alice \
  --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com --computername SRV-DB --recurse

# JSON output
pywerview find-gpocomputeradmin -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --computername SRV-WEB --recurse --json

Build docs developers (and LLMs) love

Get started for freeTalk to us