find-gpolocation is the inverse of find-gpocomputeradmin: instead of asking “who can admin this machine via GPO?”, it asks “which machines can this user or group admin via GPO?” The command accepts a username or group name, locates the GPO group-membership entries that include that principal, identifies which OUs those GPOs are linked to, and then returns all computer objects that fall under those OUs.

By default it checks membership in the local Administrators group (S-1-5-32-544), but you can point it at the Remote Desktop Users group with --local-group RDP, or supply any other local-group SID with --local-group. This makes it equally useful for auditing lateral movement paths (finding which systems a compromised account can reach as a local admin) and for checking RDP access during a red team engagement.

Flags

-t, --dc-ip (string, required): IP address of the domain controller to target.
-w, --workgroup (string): Name of the domain to authenticate with (e.g. contoso.com).
-u, --user (string): Username used to connect to the domain controller.
-p, --password (string): Password associated with the specified username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Requires pywerview[kerberos].
--tls (boolean): Force a TLS (LDAPS) connection to the domain controller.
-l, --logging-level (string): Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results as JSON instead of the default human-readable format.
--username (string): The domain username to check GPO-based access for. No wildcards. Specify either --username or --groupname.
--groupname (string): The domain group name to check GPO-based access for. No wildcards. Specify either --groupname or --username.
-d, --domain (string): Domain to query. Defaults to the domain inferred from the target DC or credentials.
--local-group (string, default: "S-1-5-32-544"): The local group to check access against. Accepted values:
  • Administrators or S-1-5-32-544: local Administrators group (default)
  • RDP or S-1-5-32-555: Remote Desktop Users group
  • Any S-1-5-X style SID string for other local groups

Examples

# Find which computers a user has local admin access to via GPO
pywerview find-gpolocation -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob

# Find which computers a group has local admin access to via GPO
pywerview find-gpolocation -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'HelpDesk'

# Check RDP access instead of local admin
pywerview find-gpolocation -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --local-group RDP

# Check access against a specific local group SID
pywerview find-gpolocation -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'HelpDesk' --local-group S-1-5-32-555

# Pass-the-hash authentication
pywerview find-gpolocation -t dc.contoso.com -u alice \
  --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com --username bob

# JSON output for automated reporting
pywerview find-gpolocation -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --json
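
The resolution chain described at the top of this page (GPO group-membership entry, then linked OU, then computers under that OU), modelled over constructed in-memory data as an added example for auditing; it is not pywerview's code. The data layout, the names gpo_locations, linked_gpos and resolve_local_group, the use of account names instead of SIDs for principals, and the skipping of disabled links are assumptions, and the model ignores security filtering and blocked inheritance.

```python
import re

# Aliases accepted by --local-group, as listed under Flags on this page.
LOCAL_GROUP_ALIASES = {"Administrators": "S-1-5-32-544", "RDP": "S-1-5-32-555"}

# Constructed sample data (hypothetical, not real directory output).
DOM = "DC=contoso,DC=com"
GPO_A = "{11111111-1111-1111-1111-111111111111}"
GPO_B = "{22222222-2222-2222-2222-222222222222}"
GPO_C = "{33333333-3333-3333-3333-333333333333}"
# GPO GUID -> local-group SID -> principals the GPO adds to that group
GPO_GROUP_MEMBERS = {
    GPO_A: {"S-1-5-32-544": {"CONTOSO\\HelpDesk"}},
    GPO_B: {"S-1-5-32-555": {"CONTOSO\\bob"}},
    GPO_C: {"S-1-5-32-544": {"CONTOSO\\HelpDesk"}},
}

def _link(guid, options):
    """Build one gPLink entry; option bit 1 means the link is disabled."""
    return f"[LDAP://cn={guid},cn=policies,cn=system,{DOM};{options}]"

# OU distinguished name -> raw gPLink attribute value
OU_GPLINKS = {
    f"OU=Workstations,{DOM}": _link(GPO_A, 0),
    f"OU=Servers,{DOM}": _link(GPO_B, 0) + _link(GPO_C, 1),
}
COMPUTERS = [
    f"CN=WS01,OU=Workstations,{DOM}",
    f"CN=WS02,OU=Laptops,OU=Workstations,{DOM}",
    f"CN=SRV01,OU=Servers,{DOM}",
]
GPLINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9a-f-]+\}),[^;\]]*;(\d+)\]", re.I)

def resolve_local_group(value):
    """Map an alias to its SID and reject anything that is not S-1-5-X."""
    sid = LOCAL_GROUP_ALIASES.get(value, value)
    if not re.fullmatch(r"S-1-5-\d+(-\d+)*", sid):
        raise ValueError(f"not a local-group alias or S-1-5-X SID: {value!r}")
    return sid

def linked_gpos(gplink):
    """GUIDs referenced by a gPLink value, skipping disabled links."""
    return {g.upper() for g, opt in GPLINK_RE.findall(gplink) if not int(opt) & 1}

def gpo_locations(principal, local_group="S-1-5-32-544"):
    """Computers under OUs linked to GPOs that add `principal` to the group."""
    sid = resolve_local_group(local_group)
    gpos = {g.upper() for g, grp in GPO_GROUP_MEMBERS.items() if principal in grp.get(sid, ())}
    ous = [ou.lower() for ou, link in OU_GPLINKS.items() if linked_gpos(link) & gpos]
    return sorted(c for c in COMPUTERS if any(c.lower().endswith("," + ou) for ou in ous))
```

In this sample, HelpDesk resolves to WS01 and WS02 (the nested Laptops OU inherits the Workstations link) but not SRV01, because the only GPO granting it admin on Servers is linked with the disabled bit set.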
