Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-gpttmpl is a helper command that reads and parses a GptTmpl.inf file — the INI-format template used by the Security Settings extension of Group Policy — into structured output. These files live on the SYSVOL share under each GPO’s machine or user policy directory and define settings such as user right assignments (e.g. SeDebugPrivilege), restricted group memberships, system access controls, and registry values. Pointing this command at a UNC path on SYSVOL allows you to extract those settings programmatically without manually parsing the INF format. This command is a key building block used internally by get-domainpolicy and get-netgpogroup.
get-gpttmpl uses the ad_parser for its LDAP connection setup but the --gpt-tmpl-path argument points to a file path (typically a UNC path on SYSVOL, e.g. \\dc.contoso.com\SYSVOL\contoso.com\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf). The path is required and the command will not run without it.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--gpt-tmpl-path
string
required
The path to the GptTmpl.inf file to parse. This is typically a UNC path pointing to a file on the SYSVOL share (e.g. \\dc.contoso.com\SYSVOL\contoso.com\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf).

Examples

# Parse a GptTmpl.inf file from SYSVOL for a specific GPO
pywerview get-gpttmpl \
  -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --gpt-tmpl-path '\\dc.contoso.com\SYSVOL\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Parse the Default Domain Controllers Policy security template
pywerview get-gpttmpl \
  -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --gpt-tmpl-path '\\dc.contoso.com\SYSVOL\contoso.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# JSON output for programmatic processing
pywerview get-gpttmpl \
  -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --gpt-tmpl-path '\\dc.contoso.com\SYSVOL\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf' \
  --json

# Pass-the-hash authentication
pywerview get-gpttmpl \
  -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com \
  --gpt-tmpl-path '\\dc.contoso.com\SYSVOL\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
Use get-netgpo to retrieve GPO GUIDs and their SYSVOL paths (gPCFileSysPath attribute), then construct the full path to the GptTmpl.inf file by appending \MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Not all GPOs contain a GptTmpl.inf — only those with Security Settings configured will have this file.

Build docs developers (and LLMs) love

Get started for freeTalk to us