Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netgpo queries the domain controller via LDAP to enumerate all Group Policy Objects in the domain. Every GPO is represented as a groupPolicyContainer object in Active Directory, carrying attributes such as its GUID-based name, human-readable display name, and the UNC path (gPCFileSysPath) pointing to the SYSVOL share where the actual policy files live. By default the command returns every GPO, but you can narrow results by GPO name (the {GUID} form) or by display name, both of which accept wildcard patterns. This output feeds directly into get-netgpogroup, find-gpocomputeradmin, and find-gpolocation to trace how policy settings translate into administrative access across the domain.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com). Required for domain LDAP queries.
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found. Requires pywerview[kerberos].
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
--cert
string
Path to a certificate file for SChannel (certificate-based) authentication.
--key
string
Path to the private key file associated with --cert.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--gponame
string
default:"*"
GPO name to query for. This is the GUID-style name (e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}). Wildcards are accepted. Defaults to *, which returns all GPOs.
--displayname
string
Display name to filter by (e.g. Default Domain Policy). Wildcards are accepted. When specified, this takes precedence over --gponame.
-d, --domain
string
Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-a, --ads-path
string
Additional ADS path to restrict the LDAP search base (e.g. OU=Servers,DC=contoso,DC=com).

Examples

# List all GPOs in the domain
pywerview get-netgpo -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Find GPOs whose display name starts with "Default"
pywerview get-netgpo -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --displayname 'Default*'

# Look up a specific GPO by its GUID name
pywerview get-netgpo -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --gponame '{31B2F340-016D-11D2-945F-00C04FB984F9}'

# Pass-the-hash authentication
pywerview get-netgpo -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication with an existing ccache
KRB5CCNAME=alice.ccache pywerview get-netgpo -t dc.contoso.com -k -w contoso.com

# JSON output for piping into other tools
pywerview get-netgpo -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json

Build docs developers (and LLMs) love

Get started for freeTalk to us