get-netgpogroup enumerates every Group Policy Object in the domain and inspects two policy mechanisms that control local group membership: the Restricted Groups section inside GptTmpl.inf (enforced via the [Group Membership] ini block), and Groups.xml files stored under the GPO’s MACHINE\Preferences\Groups\ SYSVOL path. Both mechanisms can silently add users or groups to local groups such as Administrators or Remote Desktop Users on every machine the GPO applies to. The command returns structured output listing the GPO name, the target local group SID, and the members being pushed — exactly the data needed to map GPO-enforced privilege grants across the domain. Use --resolve-sids to translate raw SIDs into readable DOMAIN\account names before further analysis.
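An added example (not pywerview's own code) of how the two policy sources described above encode local group grants, for auditing copies of the SYSVOL files offline. The file contents, SIDs and account names are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data; SIDs and account names are made up for illustration.
GPTTMPL_INF = """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-512
*S-1-5-21-1111-2222-3333-1140__Memberof = *S-1-5-32-555
*S-1-5-21-1111-2222-3333-1140__Members =
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
"""
GROUPS_XML = """<Groups><Group name="Administrators (built-in)">
  <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members>
    <Member name="CONTOSO\\helpdesk" action="ADD" sid="S-1-5-21-1111-2222-3333-1201"/>
    <Member name="CONTOSO\\old-admin" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1202"/>
  </Members></Properties></Group></Groups>
"""

def restricted_groups(inf_text):
    """Return {local group: {members}} from the [Group Membership] block."""
    grants, in_section = defaultdict(set), False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            subject, _, relation = key.strip().lstrip("*").rpartition("__")
            for other in filter(None, (v.strip().lstrip("*") for v in value.split(","))):
                if relation.lower() == "members":     # subject is the local group
                    grants[subject].add(other)
                elif relation.lower() == "memberof":  # subject is added to 'other'
                    grants[other].add(subject)
    return dict(grants)

def preference_groups(xml_text):
    """Return {local group: {members}} for ADD actions in Groups.xml."""
    grants = defaultdict(set)
    for props in ET.fromstring(xml_text).iter("Properties"):
        group = props.get("groupSid") or props.get("groupName")  # SID may be empty
        for member in props.iter("Member"):
            if member.get("action", "").upper() == "ADD":
                grants[group].add(member.get("sid") or member.get("name"))
    return dict(grants)

if __name__ == "__main__":
    print("GptTmpl.inf:", restricted_groups(GPTTMPL_INF))
    print("Groups.xml: ", preference_groups(GROUPS_XML))
```

Note that a `__Memberof` line grants membership in the opposite direction from a `__Members` line, so an audit that reads only `__Members` entries misses accounts pushed into a local group that way.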

Flags

-t, --dc-ip (string, required)
    IP address of the domain controller to target.

-w, --workgroup (string)
    Name of the domain to authenticate with (e.g. contoso.com).

-u, --user (string)
    Username used to connect to the domain controller.

-p, --password (string)
    Password associated with the specified username.

--hashes (string)
    NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.

-k (boolean)
    Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Requires pywerview[kerberos].

--tls (boolean)
    Force a TLS (LDAPS) connection to the domain controller.

-l, --logging-level (string)
    Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.

--json (boolean)
    Print results as JSON instead of the default human-readable format.

--gponame (string, default: "*")
    GPO name (GUID form) to filter on. Wildcards accepted. Defaults to * to process all GPOs.

--displayname (string)
    GPO display name to filter on. Wildcards accepted. Takes precedence over --gponame when set.

-d, --domain (string)
    Domain to query. Defaults to the domain inferred from the target DC or credentials.

-a, --ads-path (string)
    Additional ADS path to restrict the LDAP search base when enumerating GPO objects.

--resolve-sids (boolean)
    Resolve the SIDs of both the member accounts and the target local groups into human-readable DOMAIN\account names by querying the DC. Without this flag, raw SIDs are returned.

Examples

# Find all GPO-defined group memberships in the domain
pywerview get-netgpogroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Resolve SIDs for human-readable output
pywerview get-netgpogroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --resolve-sids

# Filter to a specific GPO by display name
pywerview get-netgpogroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --displayname 'Workstation Config' --resolve-sids

# Pass-the-hash with SID resolution
pywerview get-netgpogroup -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 \
  -w contoso.com --resolve-sids

# JSON output for scripted analysis
pywerview get-netgpogroup -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --resolve-sids --json

Combining get-netgpogroup with find-gpocomputeradmin and find-gpolocation gives a complete privilege map through GPOs: get-netgpogroup reveals which accounts are pushed into local groups by policy, find-gpocomputeradmin shows who has admin access to a specific machine or OU via that policy, and find-gpolocation inverts the query to show every machine a given user or group can reach as a local admin.
