Secure and protect GPO from enumeration (AD)

mehdi dakhama 336 Reputation points MVP

Hi everyone,

I'have a question, how can I protect the GPOs from enumeration from Tools like Bloodhound/PingCastle/PurpleKnight .... ?

how do you do, I'm working on a track to trap people who try to read GPOs that are not intended for them.

it can be interesting to be able to detect these random reads on important GPOs, and it will help a lot of companies in terms of security


A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,961 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,094 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,767 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Gary Reynolds 9,401 Reputation points


    It depends if you are trying to stop users from reading both machine and user based GPOs. For user based GPO it's a little more difficult as the user's account needs to be able to read the policies so they can be applied, you could make the allocation more specific rather than based the authenticated users group. For machine based policies it's a little easier, if you remove the authenticated users read and apply gpo permissions and apply the permissions to a specific group that only contains machine accounts. However, as machine group memberships are picked up on the next reboot, you just need to make sure you sequence the changes over a few days, so the machines still have access to read and apply the policies.

    Changing the authenticated users to a user or machine specific group will limit who can read the policy settings.