For the original post, see here.
So in yesterday's post, I mentioned that this guy wrote a neat tutorial and PowerShell script called Get-GPPPassword.ps1 that will decipher the passwords in a valid Groups.xml file. You can find his scripts here. (The PowerSploit repository on GitHub.) I wrote an additional function to go inside Get-GPPPassword.ps1 this morning. The purpose of the new function is to automatically search your own domain for Groups.xml files and run Get-GPPPassword on them. This can be handy for finding all the Groups.xml files as quickly as possible, especially in a domain with lots of policies, and especially if you're pressed for time. It's very simple:
function Find-GPPPasswords {
    <#
    .SYNOPSIS
    Scan your own domain in search of valid Groups.xml files in SYSVOL. If found, use Get-GPPPassword on them.
    .NOTES
    Author: Ryan Ries (www.myotherpcisacloud.com)
    .EXAMPLE
    PS C:\> . .\Get-GPPPassword.ps1
    PS C:\> Find-GPPPasswords
    #>
    Write-Host "Now searching $Env:UserDNSDomain for Group Policy Preferences passwords..."
    $GroupsFiles = Get-ChildItem -Path "\\$Env:UserDNSDomain\SYSVOL" -Recurse -Include Groups.xml
    foreach ($File in $GroupsFiles) {   # named loop variable instead of reusing the automatic $_
        Get-GPPPassword -Path $File.FullName
    }
}
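An added audit example, not from the original post or from PowerSploit: it lists the GPP files that still hold a cpassword attribute without decrypting anything, and it goes beyond Groups.xml to the other preference files that can carry the attribute. The function name Find-GPPCpassword, the output fields and the sample tree are assumptions constructed for illustration.

```powershell
# Added example (hypothetical helper name): report GPP XML files that still
# carry a cpassword attribute. Nothing is decrypted; the output is a remediation list.
function Find-GPPCpassword {
    param(
        # Root to search. On a domain-joined host: "\\$Env:UserDNSDomain\SYSVOL"
        [Parameter(Mandatory)] [string] $Root
    )
    # Group Policy Preferences files that can hold a cpassword attribute
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Printers.xml', 'Drives.xml'
    Get-ChildItem -Path $Root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Unparseable XML: $($file.FullName)"; return }
            # Every element with a non-empty cpassword attribute (normally <Properties>)
            foreach ($node in $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Gpo     = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                    Item    = $node.ParentNode.GetAttribute('name')
                    Account = $node.GetAttribute('userName')
                    Changed = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline (all values are made up)
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$demoDir  = Join-Path $demoRoot 'Policies\{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin" changed="2012-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demoDir 'Groups.xml')

Find-GPPCpassword -Root $demoRoot | Format-List
```

Each row names the policy GUID and the account, which is what you need to remove the stored password from that preference item and rotate the account's credential.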