
Adding GPO Parsing to retrieve Local Admins#165

Open
LeogFR wants to merge 2 commits into dirkjanm:master from LeogFR:master

Conversation

@LeogFR

@LeogFR LeogFR commented Mar 21, 2024

Hello,
We implemented the Local Admins collection by adding Local Admins configured in GPOs as security groups.
We parsed the GPO content located in the SYSVOL share using an SMB connection.

PS: This was our final studies project in our cybersecurity engineering degree; let us know if you have any feedback!
@LeogFR & @Betichps

@denandz

denandz commented Sep 3, 2025

If I'm understanding correctly, additional processing on this PR to handle RemoteDesktopUsers, DcomUsers and PSRemote local groups should in theory bring this up to speed with SharpHound and close issue #179

Relevant method in SharpHound: https://github.com/SpecterOps/SharpHoundCommon/blob/68a68c6eab5375b46f975274b16ff1acdc35dc48/src/CommonLib/Processors/GPOLocalGroupProcessor.cs#L60

@funoverip

I think that you forgot to look at where the GPO(s) are linked?

You still need to search for objects linked to it, for example by searching for (gPLink=*CN={1410979C-58F4-458A-9367-F07613F2A825},CN=Policies,CN=System,*)

DN: OU=Servers,DC=north,DC=sevenkingdoms,DC=local
  objectClass: top, organizationalUnit
  ou: Servers
  distinguishedName: OU=Servers,DC=north,DC=sevenkingdoms,DC=local
  instanceType: 4
  whenCreated: 20260108141342.0Z
  whenChanged: 20260108141456.0Z
  uSNCreated: 26998
  uSNChanged: 27010
  name: Servers
  objectGUID: dbfe4f3e-df1d-4786-bdb4-44b9e73ba1e0
  objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=sevenkingdoms,DC=local
  gPLink: [LDAP://cn={1410979C-58F4-458A-9367-F07613F2A825},cn=policies,cn=system,DC=north,DC=sevenkingdoms,DC=local;0][LDAP://cn={5F761E1F-6CB7-47DA-9B64-E72BEBDF3052},cn=policies,cn=system,DC=north,DC=sevenkingdoms,DC=local;0]
  dSCorePropagationData: 20260108141342.0Z, 20260108141342.0Z, 16010101000000.0Z

Then you need to look for the members of that OU. Only these objects are affected by the GPO.

Last but not least, \MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf also contains group membership information. Check for "Group Policy Template Information".
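The lookups discussed in this thread, as an added example that is not code from this PR or from BloodHound.py: parse an OU's gPLink attribute into its enabled links, build the LDAP filter funoverip suggests for finding where a GPO is linked, parse the [Group Membership] section of a GPO's GptTmpl.inf (the SecEdit template under MACHINE\Microsoft\Windows NT\SecEdit in SYSVOL) into local-group memberships, and scope the result to the computers under the linked OU. All sample data is constructed: the GPO GUIDs and the OU DN reuse the values quoted above, the SIDs, account names and computer names are made up, and the second link is marked disabled (;1) for illustration. GPP Groups.xml, which SharpHound also reads, is not handled here.

```python
"""Added example (not BloodHound.py code): gPLink + GptTmpl.inf -> local admins per computer."""
import configparser
import io
import re

# One link per bracket: [LDAP://<gpo dn>;<options>]. In the options value,
# bit 0 (0x1) means the link is disabled and bit 1 (0x2) means it is enforced.
GPLINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=\{(?P<guid>[0-9A-F-]+)\}", re.IGNORECASE)
GPLINK_DISABLED = 0x1
GPLINK_ENFORCED = 0x2
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


def parse_gplink(gplink):
    """Return [(gpo_guid, gpo_dn, enforced)] for every link that is not disabled."""
    links = []
    for m in GPLINK_RE.finditer(gplink or ""):
        opts = int(m.group("opts"))
        if opts & GPLINK_DISABLED:
            continue
        g = GUID_RE.search(m.group("dn"))
        if g:
            links.append((g.group("guid").upper(), m.group("dn"), bool(opts & GPLINK_ENFORCED)))
    return links


def gpo_link_filter(gpo_guid):
    """LDAP filter that finds every container whose gPLink references this GPO."""
    return f"(gPLink=*CN={{{gpo_guid.upper()}}},CN=Policies,CN=System,*)"


def parse_gpttmpl(data):
    """Parse [Group Membership] of GptTmpl.inf into {local group: sorted members}.

    Keys look like '*S-1-5-32-544__Members' or 'NORTH\\tier1-ops__Memberof';
    values are comma separated, and a leading '*' marks a SID rather than a name.
    An empty '__Members' value still creates the entry (the group is restricted to nobody).
    """
    # SecEdit writes the template as UTF-16 with a BOM; fall back to cp1252 otherwise.
    text = data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("cp1252")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep '*' and the case of SIDs / names
    cp.read_file(io.StringIO(text))
    groups = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            principal, _, relation = key.rpartition("__")
            principal = principal.strip().lstrip("*")
            targets = [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
            if relation.lower() == "members":
                groups.setdefault(principal, set()).update(targets)
            elif relation.lower() == "memberof":
                for group in targets:
                    groups.setdefault(group, set()).add(principal)
    return {g: sorted(m) for g, m in groups.items()}


def computers_in_scope(ou_dn, computer_dns):
    """Computers whose DN lies in the OU subtree. Caveat: gPOptions=1 (blocked
    inheritance) on child OUs and WMI / security filtering are not modelled, so a
    computer listed here can still be excluded from the GPO at apply time."""
    suffix = "," + ou_dn.lower()
    return sorted(dn for dn in computer_dns if dn.lower().endswith(suffix))


def local_admins_from_gpo(gplink, gpo_templates, ou_dn, computer_dns):
    """For each enabled link on ou_dn, read that GPO's GptTmpl.inf (gpo_templates:
    guid -> bytes) and attribute its Administrators members to every computer under the OU."""
    admins = set()
    for guid, _dn, _enforced in parse_gplink(gplink):
        template = gpo_templates.get(guid)
        if template is not None:
            admins.update(parse_gpttmpl(template).get(ADMINISTRATORS_SID, []))
    return {c: sorted(admins) for c in computers_in_scope(ou_dn, computer_dns)}


# Constructed sample data (GUIDs and OU DN taken from the thread, the rest invented).
SAMPLE_OU = "OU=Servers,DC=north,DC=sevenkingdoms,DC=local"
SAMPLE_GPLINK = (
    "[LDAP://cn={1410979C-58F4-458A-9367-F07613F2A825},cn=policies,cn=system,DC=north,DC=sevenkingdoms,DC=local;0]"
    "[LDAP://cn={5F761E1F-6CB7-47DA-9B64-E72BEBDF3052},cn=policies,cn=system,DC=north,DC=sevenkingdoms,DC=local;1]"
)
SAMPLE_GPTTMPL = "\n".join([
    "[Unicode]", "Unicode=yes",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[Group Membership]",
    "*S-1-5-32-544__Memberof =",
    "*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,NORTH\\helpdesk",
    "NORTH\\tier1-ops__Memberof = *S-1-5-32-555",
]).encode("utf-16")
SAMPLE_COMPUTERS = [
    "CN=CASTELBLACK,OU=Servers,DC=north,DC=sevenkingdoms,DC=local",
    "CN=SQL01,OU=Database,OU=Servers,DC=north,DC=sevenkingdoms,DC=local",
    "CN=WS01,OU=Workstations,DC=north,DC=sevenkingdoms,DC=local",
]

if __name__ == "__main__":
    templates = {"1410979C-58F4-458A-9367-F07613F2A825": SAMPLE_GPTTMPL}
    print(gpo_link_filter("1410979C-58F4-458A-9367-F07613F2A825"))
    for computer, admins in local_admins_from_gpo(SAMPLE_GPLINK, templates, SAMPLE_OU, SAMPLE_COMPUTERS).items():
        print(computer, "->", admins)
```

In a real collector the gPLink value and the computer DNs come from LDAP (one search per linked container, then a subtree search for computer objects beneath it) and the GptTmpl.inf bytes from the GPO folder in SYSVOL over SMB; the functions above only take those already-fetched values so the logic can be checked offline. Resolving the `S-1-5-21-...` SIDs and `DOMAIN\name` entries to directory objects is left to the caller.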

3 participants