Group Policy clues in AD - ToddMaxey/Technical-Documentation GitHub Wiki
Reviewing the Active Directory replication metadata on an AD object to determine when an attribute was changed and on which DC the change originated.
If a GPO is used in a compromise, one piece of the puzzle is when and where the GPO was changed. You can use the repadmin command on any DC to look at the AD replication metadata and make this determination.
A GPO has two parts: a file-system component in SYSVOL and an AD component. The AD object is located in the domain container under "System/Policies"; this is referred to as the GPO container. The SYSVOL part is called the GPO template. The GPO container is replicated by Active Directory and the GPO template is replicated using DFSR. Each policy has its own GPO GUID. There are two default GPO policies: the "Default Domain" policy, whose GUID starts with "31B", and the "Default Domain Controller" policy, whose GUID starts with "6AC".
You will need to determine which GPO was used in the compromise in order to gather the replication metadata needed for this analysis.
Repadmin /showobjmeta
Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 with SP2, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Displays the replication metadata for a specified object stored in Active Directory Domain Services (AD DS), such as the attribute ID, a version number, the originating and local Update Sequence Numbers (USNs), the globally unique identifier (GUID) of the originating server, and the date and time stamp.
By comparing the replication metadata for the same object on different domain controllers, you can determine whether replication has occurred, or which domain controller added, modified, or deleted an attribute or object. You can reference an object by its distinguished name path, object GUID, or security identifier (SID). If the distinguished name path includes a space, enclose it in quotation marks.
For examples of how to use this command, see Examples below.
repadmin /showobjmeta [DSA_LIST] <Object DN> [/nocache] [/linked]
| Parameter | Description |
|---|---|
| `<DSA_LIST>` | Specifies the host name of a domain controller or a list of domain controllers separated by single spaces. For detailed syntax, see Repadmin. |
| `<Object DN>` | Specifies the distinguished name of the object for which you want to display metadata. |
| `/nocache` | Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings. |
| `/linked` | Displays the metadata for linked attributes, such as the member attribute of a security group object. This parameter is valid only if the forest functional level is Windows Server 2003. |
The following example targets all domain controllers whose names begin with the string "dst" (such as dst-01, dst-02, and so on) and requests the replication metadata for an object by specifying its distinguished name. It should not be necessary to review the replication metadata from all the DCs; querying a single DC instead of using a wildcard should suffice.
repadmin /showobjmeta dst* "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com"
The above command retrieves the replication metadata for the Default Domain Policy.
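As an added example (not part of the original wiki page), the script below parses the table that repadmin /showobjmeta prints and pulls out the originating DC and timestamp for the GPO-container attributes that change when a policy is edited, which is exactly the "when and where" question above. The embedded sample output is constructed (DC names, USNs and timestamps are made up), and the column layout is assumed to match repadmin's default: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute.

```python
"""Pivot repadmin /showobjmeta output: when, and on which DC, was this GPO changed?"""
from collections import namedtuple

Entry = namedtuple("Entry", "loc_usn dsa org_usn when version attribute")

# GPO container attributes whose originating write indicates a policy edit.
GPO_ATTRS = {"versionNumber", "gPCMachineExtensionNames",
             "gPCUserExtensionNames", "gPCFileSysPath"}

# Constructed sample output; DC names, USNs and timestamps are made up.
SAMPLE = """\
5 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8238          Default-First-Site-Name\\DC01      8238 2023-01-10 09:12:01    1 objectClass
   8238          Default-First-Site-Name\\DC01      8238 2023-01-10 09:12:01    1 displayName
   8238          Default-First-Site-Name\\DC01      8238 2023-01-10 09:12:01    1 gPCFileSysPath
  91203          Default-First-Site-Name\\DC02     40511 2023-06-14 02:37:55    7 versionNumber
  91203          Default-First-Site-Name\\DC02     40511 2023-06-14 02:37:55    3 gPCMachineExtensionNames
"""

def parse_showobjmeta(text):
    """Parse the attribute table, skipping the header, ruler and 'N entries.' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 7 whitespace-separated fields and start with a USN.
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        loc_usn, dsa, org_usn, date, time, ver, attr = parts
        entries.append(Entry(int(loc_usn), dsa, int(org_usn),
                             f"{date} {time}", int(ver), attr))
    return entries

def gpo_edits(entries):
    """(originating DC, timestamp, attribute, version) for policy-relevant writes, newest first."""
    hits = [e for e in entries if e.attribute in GPO_ATTRS]
    hits.sort(key=lambda e: (e.when, e.org_usn), reverse=True)  # stable: ties keep table order
    return [(e.dsa.split("\\")[-1], e.when, e.attribute, e.version) for e in hits]

def last_edit(entries):
    """The most recent policy-relevant write: the DC whose event logs to pull next."""
    edits = gpo_edits(entries)
    return edits[0] if edits else None

if __name__ == "__main__":
    for dc, when, attr, ver in gpo_edits(parse_showobjmeta(SAMPLE)):
        print(f"{when}  {dc:<6} {attr} (version {ver})")
```

On a real DC, redirect the repadmin output to a file and feed it to parse_showobjmeta; the originating DC it reports is where the edit was written, so that DC's Security and Directory Service logs around the timestamp are the next place to look.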
The following example targets all domain controllers that have a name prefixed with the string "dst" and requests the replication metadata for an object by specifying the distinguished name:
repadmin /showobjmeta dst* CN=Finance,OU=UserGroups,DC=contoso,DC=com /linked
The following example targets a specific domain controller and requests the replication metadata for an object by specifying the object GUID:
repadmin /showobjmeta destdc01 "<GUID=93f24b2b-f140-4f74-b018-652566d8bdbd>"
The following example targets a specific domain controller and requests the replication metadata for an object by specifying the object SID:
repadmin /showobjmeta destdc01 "<SID=S-1-5-21-1742254763-462695806-1538882281-35372>"