ContainerWrite

Summary

FSProtect ACL Alias

ContainerWrite

AD Alias

GpoCustom

Affected Object Types

Group Policies

Exploitation Certainty

Certain

Description

The ContainerWrite Permission in Active Directory grants a user GpoCustom access, enabling them to modify and manage Group Policy Objects directly. When properly assigned, this permission allows authorized administrators to create, configure, and update policies that control user environments and system behaviors across the domain. With ContainerWrite, administrators can define security settings, deploy software, configure system preferences, and implement organizational policies in a centralized manner.

However, if granted inappropriately, the ContainerWrite permission poses significant security risks. An attacker or unauthorized user with ContainerWrite access could alter critical security settings, disable protective measures, or implement harmful configurations affecting all linked computers and users. Since Group Policy settings often apply to entire organizational units or domains, this permission effectively enables wide-reaching changes across the network environment. Additionally, attackers could embed malicious commands or code in these configurations. Because such scripts may run with elevated privileges (e.g., Domain Admins), any harmful modifications can rapidly compromise the network.

Identification

You can identify ContainerWrite on domain with this script

# Importing ActiveDirectory Module
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Access Control Type of Access Control Entry (Allow or Deny)
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow;

# Active Directory Rights of Access Control Entry
$ActiveDirectoryRights = "WriteProperty";
$ActiveDirectoryRights2 = "GenericAll";
$ActiveDirectoryRights3 = "GenericWrite";
$ContainerWritePermissionGuid = "00000000-0000-0000-0000-000000000000";

# Iterating all GPOs
 Get-GPO -All |

ForEach-Object {
    
    # Extracting Path
    $GPOPath = $_.Path;
    $DisplayName = $_.DisplayName
    # Retrieving Access Control Entries of GPO
    (Get-Acl -Path "AD:$GPOPath").Access |

    # Filtering Non-Inherited Allowed ACEs
    Where-Object {
        $_.AccessControlType -eq $AccessControlType -and
        $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights*" -or
        $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights2*" -or
        $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights3*" -and
        $_.ObjectType -eq $ContainerWritePermissionGuid -and
        $_.IsInherited -eq $false
        
    } | 
    
    # Selecting GPO's Name and ACE Holder
    Select-Object @{Name="Vulnerable GPO";Expression={$DisplayName}}, 
                  @{Name="Internal Threat";Expression={$_.IdentityReference}},
                  @{Name="Permissions";Expression={$_.ActiveDirectoryRights}}
} | 

# Exporting found Access Control Entries into CSV file
Export-Csv -Path "ContainerWrite.csv" -NoTypeInformation

Above mentioned code is scans all GPOs in the domain. You can scan specify GPO by changing GPOName Variable in the code mentioned below

# Importing ActiveDirectory and GroupPolicy modules
Import-Module ActiveDirectory
Import-Module GroupPolicy


$GPOName = 'DC_GPO'


# Access Control Type of Access Control Entry (Allow or Deny)
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow;

# Active Directory Rights of Access Control Entry
$ActiveDirectoryRights = "WriteProperty";
$ActiveDirectoryRights2 = "GenericAll";
$ActiveDirectoryRights3 = "GenericWrite";
$ContainerWritePermissionGuid = "00000000-0000-0000-0000-000000000000";

$GPO = Get-GPO -Name $GPOName

$GPOPath = $GPO.Path

# Retrieving Access Control Entries of GPO
(Get-Acl -Path "AD:$GPOPath").Access |


# Filtering Non-Inherited Allowed GenericWrite Permission
Where-Object {
    $_.AccessControlType -eq $AccessControlType -and
    $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights*" -or
    $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights2*" -or
    $_.ActiveDirectoryRights -like "*$ActiveDirectoryRights3*" -and
    $_.ObjectType -eq $ContainerWritePermissionGuid -and
    $_.IsInherited -eq $false       
} | 

    # Selecting GPO's Name and ACE Holder
Select-Object @{Name="Vulnerable GPO";Expression={$GPO.DisplayName}}, 
    @{Name="Internal Threat";Expression={$_.IdentityReference}},
    @{Name="Permissions";Expression={$_.ActiveDirectoryRights}} | 

# Exporting found Access Control Entries into CSV file
Export-Csv -Path "ContainerWrite.csv" -NoTypeInformation

To identify ContainerWrite using Group Policy Management, follow the steps below:

1. Open Group Policy Management.

2. Find and click on the Group Policy.

3. Select Delegation from the context menu then click Advanced.

4. Click on the Advanced button to open the Advanced Security Settings dialog in GPO's security settins window.

5. In the Advanced Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.

6. Click Edit to modify the selected ACE.

7. In the permissions list, locate and check the dangerous options (like WriteProperty, GenericWrite or `GenericAll ) .

8. Click OK to save your changes and close the dialogs.

Exploitation

This permission can be can be exploitable on Windows systems

The Logon scripts automatically executes a specific script during the user login process. This setting triggers the script to run as part of the login sequence. For adding Logon script follow steps below

1. Open Group Policy Management.

2. Find and right-click on the Group Policy.

3. Select Edit... from the context menu.

4. Follow this location with expanding policies User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) in Group Policy Management Editor``

5. Double-click Logon

6. Click Add... then click browse or write path of the script

7. Write Parameters of script and click OK

8. Click Apply to save your changes and close the dialogs.

Important Note

If this logon/logoff script affects authorized users (for example, the default domain policy affects authenticated users, which includes administrators and other authorized users), then when an authorized user logs in or logs off, the script will run with the high privilege.

Mitigation

Access Control Entries identified as dangerous should be removed by following the steps below.

1. Open Group Policy Management.

2. Find and click on the Group Policy.

3. Select Delegation from the context menu then click Advanced.

4. Click on the Advanced button to open the Advanced Security Settings dialog in GPO's security settins window.

5. In the Advanced Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.

6. Click Edit to modify the selected ACE.

7. In the permissions list, locate and remove the dangerous options (like WriteProperty, GenericWrite or `GenericAll ) .

8. Click OK to save your changes and close the dialogs.

Detection

Adding new Access Control Entries on the Active Directory objects changes the ntSecurityDescriptor attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event ID's to identify dangerous modifications.

Event ID
Description
Fields/Attributes
References

5136

A directory service object was modified.

ntSecurityDescriptor

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

4662

An operation was performed on an object.

AccessList, AccessMask

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

References

LogoWorking with startup, shutdown, logon, and logoff scripts using the Local Group Policy EditorMicrosoftLearn
MicrosoftLearn
https://support.keriocontrol.gfi.com/hc/en-us/articles/360015180040-Configuring-Login-Logout-scripts-via-GPOsupport.keriocontrol.gfi.com
support.keriocontrol.gfi.com
PreviousCertificateEnrollmentNextCreateAny

Last updated

Was this helpful?