Active Directory · Term

What is SYSVOL?

SYSVOL is a share on every Domain Controller that all authenticated users can read. Old Group Policy Preferences sometimes left passwords there, encrypted with a key Microsoft published. Here is what SYSVOL is and the classic credential leak it caused.

TL;DR

SYSVOL is a shared folder hosted on every Domain Controller that stores Group Policy and logon scripts, and every authenticated user can read it. The classic risk is Group Policy Preferences (GPP) passwords: administrators once stored credentials in GPP XML files in SYSVOL, encrypted with an AES key Microsoft publicly documented, so anyone in the domain could decrypt them. Even after the MS14-025 fix, legacy files often remain, making SYSVOL a fast, quiet credential win for attackers.

By John Dill, Red Team Lead, SecureLayer7

What SYSVOL is

SYSVOL is a folder replicated to every Domain Controller and shared to the whole domain. It holds Group Policy Objects, logon scripts, and related files that domain-joined machines pull during policy processing.

Because every machine and user must read policy, all authenticated users can read SYSVOL. That is by design and usually fine, but it means anything sensitive left there is readable by everyone in the domain.

The GPP password leak and payload

The well-known abuse is GPP passwords. Administrators used Group Policy Preferences to set local-account passwords, which were stored in XML files (Groups.xml and similar) in SYSVOL, encrypted with AES, but Microsoft published the key. So any domain user could read and decrypt them.

  • Find and decrypt automatically: Get-GPPPassword (PowerSploit) or gpp-decrypt <cpassword>
  • Search SYSVOL for leftover secrets in scripts and XML.

Microsoft removed the feature in MS14-025, but pre-existing files were not deleted, so legacy cpassword values still surface. Shown for defensive context.

How to defend

  • Search SYSVOL for `cpassword` and remove any legacy GPP files containing it.
  • Apply MS14-025 so new GPP passwords cannot be created.
  • Remove credentials from logon scripts and other SYSVOL files; use proper secret management instead.
  • Rotate any password ever stored in SYSVOL, assuming it is compromised.
  • Audit SYSVOL access patterns for mass reads.
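An added example, not code from the original page, of the "search SYSVOL for cpassword" step written as a defensive audit: it walks a SYSVOL tree (a mounted share or an offline copy), parses the GPP preference XML files, and reports every element that still carries a cpassword attribute, without decrypting anything. The sample Groups.xml, its cpassword value and the GPO GUID directory name are constructed placeholders.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that could carry a cpassword attribute before MS14-025.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def scan_sysvol(root):
    """Walk a SYSVOL tree (mounted share or offline copy) and report every
    GPP element that still carries a cpassword attribute."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # malformed XML: skipped here, but worth a manual look
        for elem in tree.iter():
            if "cpassword" not in elem.attrib:
                continue
            findings.append({
                "file": path.relative_to(root).as_posix(),
                # The account attribute name differs per preference type.
                "account": (elem.get("userName") or elem.get("accountName")
                            or elem.get("runAs") or "?"),
                # Non-empty cpassword is decryptable by any domain user: rotate and delete.
                "secret_present": bool(elem.get("cpassword")),
            })
    return findings

# Constructed sample Groups.xml; the cpassword value is made up, not a real secret.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin"><Properties action="U" userName="LocalAdmin"
        noChange="1" cpassword="FAKEcpasswordVALUEforDEMOonly"/></User>
  <User name="Helpdesk"><Properties action="U" userName="Helpdesk" cpassword=""/></User>
</Groups>
"""

def scan_constructed_sample():
    """Write the sample under a GPP-style path in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = Path(tmp, "Policies", "{GPO-GUID-PLACEHOLDER}",
                       "Machine", "Preferences", "Groups")
        gpp_dir.mkdir(parents=True)
        (gpp_dir / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return scan_sysvol(tmp)
```

Point `scan_sysvol` at a copy of `\\<dc>\SYSVOL\<domain>` to get a list of files to clean up and accounts whose passwords need rotating; an empty cpassword is reported too so the stale file can still be removed.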
