Last updated: April 29, 2026
Group Policy Preferences (GPP) was introduced in Windows Server 2008 to let admins manage settings that weren’t covered by Group Policy Objects — local account creation, scheduled tasks, services, drive mappings, printer deployments. Admins could set passwords for these in the GPO, stored in SYSVOL. Until 2014, those passwords were encrypted with an AES key Microsoft published publicly. MS14-025 removed the ability to create new password-laden GPPs but didn’t remove existing ones. In 2026, GPP cPassword remnants still live in SYSVOL folders of many production domains.
Why this happens
The cPassword design was baffling in hindsight: Microsoft needed domain-member computers to decrypt local admin passwords from GPOs. They needed a shared secret. They chose a single AES-256 key, published in MSDN documentation. The key is the same on every Windows install. Literally public.
Any authenticated user can read SYSVOL, find the cPassword attribute in any GPP XML file, and decrypt it with the public key. Game over for that account.
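A defender-side audit for these remnants, as an added example that is not part of the original article: it walks a copy of SYSVOL, reports every XML element that still carries a non-empty cpassword attribute (matched case-insensitively), and never copies the encrypted value into the report. The sample files, the folder layout and the account attribute names are constructed assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes naming the account in GPP XML (assumed from the usual GPP layout).
ACCOUNT_ATTRS = ("username", "runas", "accountname")

def find_cpasswords(root_dir):
    """One finding per element with a non-empty cpassword; the blob is never copied."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: nothing to report
            for parent in root.iter():
                for elem in parent:
                    attrs = {k.lower(): v for k, v in elem.attrib.items()}
                    if not attrs.get("cpassword", "").strip():
                        continue  # attribute absent or blank: no stored secret
                    account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
                    findings.append({"file": path, "account": account,
                                     "changed": parent.attrib.get("changed", "")})
    return findings

def build_sample(root_dir):
    """Write constructed sample files laid out like a SYSVOL Preferences folder."""
    base = os.path.join(root_dir, "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences")
    docs = {
        "Groups.xml": '<Groups><User name="localadmin" changed="2013-07-04 00:07:13">'
                      '<Properties cpassword="CONSTRUCTED-PLACEHOLDER" userName="localadmin"/>'
                      '</User></Groups>',
        "Drives.xml": '<Drives><Drive name="S:" changed="2019-01-02 10:00:00">'
                      '<Properties cpassword="" userName=""/></Drive></Drives>',
        "Services.xml": '<NTServices><NTService',  # truncated on purpose
    }
    for name, body in docs.items():
        folder = os.path.join(base, os.path.splitext(name)[0])
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_cpasswords(tmp))
```

Run `find_cpasswords` against a read-only copy of SYSVOL; each finding is a GPP entry to remove and an account whose password should be changed.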