AdminTo and GPO Security Filtering does not match

[tecxx]

Hello,
sharphound 2.7.2.
in our Tier1 there is a GPO that grants group SECSCCMSITESERVERS local admin on one server (srv012).

this is done via security filtering:

bloodhound shows us that all tier1 servers have this group as local admin, which is incorrect

it looks like the collector is not honoring GPO security filtering correctly. did something change in one of the recent collector versions, because we're pretty sure this did not show up beginning of year?

edit: to be sure not to make a mistake, i unlinked the GPO and ran the collector, incorrect adminto-links are gone, then added the GPO and ran collector once more - adminto-links are back.

thanks!
RR

[rvazarkar]

GPO processing has never supported any sort of filtering, as the logic around those filters is almost infinitely complex. The only supported form of filtering is basically where the GPOs are linked currently.

GPO collection is generally not the most effective form of data collection either, as local things can sometimes override GPO level targetting.