tools.ad_gpo_tools module

Allowlisted Active Directory and Group Policy PowerShell via WinRM.

Requires an existing session from winrm_connect to a host with RSAT (ActiveDirectory and GroupPolicy modules). Executes fixed cmdlet templates only (no arbitrary PowerShell from the model).

Security: domain-wide impact; mistakes can be irreversible. Gate: UNSANDBOXED_EXEC. Use least-privilege accounts on the WinRM target. Same transport caveats as winrm_run_ps (winrm_run_ps still allows arbitrary script; these tools are structured alternatives).