From 0db8d38e0019f5e6c12cd6a1c6abcb67893157de Mon Sep 17 00:00:00 2001
From: "Adnan Ullah Khan (auk0x01)" <75381620+auk0x01@users.noreply.github.com>
Date: Thu, 9 Oct 2025 08:20:48 +0500
Subject: [PATCH 1/3] Create All GPOs applied to a specific computer.yml

---
 .../All GPOs applied to a specific computer.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 queries/All GPOs applied to a specific computer.yml

diff --git a/queries/All GPOs applied to a specific computer.yml b/queries/All GPOs applied to a specific computer.yml
new file mode 100644
index 0000000..ed150f3
--- /dev/null
+++ b/queries/All GPOs applied to a specific computer.yml
@@ -0,0 +1,14 @@
+name: All GPOs applied to a specific Computer
+guid: 1d75a21e-0d34-40c5-9360-281b60737d87
+prebuilt: false
+platform: Active Directory
+category: Domain Information
+description: View all GPOs that are applied to any specific computer. This query identifies GPOs that are applied at both the Domain Level and the OU level, saving time in large Active Directory environments where GPO inheritance is complex. Replace "COMPUTER_NAME" with the target computer name or a substring.
+query: |-
+ MATCH (gpo:GPO)-[:GPLink]->(Base)-[:Contains*..]->(c:Computer) WHERE toLower(c.name) CONTAINS toLower("COMPUTER_NAME")
+ RETURN gpo
+revision: 1
+resources:
+- https://penvasecurity.com.au/
+- https://github.com/PenvaSecurity/BloodhoundCypherQueries
+acknowledgements: Adnan Ullah Khan, @auk0x01
From ee40258ae4e1da9a6b952d469497e3ccbef2bba6 Mon Sep 17 00:00:00 2001
From: Martin Sohn Christensen
Date: Thu, 9 Oct 2025 11:14:20 +0200
Subject: [PATCH 2/3] Update All GPOs applied to a specific computer.yml

- Replace 'Base' with ':Base'
- Reverse path and return p
- Add accuracy disclaimer
---
 queries/All GPOs applied to a specific computer.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
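Review bot: The `description` in the new file (patch 1/3) says the GPOs are "applied", but the `query` only shows GPOs that are linked to a container somewhere above the computer. Link enforcement, blocked inheritance, security filtering and WMI filters decide whether a linked GPO actually takes effect on the host, and the pattern evaluates none of them, so the result is an upper bound and not the effective policy. I would word it as `description: View all GPOs linked to the domain or to an OU above a specific computer.` and point the reader at the host's resultant-set-of-policy output for confirmation. Separately, `(Base)` in the MATCH is a variable name and not the `:Base` label, so that node is unconstrained.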
diff --git a/queries/All GPOs applied to a specific computer.yml b/queries/All GPOs applied to a specific computer.yml
index ed150f3..4eed56c 100644
--- a/queries/All GPOs applied to a specific computer.yml
+++ b/queries/All GPOs applied to a specific computer.yml
@@ -3,12 +3,12 @@ guid: 1d75a21e-0d34-40c5-9360-281b60737d87
 prebuilt: false
 platform: Active Directory
 category: Domain Information
-description: View all GPOs that are applied to any specific computer. This query identifies GPOs that are applied at both the Domain Level and the OU level, saving time in large Active Directory environments where GPO inheritance is complex. Replace "COMPUTER_NAME" with the target computer name or a substring.
+description: View all GPOs that are applied to any specific computer. This query identifies GPOs that are applied at both the Domain Level and the OU level, saving time in large Active Directory environments where GPO inheritance is complex. Replace "COMPUTER_NAME" with the target computer name or a substring. Note this does not take OU 'Block inheritance' and GPO 'No Override' into account.
 query: |-
- MATCH (gpo:GPO)-[:GPLink]->(Base)-[:Contains*..]->(c:Computer) WHERE toLower(c.name) CONTAINS toLower("COMPUTER_NAME")
- RETURN gpo
+ MATCH p=(c:Computer)<-[:Contains*..]-(:OU)<-[:GPLink]-(:GPO)
+ WHERE c.name CONTAINS "COMPUTER_NAME"
+ RETURN p
 revision: 1
 resources:
-- https://penvasecurity.com.au/
-- https://github.com/PenvaSecurity/BloodhoundCypherQueries
+- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/Policy/overriding-and-blocking-group-policy
 acknowledgements: Adnan Ullah Khan, @auk0x01
From 083b38a4f5014f1109686f5ef4dfbfce6d33da84 Mon Sep 17 00:00:00 2001
From: Martin Sohn Christensen
Date: Fri, 10 Oct 2025 10:07:36 +0200
Subject: [PATCH 3/3] Update All GPOs applied to a specific computer.yml

---
 queries/All GPOs applied to a specific computer.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
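Review bot: The rewritten pattern `(:OU)<-[:GPLink]-(:GPO)` in the new `query` only follows links that end on an OU, so GPOs linked at the domain drop out of the result, while the description still promises domain-level GPOs and the commit message says the node became `:Base`. The new `WHERE c.name CONTAINS "COMPUTER_NAME"` is also case-sensitive now that `toLower` is gone, so a hostname typed in a different case than the stored value (BloodHound data normally holds names in upper case) returns an empty graph that is easy to misread as "nothing linked". I would use `(:Base)` for the container node and keep `WHERE toLower(c.name) CONTAINS toLower("COMPUTER_NAME")`.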
diff --git a/queries/All GPOs applied to a specific computer.yml b/queries/All GPOs applied to a specific computer.yml
index 4eed56c..38f02a3 100644
--- a/queries/All GPOs applied to a specific computer.yml
+++ b/queries/All GPOs applied to a specific computer.yml
@@ -5,8 +5,9 @@ platform: Active Directory
 category: Domain Information
 description: View all GPOs that are applied to any specific computer. This query identifies GPOs that are applied at both the Domain Level and the OU level, saving time in large Active Directory environments where GPO inheritance is complex. Replace "COMPUTER_NAME" with the target computer name or a substring. Note this does not take OU 'Block inheritance' and GPO 'No Override' into account.
 query: |-
- MATCH p=(c:Computer)<-[:Contains*..]-(:OU)<-[:GPLink]-(:GPO)
- WHERE c.name CONTAINS "COMPUTER_NAME"
+ // Replace "HOSTNAME/FQDN" with the computer's
+ MATCH p=(c:Computer)<-[:Contains*..]-(:Base)<-[:GPLink]-(:GPO)
+ WHERE toLower(c.name) CONTAINS toLower("HOSTNAME/FQDN")
 RETURN p
 revision: 1
 resources:
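Review bot: The added comment `// Replace "HOSTNAME/FQDN" with the computer's` stops mid-sentence, and the `description` line kept as context still tells the reader to replace "COMPUTER_NAME", a placeholder that no longer exists in the query. Someone who follows the description leaves the literal "HOSTNAME/FQDN" in the WHERE clause and gets an empty graph, which in a policy audit reads as "no GPOs linked" rather than "no computer matched". I would finish the comment as `// Replace "HOSTNAME/FQDN" with the computer's hostname or FQDN (case-insensitive substring match)` and name the same placeholder in the description.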