Which Group Policy preference files besides Groups.xml can contain the cpassword attribute and be exploited?

Several GPO preference files can store encrypted passwords when an administrator enters credentials, including Services.xml, ScheduledTasks.xml, Printers.xml, Drives.xml, and DataSources.xml. For example, ScheduledTasks.xml stores credentials when tasks are configured to 'Run as' a specific user. An attacker can query all these files in SYSVOL and decrypt any found cpassword values. The technique for scheduled tasks is covered in Domain Penetration - Remote Execution via Scheduled Tasks in GPO.