#StackBounty: #windows #group-policy Windows LGPO not importing security template GPOs?

Bounty: 50

I have configured local Group Policy Objects on a Windows 10 Enterprise machine. After that, I exported these GPOs with the Microsoft tool LGPO with:

LGPO.exe /b [path]

This all works fine.
Now I used this GPO export to import it on a second installation (identical), like so:

LGPO.exe /g [path to export]

Everything seems to work as expected, there are no errors during the process.
After that, I updated the policies like

gpupdate /force

I can tell that some policies did in fact apply correctly, but some didn’t. After looking into gpedit, I found that some of the policies regarding the "Security Template" did in fact not import (but some did). Why would this happen? I used the same technique before and it worked as far as I remember.

After further investigation into the LGPO export, I found that the settings regarding the Security Template are found in this file:
[Export-ID]\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf.

This file is structured like this:

[Unicode]
...
[System Access]
...
[Event Audit]
...
[Registry Values]
... <-- These registry values listed here are not imported at all
// some examples 
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"2"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId=4,1
[Privilege Rights]
...
[Version]
...

So, how come that the list of settings stored in the "Registry Values" section does not import correctly?

Edit:

I also tried to reinstall the second Windows machine, but still no luck.
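
The following Python is added here and is not part of the original question or of LGPO. It parses the [Registry Values] section of a GptTmpl.inf in the layout shown above and lists the entries that are absent or different in a snapshot of the values read from the target machine. The sample template, the shape of the `actual` snapshot and the function names are assumptions constructed for illustration.

```python
import re

# Type codes in [Registry Values] match the Windows REG_* constants.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample in the layout shown in the question (not a real export).
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
[Version]
signature="$CHICAGO$"
'''

def parse_registry_values(inf_text):
    """Return {(key, value_name): (type_name, data)} from [Registry Values]."""
    entries, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, rhs = line.partition("=")
        type_code, _, data = rhs.partition(",")
        # The last path component is the value name, the rest is the key.
        key, _, name = path.strip().rpartition("\\")
        reg_type = REG_TYPES.get(int(type_code), f"type {type_code.strip()}")
        data = data.strip()
        value = int(data) if reg_type == "REG_DWORD" else data.strip('"')
        entries[(key, name)] = (reg_type, value)
    return entries

def find_unapplied(expected, actual):
    """List template entries missing from, or different in, `actual`.

    `actual` is a {(key, value_name): data} dict collected on the target.
    """
    return sorted(k for k, (_, want) in expected.items()
                  if actual.get(k) != want)
```

A real GptTmpl.inf is normally UTF-16 encoded, so read it with `encoding="utf-16"` before passing its text to `parse_registry_values`.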


#StackBounty: #windows #group-policy #local Apply local group policy objects to custom user group

Bounty: 50

Background

The scenario I am struggling with is the following: I have a standalone Windows 10 Enterprise system (not connected to any network / AD) which I want to configure with local group policies. The group policies should be different for different user groups. (User Groups: custom_admin, custom_user1, custom_user2)

Issue

What I have done so far is to create local GPOs for the machine via gpedit and GPOs for the "Admin" users via mmc (as shown here).

Now I want to also configure different GPOs for the custom_user1 and custom_user2 user groups, so that all users that will be created and assigned to these groups are restricted by these policies.

So far I have not been able to find a solution to this, but I suppose this has to be possible somehow. Is there any way to achieve this?

Edit:

I tried using the tool LGPO to export and import the policies. This works well for "administrators", and there is also a way to import specific policies to a certain user. But I can’t seem to find a way to import policies for a specific local user group.


#StackBounty: #google-chrome #mac #python #group-policy How do I instantiate policies in Chrome on mac?

Bounty: 50

This is the set of policies that I want for my installation of Chrome (converted to json):

{
   "chromePolicies": {
      "BrowserAddPersonEnabled": {
         "level": "recommended",
         "scope": "machine",
         "source": "platform",
         "value": false
      },
      "BrowserGuestModeEnabled": {
         "level": "recommended",
         "scope": "machine",
         "source": "platform",
         "value": false
      },
      "ExtensionInstallForcelist": {
         "level": "mandatory",
         "scope": "machine",
         "source": "platform",
         "value": [ "pncfbmialoiaghdehhbnbhkkgmjanfhe", "mdnleldcmiljblolnjhpnblkcekpdkpa", "cjpalhdlnbpafiamejdnhcphjbkeiagm" ]
      }
   }
}

I’ve tried to instantiate these policies in a number of ways, including:

  1. Edited the com.google.Chrome.plist in /Library/Managed Preferences/Preferences
  2. Edited the com.google.Chrome.plist in /Library/Preferences
  3. Ran these commands:
     defaults write com.google.Chrome BrowserAddPersonEnabled -bool false
     defaults write com.google.Chrome BrowserGuestModeEnabled -bool false
     defaults write com.google.Chrome ExtensionInstallForcelist -array \
       '{ pncfbmialoiaghdehhbnbhkkgmjanfhe; }' \
       '{ mdnleldcmiljblolnjhpnblkcekpdkpa; }' \
       '{ cjpalhdlnbpafiamejdnhcphjbkeiagm; }'
  4. Installed mcxToProfile and converted my policies file to a profile and then installed that profile on my Mac OS, according to these instructions. That was with this command: python mcxToProfile.py --plist /Library/Preferences/com.google.Chrome.plist --identifier com.google.Chrome

Every time I edit the policies, they fail to stick. They might appear in Chrome for the current session but they go away after I restart my computer (specifically the extension install forcelist).


#StackBounty: #group-policy #audit #reboot Auditpol gets reset after rebooting

Bounty: 50

I have created a script that deletes a file and updates some advanced auditing settings using auditpol. However, whenever the computer gets reset, those auditpol changes get reset as well. Is there any way of preventing this? What could cause that to happen? After doing some extensive research, most if not all answers I found went down the path of deleting some audit.csv files in the system path, which has some unintended consequences for me. Generally speaking, those deletions completely removed all of the auditpol settings altogether. The main post that my search always led back to is here.

All I want is for my auditpol settings to persist. Otherwise, I will have to write a script to automatically apply those settings after every reboot, which I certainly don’t want to have to do.

Another common fix to these types of problems I have seen is ensuring the registry setting to force advanced audit settings to override the legacy ones is enabled, which it is. I don’t have any problems actually changing the advanced audit policy, just having it actually remain after rebooting.


#StackBounty: #windows-10 #group-policy #search-indexing Modifying Index Location is Disabled by a Policy

Bounty: 50

I have indexing set up on Windows 10 (build 18363.693) to include 4 different drives, and the index itself is stored on a separate drive.

I am attempting to set up the index to no longer be on this drive, and move to a different drive, however, I am running into one major roadblock. In the control panel, when I attempt to change the location of the index, I get the following error message:

I am on a personal machine, that should not have any group policy changed from default (as the machine is not domain bound), and I have not made any recent changes that should have enacted this policy to take effect.

What I find odd is that in the Windows Registry, the path to my current index shows as C:ProgramDataMicrosoftSearchNewData, even though the index is currently being stored on drive G:. Along with this, in control panel, the current location of the index is not shown:


What I have tried so far:

  • Resetting all policies in gpedit.msc back to default – meaning ‘Not configured’ and running gpupdate

  • My user account should be admin, but just in case I opened Control Panel from an administrative shell – still no luck


I would appreciate any guidance, as the search index appears to no longer be functioning correctly, and as such, I cannot search Windows in any way, shape or form.


#StackBounty: #windows #google-chrome #windows-registry #active-directory #group-policy enable Google Chrome policies otherwise only av…

Bounty: 50

There are a number of settings for Google Chrome which are applied as “policies”. Under the hood, these are registry entries, typically located at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. These policies are nominally designed to be enabled by Group Policy in an Active Directory environment (using ADM or ADMX files). Many of them work whether the computer is joined to a domain or not; presumably Chrome is just reading the registry value.

However, some policies only work when the computer is joined to Active Directory “or Windows 10 Pro or Enterprise instances that enrolled for device management” (see link). Since the policy configuration values are ultimately just registry entries, then Chrome must be going out of its way to check if the computer is in Active Directory.

What I want to know, is there a way to deceive Chrome about the computer’s Active Directory membership, or some way to otherwise convince Chrome to honor these policies regardless?


#StackBounty: #windows #group-policy #startup-scripts trigger an autologon from computer startup script

Bounty: 50

I am looking for a way to automatically log on a user from a computer startup script, without rebooting the machine. I know I can write to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon… keys or use Sysinternals autologon.exe, but none of this works without a reboot.

OS: Windows >= 7

A while ago, I saw a small utility that could do it. But I forgot about it and can’t find it again. Or maybe there is some other solution?

I think, it is only possible with a GINA plugin?


#StackBounty: #windows #group-policy #windows-server-2016 #rdp Allow non-admin users RDP session "Sign off" rights on Windows…

Bounty: 50

Is there a way to allow a non-admin user access to kill rogue RDP sessions on Windows Server 2016 using Group Policy? Our network consists of hundreds of 2016 and 2012r2 servers, so we’re trying to do this with GP instead of individually on each server.

This post is related, only our servers do not have the RDSH role applied, and it seems this would need to be configured on each server individually.


#StackBounty: #windows #windows-10 #sleep #hibernate #group-policy Windows 10 can't go to sleep. Sleep states S1-S3 are not available

Bounty: 50

I have a Windows 10 desktop machine and I think that I disabled “sleep” sometime in the past. However, now I want to enable it again and I just can’t figure out how to do it.

First of all, Windows doesn’t think that sleeping is an option at all. Only hibernation.

   C:\Windows\system32>powercfg /A
   The following sleep states are available on this system:
    Hibernate
    Fast Startup

The following sleep states are not available on this system:
    Standby (S1)
        The system firmware does not support this standby state.

    Standby (S2)
        The system firmware does not support this standby state.

    Standby (S3)
        The system firmware does not support this standby state.

    Standby (S0 Low Power Idle)
        The system firmware does not support this standby state.

    Hybrid Sleep
        Standby (S3) is not available.

I have checked the group policy, and it looks fine:

I’ve also checked the registry database, and as far as I can see it looks as it should:

The only thing I’ve changed here is that I’ve disabled RTCWAKE (bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d) because my computer was starting up in the middle of the night and not shutting down again. Which was pretty annoying.

As far as I can see there is nothing which is misconfigured in the BIOS, but I can of course be wrong.

Here is a link to my complete current setup: https://www.userbenchmark.com/UserRun/4352121

If anyone has any idea of why Windows doesn’t think the various sleep states are available, please let me know.

If it’s any help, I have a weak memory of trying to disable the normal sleep states using group policy. Perhaps there is some other setting in there?

Thank you!

