Forum Discussion
Policy Analyzer showing incorrect values
Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But, the GPO backup seems to be displaying the wrong values in Policy Analyzer.
As seen in this picture on the left, the Policy Setting RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy are setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1.
I have tried three times now to backup and re import the GPO into the policy analyzer, but the values are still appearing incorrectly. These are not the only values that this is happening too. I noticed some of the values are grayed out, when they actually have been set.
- In that Policy Analyzer window, enable Options \ Show GPO names and files in Details pane.
That will tell you exactly what files contain the settings being displayed. Find the GptTmpl.inf files corresponding to the settings that appear to be wrong.I found the GptTmpl.inf for those two policy settings and it displays this -
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0What am I supposed to do with this information?
d_irving Well, it's showing that Policy Analyzer is correctly rendering the GPOs you backed up.
The syntax for the [Registry Values] part of the security template is:
key\valuename=type,datatype 4 is REG_DWORD, and it's set to 0, which is what Policy Analyzer is reporting.
Are you certain that the GPOs you're backing up and importing into Policy Analyzer are the same ones that you're looking at on the right-hand side of the screenshot you posted?
