Microsoft Tech Community


32 Replies

@Deleted I have exactly the same problem, might be a non-US language problem? I also run PA 4.0 on DE systems.

The reported line differs between client and server, and I am missing the effective state of all audit policies if I ignore the error message.

@FLeven and @bennn2806 : at what point does this happen? What are you doing when the error message appears?  

Compare to effective state, after the username / password I get the error.

@FLeven - I'm trying to repro but haven't been able to. I don't see "EntityName" anywhere, so I think it's something specific to your report. Can you send me a private message through here with the .PolicyRules report attached?

@Deleted 

 

It is a problem with the GPOs on the local system. I managed to run "Compare to effective state" on a non-domain-joined machine, but it will not work on a domain-joined machine in the "Computers" OU, where the Default Domain Policy is applied.

Also, it will work if I choose a simple GPO without Sec or Audit policies.

I am using the "MSFT-Win10-WS-v1809-FINAL.PolicyRules" shipped with PA 4.

 

As you can see, the effective state of the Audit Policy entries is empty, because it failed to compare them for whatever reason.

 

I did some cleanup of my local auditpols etc. but no dice.

 

report.PNG

 

EntityName.PNG

@FLeven Look in your user account's %TEMP% directory and see whether it leaves behind any temporary files. If so, what's in them?

Empty, already checked the folder and tried to grab the tmp file that will be created by PA when it starts to build the policy file, but it is only available for a second and I was not able to get a copy of it.

@FLeven 

I checked the 4 tmp files, but there is nothing special to find in them and I am not able to relate to the line mentioned in the error.

The files contain auditpol / secedit reports, a file with the two lines starting the reports and another file with some settings.

German special characters are not displayed well.

@FLeven Can you post those tmp files here, or send to me in a private message through this site?

@Deleted 

@FLeven Hmm, odd. The XML file in that set isn't complete, and none of the files have as many lines as the error message indicates it should have: the error message says the error happens on a line that's not in any of those files.

myself earlier: "I am not able to relate to the line mentioned in the error"

@Deleted 

Dear all,

 

I still have the same problem with the Policy Analyzer and I have the current version installed: v4.0.2004.13001.

Is there something planned to fix the issue?

 

Here is a small overview of what is working and what not:

<AuditSubcategory>: not working, get the error and no results

<Computerconfig>: works

<Userconfig>: works 

<SecurityTemplate>: get that error again, the registry values are getting checked but Privilege Rights are not

 

As read in the other comments I also checked the %TEMP% folder for log files to get more information but could not find any. 

 

I have Russian Windows. Policy Analyzer - current version installed: v4.0.2004.13001.

When I load the current state in Policy Analyzer or from LGPO's backup, I get an error in PolicyRulesFileBuilder.exe: "Unexpected format in Audit CSV file".

GUID {0CCE9228-69AE-11D9-BED3-505054503030} and GUID {0CCE9229-69AE-11D9-BED3-505054503030} have a comma in the subcategory column. Parsing is broken.

When I delete these GUIDs from "Audit.CSV", loading is normal.

@Tsitan - could you please send an audit.csv that triggers the problem?

auditpol.exe /backup /file:pathtofile

Thanks.

@Deleted 

For example. Lines 33 and 34.

 

@Tsitan - yeah, the file doesn't have a byte order marker and it's not clear that it's being written out correctly. Lines 33 and 34 contain one more byte that gets interpreted as a comma (0x2C) than expected. Does it work correctly if you import the file into Excel or anything else on your system?

@Deleted 

It's a comma.

Excel has shift.

@Tsitan - so the subcategory name has a comma in it when it's translated into Russian? Does it have a comma in the UI in Local Security Settings (secpol.msc)?

Thanks.
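
The failure discussed in this thread, rows of the auditpol backup whose subcategory name contains an unquoted comma, can be located and realigned by using the GUID column as an anchor. The following Python code is an added example, not part of the thread or of Policy Analyzer; the seven-column header layout and the sample rows are assumptions, and only the two GUIDs are taken from the posts above.

```python
import re

# Assumed column layout of an `auditpol /backup` CSV (not shown in the thread).
HEADER = ["Machine Name", "Policy Target", "Subcategory", "Subcategory GUID",
          "Inclusion Setting", "Exclusion Setting", "Setting Value"]
GUID_COL = HEADER.index("Subcategory GUID")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def check_audit_csv(text):
    """Split each data row on commas and use the GUID column as an anchor.

    Returns (rows, findings): rows are 7-field lists, with a subcategory name
    that was split by its own comma joined back together; findings are
    (line_number, message) tuples for every row that was not 7 fields wide.
    """
    rows, findings = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line_no == 1 or not line.strip():
            continue  # header or blank line
        fields = line.split(",")
        if len(fields) == len(HEADER):
            rows.append(fields)
            continue
        guid_at = [i for i, f in enumerate(fields) if GUID_RE.fullmatch(f.strip())]
        extra = guid_at[0] - GUID_COL if len(guid_at) == 1 else -1
        if extra > 0 and len(fields) - extra == len(HEADER):
            name = ",".join(fields[2:guid_at[0]])
            rows.append(fields[:2] + [name] + fields[guid_at[0]:])
            findings.append((line_no, f"{extra} unquoted comma(s) in subcategory name"))
        else:
            findings.append((line_no, f"{len(fields)} fields, cannot realign"))
    return rows, findings

# Constructed sample: the two GUIDs come from the thread, every other value is made up.
SAMPLE = "\n".join([
    ",".join(HEADER),
    "HOST1,System,Constructed name,{00000000-0000-0000-0000-000000000001},Success,,1",
    "HOST1,System,Constructed, name one,{0CCE9228-69AE-11D9-BED3-505054503030},No Auditing,,0",
    "HOST1,System,Constructed, name two,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0",
    "HOST1,System,truncated row",
])

if __name__ == "__main__":
    rows, findings = check_audit_csv(SAMPLE)
    for line_no, message in findings:
        print(f"line {line_no}: {message}")
    print(f"{len(rows)} rows usable")
```

A row that is exactly seven fields wide is accepted without further checks, so this only catches rows whose field count is off.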