Microsoft Tech Community

Policy Analyzer showing incorrect values


Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But, the GPO backup seems to be displaying the wrong values in Policy Analyzer.

[Screenshot: gpos.PNG]

As seen in this picture on the left, the policy settings RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy is setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1.


I have tried three times now to back up and re-import the GPO into Policy Analyzer, but the values are still appearing incorrectly. These are not the only values that this is happening to. I noticed some of the values are grayed out when they actually have been set.


12 Replies
In that Policy Analyzer window, enable Options \ Show GPO names and files in Details pane.
That will tell you exactly what files contain the settings being displayed. Find the GptTmpl.inf files corresponding to the settings that appear to be wrong.

@AaronMargosis_Tanium 

I found the GptTmpl.inf for those two policy settings and it displays this -

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0


What am I supposed to do with this information?

@d_irving Well, it's showing that Policy Analyzer is correctly rendering the GPOs you backed up.
The syntax for the [Registry Values] part of the security template is:
key\valuename=type,data

type 4 is REG_DWORD, and it's set to 0, which is what Policy Analyzer is reporting.


Are you certain that the GPOs you're backing up and importing into Policy Analyzer are the same ones that you're looking at on the right-hand side of the screenshot you posted?
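To make the key\valuename=type,data syntax concrete, here is an added example (not from this thread and not Policy Analyzer's own code) that parses the [Registry Values] section of a GptTmpl.inf and reports where a backed-up template disagrees with a second one. The two inline templates are constructed from the values discussed in this thread; a real file would be read from disk instead.

```python
from typing import Dict, Tuple

# Registry value type codes used in the [Registry Values] section of a security template.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample: what the GPO backup's GptTmpl.inf showed in this thread.
BACKUP_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

# Constructed sample: the values the GPO editor displayed for the same settings.
EDITOR_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""


def parse_registry_values(template_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {registry path: (type name, data)} from the [Registry Values] section.

    On disk GptTmpl.inf is normally UTF-16 encoded, so read it with
    open(path, encoding="utf-16") before passing the text here.
    """
    values: Dict[str, Tuple[str, str]] = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        path, rhs = line.split("=", 1)
        type_code, _, data = rhs.partition(",")  # REG_MULTI_SZ data may itself contain commas
        type_name = REG_TYPES.get(int(type_code), f"type {type_code}")
        values[path.strip()] = (type_name, data.strip())
    return values


def diff_templates(a: Dict[str, Tuple[str, str]], b: Dict[str, Tuple[str, str]]):
    """Paths whose (type, data) differ between two parsed templates, or exist in only one."""
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}


if __name__ == "__main__":
    for path, (backup, editor) in diff_templates(parse_registry_values(BACKUP_INF), parse_registry_values(EDITOR_INF)).items():
        print(f"{path}: backup={backup} editor={editor}")
```

Running it prints only the two Lsa settings from the thread; the setting that matches in both templates is not reported.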

Yes, I backed up all the GPOs and put them into Policy Analyzer.

The policy analyzer shows the setting is from the Default Domain Policy, but the Default Domain Policy is shown on the right with different settings.
The discrepancy is between the GPO backup and the GPO you're displaying. Policy Analyzer is interpreting the backup correctly.
So the question is, why is the GPO backup wrong?
Perhaps start over and double-check the entire process:
1. Are you sure you're backing up the correct GPO(s)?
2. Are you sure you're importing the correct backup(s) into Policy Analyzer, and no other backups?
Okay, I started over. I'll explain step by step what I did.

Right clicked on Group Policy Objects in Group Policy Management > Back Up All
All GPOs successfully backed up

Copied the GPOs to a network folder and then to my device

Opened up Policy Analyzer > Add and then File > Add files from GPO(s)

Then clicked Import to save the .policyrules

Afterwards I selected that policy along with the MSFT baseline and clicked view/compare.
I'm still getting the exact same results

@d_irving : I don't have an answer. But one thing I noticed from your original screenshot is that you seem to have two GPOs called "Default Domain Policy." 

[Screenshot: Untitled.png]

Huh, I'm not sure why it says that. I went and looked in the Group Policy Objects, there is only one Default Domain Policy. I appreciate your help.

You might have imported multiple copies of the backups, or imported it multiple times.

Nope, I've done this four different times now and have not made copies or imported it multiple times.