Aug 08 2022 11:13 AM
Today I created a backup of my group policy objects and compared them to Microsoft's baselines. But, the GPO backup seems to be displaying the wrong values in Policy Analyzer.
As seen in this picture on the left, the Policy Setting RestrictAnonymous and RestrictAnonymousSam are set to 0 according to my GPO backup. Both of these say the Default Domain Policy is setting them to 0. But when I open up the Default Domain Policy on the right, you can see that these values are both set to 1.
I have tried three times now to back up and re-import the GPO into the Policy Analyzer, but the values are still appearing incorrectly. These are not the only values that this is happening to. I noticed some of the values are grayed out, when they actually have been set.
Aug 09 2022 04:41 AM
I found the GptTmpl.inf for those two policy settings and it displays this -
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
What am I supposed to do with this information?
Aug 09 2022 06:41 AM
@d_irving Well, it's showing that Policy Analyzer is correctly rendering the GPOs you backed up.
The syntax for the [Registry Values] part of the security template is:
key\valuename=type,data
Type 4 is REG_DWORD, and it's set to 0, which is what Policy Analyzer is reporting.
Are you certain that the GPOs you're backing up and importing into Policy Analyzer are the same ones that you're looking at on the right-hand side of the screenshot you posted?
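The `key\valuename=type,data` syntax described in this reply, as an added example that is not part of the original thread: Python code that parses the [Registry Values] section of a GptTmpl.inf and reports settings whose values differ between GPO backups. The sample templates, the backup labels and the function names are constructed for illustration, and UTF-16 with a BOM is assumed for the file on disk.

```python
import re

# Registry value type numbers used in the "type" field of key\valuename=type,data.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

def decode_inf(raw: bytes) -> str:
    """Decode template bytes: UTF-16 when a BOM is present (assumption), else UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_registry_values(text: str) -> dict:
    """Return {key\\valuename: (type_name, data)} from the [Registry Values] section."""
    settings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = re.match(r"^(.+?)=(\d+),(.*)$", line) if in_section else None
        if not m:
            continue  # other section, or not key\valuename=type,data
        type_num, data = int(m.group(2)), m.group(3).strip()
        if type_num == 4 and data.isdigit():
            data = int(data)  # REG_DWORD data is a decimal number
        name = REG_TYPES.get(type_num, f"UNKNOWN({type_num})")
        settings[m.group(1).strip()] = (name, data)
    return settings

def conflicts(backups: dict) -> dict:
    """Given {backup_label: settings}, return the settings whose value differs."""
    seen = {}
    for label, settings in backups.items():
        for path, value in settings.items():
            seen.setdefault(path, {})[label] = value
    return {p: v for p, v in seen.items() if len(set(v.values())) > 1}

# Constructed samples: the two lines quoted in the thread, and a copy set to 1.
SAMPLE_A = ("[Unicode]\r\nUnicode=yes\r\n[Registry Values]\r\n"
            + LSA + "RestrictAnonymous=4,0\r\n"
            + LSA + "RestrictAnonymousSAM=4,0\r\n").encode("utf-16")
SAMPLE_B = decode_inf(SAMPLE_A).replace("=4,0", "=4,1").encode("utf-8")

if __name__ == "__main__":
    parsed = {"backup-A": parse_registry_values(decode_inf(SAMPLE_A)),
              "backup-B": parse_registry_values(decode_inf(SAMPLE_B))}
    for path, values in conflicts(parsed).items():
        print(path, values)
```

Running the same comparison over every backup folder that was imported shows which copy of a GPO contributes each value.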
Aug 09 2022 08:25 AM
@d_irving : I don't have an answer. But one thing I noticed from your original screenshot is that you seem to have two GPOs called "Default Domain Policy."
Aug 09 2022 10:50 AM - edited Aug 09 2022 10:51 AM
You might have imported multiple copies of the backups, or imported it multiple times.