Open danjoneslf opened 3 years ago
I've found an error applying the GPO.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={017B1AD8-98EF-4D63-B4E3-62E8242D5B10},cn=policies,cn=system,DC=cdio-windows-sandbox-staging,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
User Policy update has completed successfully.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Unfortunately the GPRESULT /H GPReport.html fails saying the parameters are invalid, and the help for GPRESULT uses exactly those params as its example!
The GPO backups are full of non-printable null characters. I might try removing those. I guess the next plan is to try to create and backup a GPO manually.
Notes for Monday:
Check if there's anything I've not tried on here: http://tutorial.programming4.us/windows_7/forwarding-events-(part-2)---how-to-troubleshoot-event-forwarding---how-to-configure-event-forwarding-in-workgroup-environments.aspx
To note:
wecutil gr 'DNS Client'
shows that subscription is active and has not errored.
wevtutil get-log security
shows that it is enabled, and does contain the SID for Event Log Viewers, so no issues there.

Plan is to pause this and pick it up later. We can still get the pipeline working validating that events are arriving from the WEC in the first instance and then iterate to improve it maybe when Ollie's back or maybe with some help from Krish. I've already tapped up Mo for how they setup the one in Defence. It's slightly different because they didn't do it in code and are using Windows Server 2019 - We're using Windows Server 2016 to match the current Official IT Platform.
Time booked with Ollie to debug this on Friday afternoon
Currently we are only getting logs into Splunk from the WEC instance. We're not getting any events from the DC.
- wecutil gr security
- Test-NetConnection WSWEC01.cdio-windows-sandbox-staging.com -port 5985
- gpupdate /force (failed)
- Restart-Computer -Force (failed)
- eventcreate /t error /id 100 /l application /d "Custom event in application log"
- winlogon.log (doesn't exist)
- dcgpofix /ignoreschema (failed)
- GPRESULT /H GPReport.html with GPRESULT /x GPReport.xml (produces output but with no errors)
- gpresult /r says it's applied
- evt_dns_name in inputs.conf to the domain (failed)
- winrm set winrm/config/client '@{TrustedHosts="WSWEC01"}' (failed)
- Invoke-Command -ComputerName WSWEC01.$env:DOMAIN -ScriptBlock {1} (passed)
- Add-ADGroupMember -Identity "Event Log Readers" -Members wecserver (failed)
- turning it off and on again (x1000) (failed)
- netsh http show urlacl
- New-NetFirewallRule -DisplayName "Allow TCP RPC local subnet" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 135,137,139 -RemoteAddress LocalSubnet (failed)
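The checks scattered through the thread (WinRM reachability to the collector, the registry-based SubscriptionManager policy the failing GPO is supposed to write, the Security channel ACL, the source-side forwarding log, and the subscription runtime status on the collector) can be run as one diagnostic from the event source. The script below is an added example written for this page; it is not from the issue or from any project the issue refers to. It assumes the collector FQDN and the subscription name "security" (taken from the `wecutil gr security` line above) as parameter defaults, that the ActiveDirectory module is not required, and that the caller has rights to run `Invoke-Command` against the collector (the thread reports that this works). The SIDs it looks for are the well-known BUILTIN\Event Log Readers (S-1-5-32-573) and NT AUTHORITY\NETWORK SERVICE (S-1-5-20, which the WinRM service runs as and which needs read access to the Security log for forwarding to work).

```powershell
# Test-WefSource.ps1 (hypothetical name). Run elevated on the event source (e.g. the DC).
param(
    [string]$Collector = "WSWEC01.cdio-windows-sandbox-staging.com",  # assumed default
    [string]$SubscriptionName = "security"                             # assumed from 'wecutil gr security'
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { "PASS" } else { "FAIL" }
    "[{0}] {1}: {2}" -f $tag, $Name, $Detail
}

# 1. Source-initiated forwarding pushes to the collector over WinRM (HTTP 5985 unless HTTPS is configured).
$tnc = Test-NetConnection -ComputerName $Collector -Port 5985 -WarningAction SilentlyContinue
Write-Check "Collector WinRM port 5985 reachable" $tnc.TcpTestSucceeded ("remote {0}" -f $tnc.RemoteAddress)

# 2. The registry-based policy the GPO should have applied: one string value per collector,
#    named "1", "2", ... under SubscriptionManager. If the GPO failed to apply, this key is absent.
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$sm = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$smValues = @()
if ($sm) { $smValues = @($sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }) }
Write-Check "SubscriptionManager policy present" ($smValues.Count -gt 0) ($smValues -join "; ")

# 3. Security channel ACL: the forwarding plugin runs as NETWORK SERVICE; it needs read on the
#    Security log either directly (NS / S-1-5-20) or via Event Log Readers (S-1-5-32-573).
$gl = wevtutil gl Security
$sddl = (($gl | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', '')
$hasReader = $sddl -match 'S-1-5-32-573|S-1-5-20|;NS\)'
Write-Check "Security channelAccess grants Event Log Readers or NETWORK SERVICE" $hasReader $sddl

# 4. Source-side forwarding log: subscription pull failures, auth errors and ACL denials land here.
$fwd = @(Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue)
$fwdErrors = @($fwd | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' })
$fwdDetail = if ($fwdErrors.Count -eq 0) { "no recent errors ({0} events read)" -f $fwd.Count }
             else { ($fwdErrors | Select-Object -First 3 | ForEach-Object { "{0}: {1}" -f $_.Id, ($_.Message -split "`n")[0] }) -join ' | ' }
Write-Check "No errors in Microsoft-Windows-Forwarding/Operational" ($fwdErrors.Count -eq 0) $fwdDetail

# 5. Collector side, over the same Invoke-Command path the thread already verified:
#    does the subscription list this source, with LastError 0, and has anything reached ForwardedEvents?
$remote = Invoke-Command -ComputerName $Collector -ErrorAction SilentlyContinue -ArgumentList $SubscriptionName -ScriptBlock {
    param($sub)
    [pscustomobject]@{
        Runtime   = (& wecutil gr $sub 2>&1 | Out-String)
        Newest    = (Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue)
    }
}
if ($remote) {
    $listed   = $remote.Runtime -match [regex]::Escape($env:COMPUTERNAME)
    $noErrors = -not ($remote.Runtime -match 'LastError:\s*[1-9]')
    Write-Check "Collector lists this source in subscription '$SubscriptionName'" $listed ($remote.Runtime.Trim())
    Write-Check "Collector reports LastError 0 for all sources" $noErrors ""
    $newestText = if ($remote.Newest) { "newest forwarded event at {0}" -f $remote.Newest.TimeCreated } else { "ForwardedEvents is empty" }
    Write-Check "ForwardedEvents has received events" ([bool]$remote.Newest) $newestText
} else {
    Write-Check "Invoke-Command to collector" $false "remote session failed; check WinRM/TrustedHosts on this host"
}
```

Read the output top down: a FAIL on check 2 with a PASS on check 1 means the source never learned where to push (the GPO, not the network, is the problem), which matches the registry-based policy error quoted at the top of the thread; a PASS on checks 1 to 3 with errors in check 4 usually narrows it to authentication or the channel ACL on the source.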