search

microsoft / BaselineManagement

Conversion tool used to Convert Group Policy baselines into DSC
MIT License
266 stars 52 forks source link

Trying to convert Microsoft Compliance toolkit 2019 GPO #62

Open bodysoda opened 3 years ago

bodysoda commented 3 years ago

I'm getting the following error when I'm tying to convert the GPO to DCS from gpo backed folders. These GPO are out of the box plus the GPO imported from Microsoft Compliance toolkit. Any help are appreciated. 

VERBOSE: DSCFromGPO -OutputPath 'C:\ALLibraries\ConvertedGPOtoDSC'
VERBOSE: Output configuration script to C:\ALLibraries\ConvertedGPOtoDSC\DSCFromGPO.ps1
VERBOSE: Populating RepositorySourceLocation property for module GPRegistryPolicyDsc.
VERBOSE: Populating RepositorySourceLocation property for module AuditPolicyDsc.
VERBOSE: Populating RepositorySourceLocation property for module SecurityPolicyDsc.
Write-NodeMOFFile : Invalid MOF definition for node 'localhost': Exception calling "ValidateInstanceText" with "1"
argument(s): "Convert property 'Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM' value from type
'STRING[]' to type 'INSTANCE[]' failed
 At line:2476, char:2
 Buffer:
ame = "DSCFromGPO";
};^
insta
"
At
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2369
char:21
+ ...             Write-NodeMOFFile $Name $mofNode $Script:NodeInstanceAlia ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile
Compilation errors occurred while processing configuration 'DSCFromGPO'. Please review the errors reported in error
stream and modify your configuration code appropriately.
At
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917
char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (DSCFromGPO:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration
mzarglis commented 2 years ago

Seeing the same issue with the Microsoft Compliance toolkit win10 1909

Did you happen to find a solution / workaround?

Edit:

Removing MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM

Allows the conversion to succeed

FLeven commented 2 years ago

Still the same with Windows 11 Baselines, I also deleted "MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)"" from "Windows11-Security-Baseline-FINAL\GPOs{9FE25A81-CB6B-4F76-B9D2-147E9BED9A06}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"