microsoft / BaselineManagement

Conversion tool used to Convert Group Policy baselines into DSC
MIT License

RegistryPolicyFile values created by ConvertFrom-GPO break GPO processing #64

Open AndrevdG opened 2 years ago

AndrevdG commented 2 years ago

When converting a group policy to DSC, registry values are converted to 'RegistryPolicyFile' values, like for instance:

RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

After the mof file is created and applied, group policy fails with a registry error: The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Sadly the event log does not seem to indicate any usable information as to what the issue was, but after enabling debug logging for group policy I found the following error(s) in the debug log:

GPSVC(5b8.fb8) 12:12:32:689 AddPolicyPermissionOnKey: Setting permission on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetPolicyOwnerOnKey: Setting owner on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 AddPolicyPermissionOnKey: Setting permission on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetPolicyOwnerOnKey: Setting owner on reg key on <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI>.
GPSVC(5b8.fb8) 12:12:32:689 SetRegistryValue: Failed to open key <HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI> with 87
GPSVC(5b8.fb8) 12:12:32:689 ParseRegistryFile: Callback function returned false.

In the same log I also noticed that other registry paths are displayed differently, for instance:

GPSVC(5b8.fb8) 12:12:32:678 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\Microsoft\Windows\CurrentVersion\Policies>.

Based on this I suspected that, considering the registry.pol file the settings are added to by 'RegistryPolicyFile' are already aimed at Machine or User level, only the subpath is contained within the file.

If I manually change the exported register files to omit 'HKLM:\' from the 'Key' value then the resulting mof file seems to apply correctly. So:

RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

does work: policy processing runs without error and an error is no longer logged in the debug logging (and more importantly, the registry key/value is created).
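
The manual edit described in this post, as an added example that is not part of the original issue or of BaselineManagement: a PowerShell helper that strips the hive prefix from the Key property of RegistryPolicyFile blocks in a generated configuration script. The name Remove-PolicyKeyHive, the file paths in the comments and the handling of 'HKCU:\' are assumptions; the post only reports testing 'HKLM:\'.

```powershell
# Added example (not BaselineManagement code). Remove-PolicyKeyHive is a
# hypothetical helper name; the sample below is constructed from the post.
function Remove-PolicyKeyHive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]] $Line
    )

    $inBlock = $false
    foreach ($text in $Line) {
        if ($text -match '^\s*RegistryPolicyFile\s') { $inBlock = $true }

        # Rewrite only the Key property inside a RegistryPolicyFile block. The
        # resource title keeps its prefix, as in the corrected block in the post.
        # HKCU:\ is handled by assumption; the post only tested HKLM:\.
        if ($inBlock -and $text -match '^(\s*Key\s*=\s*[''"])(HKLM|HKCU):\\(.*)$') {
            $text = $Matches[1] + $Matches[3]
        }

        if ($inBlock -and $text -match '^\s*\}') { $inBlock = $false }
        $text
    }
}

# Constructed sample: the resource block quoted in the issue.
$sample = @'
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}
'@ -split '\r?\n'

Remove-PolicyKeyHive -Line $sample

# For a generated script (paths are placeholders):
# Remove-PolicyKeyHive -Line (Get-Content .\Generated.ps1) |
#     Set-Content .\Generated.fixed.ps1
```

The helper only edits the configuration script, so the mof has to be recompiled from the corrected script before it is applied.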

avijayanand-star commented 2 years ago

I had this same issue now, and I did what AndrevdG had done, by removing the hive short notation HKLM: from the Key value, and I expect the

RefreshRegistryPolicy 'ActivateClientSideExtension'
{
  IsSingleInstance = 'Yes'
}

block should automatically call the gpupdate to refresh the registry.pol file but that did not happen. I had to manually run gpupdate /force and the settings/changes happened and saw the result.

Only gpupdate /force is creating the registry key and setting the value, but not gpupdate alone. I guess gpupdate /force overwrites existing values irrespective of the same policy being applied earlier or not. RefreshRegistryPolicy needs to be updated to invoke gpupdate /force.

rahul8062 commented 2 years ago

Hi Andrew/Vijay,

I have configured local group policy, exported them locally on the server using the LGPO command and converted to DSC using the command "ConvertFrom-GPO -Path '.\Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline\GPOs\' -OutputConfigurationScript"

The command gets executed with the following error and I see a PS1 file created locally that contains policies with "RegistryPolicyFile 'Registry(POL): "

Error:

Write-DSCString : The Write-DSCString command was called but the parameters block is missing a property name

At C:\Program Files\WindowsPowerShell\Modules\BaselineManagement\4.1.1\Parsers\GPO\Registry.ps1:360 char:5

When I try to run the same below listed policy on a different standalone server, I get to see an error "RegistryPolicyFile : The term 'egistryPolicyFile' is not recognized ". Could you please suggest how I can fix this and run on a single new server?

Policy :

RegistryPolicyFile 'Registry(POL): HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators'
{
  Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI'
  ValueData = 0
  TargetType = 'ComputerConfiguration'
  ValueType = 'Dword'
  ValueName = 'EnumerateAdministrators'
}

Error :

RegistryPolicyFile : The term 'egistryPolicyFile' is not recognized as the name of a cmdlet, function, script file, or operable

program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At line:1 char:1

Appreciate any leads. Thank you.

AndrevdG commented 2 years ago

@rahul8062 I think you would be best off creating a new issue/question related to your problem as, as far as I can see, it is not related to the original post.

That being said, based on the information provided the thing that stands out to me is your error message:

RegistryPolicyFile : The term 'egistryPolicyFile' is not recognized as the name of a cmdlet, function, script file, or operable program.

My guess is that either you made a spelling error (forgetting the 'R' somewhere) or potentially you copy/pasted the contents from somewhere and there is some control character embedded. In that case I would suggest copying the content of the file to notepad and checking if there are no extraneous characters. Other than that I am not sure what is happening for you.

CDIJLR commented 2 years ago

I am experiencing the same issue as AndrevdG and avijayanand-star. Applying the generated DSC configuration as is breaks group policy. If I remove the hive notation from the "Key =" sections of the localhost.mof, the DSC applies without issue.

Was any cause/solution to this situation determined?