none
LGPO.EXE v2.2 is not importing Advanced Audit Policies into Windows 10. RRS feed

  • Question

  • I have successfully used LGPO.EXE v1.0 to import policies in the past with Windows 7. I have always used the following command to export policies for implementation on other systems:

    C:\Policies\LPGO.EXE /b C:\Policies /n Standalone

    I would then copy the "Policies" directory to a new PC and use the following command to import the policies :

    C:\Policies\LPGO.EXE /g C:\Policies /v

    When I was using LGPO.EXE v1.0 and Windows 7, the advanced audit policies would apply. Now with v2.2 and Windows 10 they do not apply. Why are the advanced audit policies not applying? 

    Tuesday, July 25, 2017 8:39 PM

All replies

  • Hi Money,

    What's your output?

    Based on my test on Windows 10 1703 (build 15063.483) lab machines using your command, it works fine as below:

    You can see the audit policy is applied fine.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, July 26, 2017 3:16 AM
    Moderator
  • Hi Money,

    What's your output?

    Based on my test on Windows 10 1703 (build 15063.483) lab machines using your command, it works fine as below:

    You can see the audit policy is applied fine.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    I ran the following batch file (.cmd) on a test machine that already has the advanced audit policies applied:

    @Echo .
    @Echo ------  Applying Standalone Local Group Policy  -----
    @Echo .
    
    C:
    CD \!Policy\LGPO
    LGPO.exe /g .\ /v 
    Pause
    

    This is the output:

    .
    ------  Applying Standalone Local Group Policy  -----
    .
    
    C:\Windows\system32>C:
    
    C:\Windows\system32>CD \!Policy\LGPO
    
    C:\!Policy\LGPO>LGPO.exe /g .\ /v
    LGPO.exe v2.2 - Local Group Policy Object utility
    
    Audit policy directory exists
    Copied .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    to C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
    Clearing existing audit policy
    C:\Windows\system32\auditpol.exe /clear /y
    
    The command was successfully executed.
    
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------
    Apply Audit policy from .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    C:\Windows\system32\auditpol.exe /restore /file:".\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
    
    The command was successfully executed.
    
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------
    Apply security template: .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
    ----------------------------------------------------------------------
    PROCESSING SECURITY TEMPLATE:  .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
    
    C:\Windows\system32\secedit.exe /configure /db "C:\Users\Admin\AppData\Local\Temp\GPT4C99.tmp" /cfg ".\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" /log "C:\Users\Admin\AppData\Local\Temp\GPT4C9A.tmp" /overwrite /quiet
    
    
    [[[ Security template log file output follows:  C:\Users\Admin\AppData\Local\Temp\GPT4C9A.tmp ]]]
    Completed 1 percent (0/63)      Process Privilege Rights area
    Completed 3 percent (1/63)      Process Privilege Rights area
    Completed 4 percent (2/63)      Process Privilege Rights area
    Completed 6 percent (3/63)      Process Privilege Rights area
    Completed 7 percent (4/63)      Process Privilege Rights area
    Completed 9 percent (5/63)      Process Privilege Rights area
    Completed 11 percent (6/63)     Process Privilege Rights area
    Completed 12 percent (7/63)     Process Privilege Rights area
    Completed 14 percent (8/63)     Process Privilege Rights area
    Completed 15 percent (9/63)     Process Privilege Rights area
    Completed 17 percent (10/63)    Process Privilege Rights area
    Completed 19 percent (11/63)    Process Privilege Rights area
    Completed 20 percent (12/63)    Process Privilege Rights area
    Completed 22 percent (13/63)    Process Privilege Rights area
    Completed 25 percent (15/63)    Process Privilege Rights area
    Completed 25 percent (15/63)    Process Group Membership area
    Completed 49 percent (30/63)    Process Group Membership area
    Completed 49 percent (30/63)    Process Registry Keys area
    Completed 49 percent (30/63)    Process File Security area
    Completed 49 percent (30/63)    Process Services area
    Completed 65 percent (40/63)    Process Services area
    Completed 73 percent (45/63)    Process Services area
    Completed 73 percent (45/63)    Process Security Policy area
    Completed 77 percent (48/63)    Process Security Policy area
    Completed 84 percent (52/63)    Process Security Policy area
    Completed 88 percent (55/63)    Process Security Policy area
    Completed 93 percent (58/63)    Process Security Policy area
    Completed 100 percent (63/63)   Process Security Policy area
    
    
    The task has completed successfully.
    
    SECEDIT.EXE exited with exit code 0
    ----------------------------------------------------------------------
    Import Machine settings from registry.pol: .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\registry.pol
    ; ----------------------------------------------------------------------
    ; PROCESSING Computer POLICY
    ; Source file:  .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\Machine\registry.pol
    
    Computer
    Software\Classes\batfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\cmdfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\exefile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\mscfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Microsoft\wcmsvc\wifinetworkmanager\config
    AutoConnectAllowedOEM
    DWORD:0
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\CredUI
    EnumerateAdministrators
    DWORD:0
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoAutorun
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
    DWORD:255
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoStartBanner
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoWebServices
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableAutomaticRestartSignOn
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System
    MSAOptional
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
    ProcessCreationIncludeCmdLine_Enabled
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Biometrics\FacialFeatures
    EnhancedAntiSpoofing
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    DeepHooks
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    AntiDetours
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    BannedFunctions
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    ExploitAction
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\Internet Explorer\Feeds
    DisableEnclosureDownload
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\PassportForWork\PINComplexity
    MinimumPINLength
    DWORD:6
    
    Computer
    Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
    DCSettingIndex
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
    ACSettingIndex
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\AppCompat
    DisableInventory
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\CloudContent
    DisableWindowsConsumerFeatures
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\DataCollection
    AllowTelemetry
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\DeliveryOptimization
    DODownloadMode
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\Application
    MaxSize
    DWORD:32768
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\Security
    MaxSize
    DWORD:196608
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\System
    MaxSize
    DWORD:32768
    
    Computer
    Software\Policies\Microsoft\Windows\Explorer
    NoAutoplayfornonVolume
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
    NoBackgroundPolicy
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
    NoGPOListChanges
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Installer
    EnableUserControl
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\LanmanWorkstation
    AllowInsecureGuestAuth
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Network Connections
    NC_ShowSharedAccessUI
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\OneDrive
    DisableFileSyncNGSC
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Personalization
    NoLockScreenSlideshow
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    EnableScriptBlockLogging
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    EnableScriptBlockInvocationLogging
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows\System
    DontDisplayNetworkSelectionUI
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\System
    AllowDomainPINLogon
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\System
    EnableSmartScreen
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy
    fBlockNonDomain
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Windows Search
    AllowIndexingEncryptedStoresOrItems
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowBasic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowUnencryptedTraffic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowDigest
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    AllowBasic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    AllowUnencryptedTraffic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    DisableRunAs
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\MitigationOptions
    MitigationOptions_FontBocking
    SZ:1000000000000
    
    Computer
    Software\Policies\Microsoft\Windows NT\Printers
    DisableWebPnPDownload
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Printers
    DisableHTTPPrinting
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Rpc
    RestrictRemoteClients
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fAllowToGetHelp
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fAllowFullControl
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MaxTicketExpiry
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MaxTicketExpiryUnits
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fUseMailto
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    DisablePasswordSaving
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fDisableCdm
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fPromptForPassword
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fEncryptRPCTraffic
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MinEncryptionLevel
    DWORD:3
    
    Computer
    System\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential
    DWORD:0
    
    Computer
    System\CurrentControlSet\Services\Netbt\Parameters
    NoNameReleaseOnDemand
    DWORD:1
    
    Computer
    System\CurrentControlSet\Services\Tcpip\Parameters
    DisableIPSourceRouting
    DWORD:2
    
    Computer
    System\CurrentControlSet\Services\Tcpip\Parameters
    EnableICMPRedirect
    DWORD:0
    
    Computer
    System\CurrentControlSet\Services\Tcpip6\Parameters
    DisableIPSourceRouting
    DWORD:2
    
    ; Computer POLICY SAVED.
    ; ----------------------------------------------------------------------
    
    Import User settings from registry.pol: .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\User\registry.pol
    ; ----------------------------------------------------------------------
    ; PROCESSING User POLICY
    ; Source file:  .\{08AEFA7D-51D4-45DF-B17F-97A1575455B8}\DomainSysvol\GPO\User\registry.pol
    
    ; User POLICY SAVED.
    ; ----------------------------------------------------------------------
    
    Audit policy directory exists
    Copied .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    to C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
    Clearing existing audit policy
    C:\Windows\system32\auditpol.exe /clear /y
    
    The command was successfully executed.
    
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------
    Apply Audit policy from .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
    C:\Windows\system32\auditpol.exe /restore /file:".\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
    
    Error 0x0000000D occurred:
    The data is invalid.
    
    
    AUDITPOL.EXE exited with exit code 13
    ----------------------------------------------------------------------
    Import Machine settings from registry.pol: .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\Machine\registry.pol
    ; ----------------------------------------------------------------------
    ; PROCESSING Computer POLICY
    ; Source file:  .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\Machine\registry.pol
    
    Computer
    Software\Classes\batfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\cmdfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\exefile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Classes\mscfile\shell\runasuser
    SuppressionPolicy
    DWORD:4096
    
    Computer
    Software\Microsoft\wcmsvc\wifinetworkmanager\config
    AutoConnectAllowedOEM
    DWORD:0
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\CredUI
    EnumerateAdministrators
    DWORD:0
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoAutorun
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
    DWORD:255
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoStartBanner
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoWebServices
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableAutomaticRestartSignOn
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System
    MSAOptional
    DWORD:1
    
    Computer
    Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
    ProcessCreationIncludeCmdLine_Enabled
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Biometrics\FacialFeatures
    EnhancedAntiSpoofing
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    DeepHooks
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    AntiDetours
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    BannedFunctions
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\EMET\SysSettings
    ExploitAction
    DWORD:2
    
    Computer
    Software\Policies\Microsoft\Internet Explorer\Feeds
    DisableEnclosureDownload
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\PassportForWork\PINComplexity
    MinimumPINLength
    DWORD:6
    
    Computer
    Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
    DCSettingIndex
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
    ACSettingIndex
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\AppCompat
    DisableInventory
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\CloudContent
    DisableWindowsConsumerFeatures
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\DataCollection
    AllowTelemetry
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\DeliveryOptimization
    DODownloadMode
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\Application
    MaxSize
    DWORD:32768
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\Security
    MaxSize
    DWORD:196608
    
    Computer
    Software\Policies\Microsoft\Windows\EventLog\System
    MaxSize
    DWORD:32768
    
    Computer
    Software\Policies\Microsoft\Windows\Explorer
    NoAutoplayfornonVolume
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
    NoBackgroundPolicy
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
    NoGPOListChanges
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Installer
    EnableUserControl
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\LanmanWorkstation
    AllowInsecureGuestAuth
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\Network Connections
    NC_ShowSharedAccessUI
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\OneDrive
    DisableFileSyncNGSC
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Personalization
    NoLockScreenSlideshow
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    EnableScriptBlockLogging
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    EnableScriptBlockInvocationLogging
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows\System
    DontDisplayNetworkSelectionUI
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\System
    AllowDomainPINLogon
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\System
    EnableSmartScreen
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy
    fBlockNonDomain
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows\Windows Search
    AllowIndexingEncryptedStoresOrItems
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowBasic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowUnencryptedTraffic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Client
    AllowDigest
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    AllowBasic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    AllowUnencryptedTraffic
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows\WinRM\Service
    DisableRunAs
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\MitigationOptions
    MitigationOptions_FontBocking
    SZ:1000000000000
    
    Computer
    Software\Policies\Microsoft\Windows NT\Printers
    DisableWebPnPDownload
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Printers
    DisableHTTPPrinting
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Rpc
    RestrictRemoteClients
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fAllowToGetHelp
    DWORD:0
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fAllowFullControl
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MaxTicketExpiry
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MaxTicketExpiryUnits
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fUseMailto
    DELETE
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    DisablePasswordSaving
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fDisableCdm
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fPromptForPassword
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    fEncryptRPCTraffic
    DWORD:1
    
    Computer
    Software\Policies\Microsoft\Windows NT\Terminal Services
    MinEncryptionLevel
    DWORD:3
    
    Computer
    System\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential
    DWORD:0
    
    Computer
    System\CurrentControlSet\Services\Netbt\Parameters
    NoNameReleaseOnDemand
    DWORD:1
    
    Computer
    System\CurrentControlSet\Services\Tcpip\Parameters
    DisableIPSourceRouting
    DWORD:2
    
    Computer
    System\CurrentControlSet\Services\Tcpip\Parameters
    EnableICMPRedirect
    DWORD:0
    
    Computer
    System\CurrentControlSet\Services\Tcpip6\Parameters
    DisableIPSourceRouting
    DWORD:2
    
    ; Computer POLICY SAVED.
    ; ----------------------------------------------------------------------
    
    Import User settings from registry.pol: .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\User\registry.pol
    ; ----------------------------------------------------------------------
    ; PROCESSING User POLICY
    ; Source file:  .\{37220A3A-1426-4DF5-92FB-81225D95DCEB}\DomainSysvol\GPO\User\registry.pol
    
    ; User POLICY SAVED.
    ; ----------------------------------------------------------------------
    
    
    C:\!Policy\LGPO>Pause
    Press any key to continue . . .

    I am going to run the same batch file on a clean PC and see if there is any difference, and then I will post the results.

    The version of Windows that I am using is Windows 10 Enterprise 2016 LTSB (ver 10.0.14393).

    Wednesday, July 26, 2017 4:11 PM
  • I applied the policies to a clean PC and used Beyond Compare to check the differences between the two output files.  There were only three lines that were different.  One that said "Created directory for audit policy" instead of "Audit policy directory exists".  The other two referenced a temp file with a random name in "C:\Users\Admin\Local\Temp".  So essentially there is no difference in the output.
    Wednesday, July 26, 2017 5:01 PM
  • Today I tried another test.  I manually applied one of the advanced audit policies.  I then ran my batch file to apply the policies.  All of the policies, except the advanced audit policies got applied.  The one policy that I manually applied got removed.  Interesting.
    Thursday, July 27, 2017 9:05 PM
  • Hi money,

    What if you only apply the audit policy via running command:

    LGPO.exe /a path autit.csv

    or

    LGPO.exe /ac path audit.csv

    Note: /ac to clear policy first.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 28, 2017 9:31 AM
    Moderator
  • Hi money,

    What if you only apply the audit policy via running command:

    LGPO.exe /a path autit.csv

    or

    LGPO.exe /ac path audit.csv

    Note: /ac to clear policy first.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thanks for the input.  This helped me find a solution, but it still leaves some questions as to why this problem happened in the first place.  When I backed up the original policies, LGPO created two directories ({08AEFA7D-51D4-45DF-B17F-97A1575455B8} and {37220A3A-1426-4DF5-92FB-81225D95DCEB}).  These directories each have the same directory structure according to tree.com, and the same creation dates and times.  They were created with a single LGPO command (C:\Policies\LPGO.EXE /b C:\Policies /n Standalone).  Each directory had its own audit.csv file, yet the CSV file in {37220A3A-1426-4DF5-92FB-81225D95DCEB} was 0k in size, so it has no policies, while the first one is 5k in size.  The policies successfully got applied by the first audit.csv, but removed when the second one was applied.  Why does LGPO do this?
    Monday, July 31, 2017 8:51 PM
  • When I backed up the original policies, LGPO created two directories ({08AEFA7D-51D4-45DF-B17F-97A1575455B8} and {37220A3A-1426-4DF5-92FB-81225D95DCEB}).  These directories each have the same directory structure according to tree.com, and the same creation dates and times.  They were created with a single LGPO command (C:\Policies\LPGO.EXE /b C:\Policies /n Standalone)

    That's really strange. What's your Windows build?

    Please confirm you obtain the LGPO.exe from the following official webpage:

    Microsoft Security Compliance Toolkit 1.0

    https://www.microsoft.com/en-us/download/details.aspx?id=55319

    I used the following command you provided only get one GP as expected.

    C:\Policies\LPGO.EXE /b C:\Policies /n Standalone

    I suggest you try it again to see if it still generated two GUID.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 1, 2017 9:53 AM
    Moderator