9 Replies Latest reply on Dec 5, 2014 7:39 AM by Manas P

    Remediation package behaving unexpectedly

      Hi Experts,

       

      I am trying to remediate the "Enforce password history" setting (Windows 2k8) but am struggling to make it a success.

      Compliant value for the setting: 10

      Till now I have adopted the methods below but failed to update the effective setting's value (not sure if this behavior is expected).

      Approach 1: (BLPackage using live server object)

      Created a BLPackage from a live server object (original value set to 7), modified it to 10 and then deployed the package.

       

      Approach 2: command-line method

      BLPackage containing the command below:

       

      net accounts /uniquepw:10

       

      Both of the above methods only update the local setting value, and the effective setting value remains unchanged.

       

      Am I doing something wrong?

       

      Regards,

      Manas

        • 1. Re: Remediation package behaving unexpectedly
          Bill Robinson

          If the setting is being passed down from a GPO from the domain, you can't remediate that through BSA. You would need to talk to your AD admin to have them update the GPO…

          • 2. Re: Remediation package behaving unexpectedly

            You mean to say that if it does not belong to any domain, then I should be able to update the value for both the local and effective settings?

             

            Also, would you please explain briefly what the difference is between the local and effective settings? Because even if I update the value of the setting from the GUI, it only updates the local setting value.

            • 3. Re: Remediation package behaving unexpectedly
              Bill Robinson

              Local means what the value is set to locally on the box. Effective means what the actual, in-effect value is. Effective is what you care about. If you set the local value to something and there is no GPO, then the effective value should be the same as local. If there is a GPO overriding, then that would override the local value and be the effective value.

              • 4. Re: Remediation package behaving unexpectedly

                So can't we remediate these as part of a compliance check using BSA, and is the only option left to use a GPO?

                In short, remediation is not possible using BSA for settings like this (Password Policy setting). To update the effective value, a GPO needs to be applied.

                 

                I have very little knowledge about security settings and GPOs. Does applying a GPO on a server change the local setting's value, or does it only deal with the effective setting's value?

                • 5. Re: Remediation package behaving unexpectedly
                  Bill Robinson

                  If the setting is delivered via a GPO, then no. If the setting is not delivered via a GPO, then yes.

                  • 6. Re: Remediation package behaving unexpectedly
                    Joe Piotrowski

                    To reiterate what Bill said, and add a bit more.

                    The Local setting is what the current value is on the server. The Effective setting is what is being pushed by GPO policy. Or, if there is no GPO policy being applied, the Effective setting will default to whatever the Local setting is.

                     

                    If the values are different, that means the GPO Effective setting hasn't been applied yet (by a gpupdate or a reboot) or someone manually changed the Local setting. But a gpupdate or a reboot will change the Local setting to whatever the Effective setting is. The Effective setting is the master for lack of a better term.

                     

                    As Bill said, GPO policies are created and managed from your Microsoft Active Directory directory services.

                    Group Policy - Windows app development

                     

                    When I do Compliance checks on Security Settings I always check for both values. Sometimes there is a problem with a server getting policies applied properly and this is a good way to catch that.

                    • 7. Re: Remediation package behaving unexpectedly

                      Thanks Bill and Joe. It helped me a lot. I was a little worried after the deployment of the package. I even tried using the OOTB CIS WIN2k8 Component template but failed to update the effective setting value.

                       

                      I have a quick question here.

                      For our server, the compliant value for the password history is >=10. The compliance check found that it was set to 7. We created a remediation package using the live server object option and deployed the package (value was set to 10). Only the local setting value changed, leaving the effective setting unchanged at 7.

                       

                      So what is the best recommended way of doing remediation for such settings related to GPO?

                      Will applying a GPO modify the value for both the local and effective settings as per industry standard, with no need to remediate using BSA?

                      Do we need to deploy the package to update the local setting and ask the AD admin to push a GPO to update the effective setting value?

                       

                      Please suggest.

                      • 8. Re: Remediation package behaving unexpectedly
                        Bill Robinson

                        The GPO sets the effective setting, not the local setting. If there is a GPO in place, then that will override the local setting. If the box is removed from the domain, or the GPO is altered such that this setting is no longer defined, then the local setting would take effect. So it may still be a good idea to push out the local settings in case one of those things happens. So I'd still do both – deploy the local setting and get the AD admin to update the GPO.
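
The local-versus-effective check discussed in this thread, as an added example that is not part of the original posts and is not BSA's own code. It assumes the two values are available as INF text in the `[System Access]` / `PasswordHistorySize` form that `secedit /export` writes; the sample text, function names and action labels are constructed for illustration.

```python
import configparser

COMPLIANT_MIN = 10  # the thread's compliant value: password history >= 10

# Constructed sample exports (assumed input): one holds the local value,
# the other the effective value seen on the same server.
LOCAL_INF = ('[Unicode]\nUnicode=yes\n[System Access]\n'
             'PasswordHistorySize = 10\n[Version]\nsignature="$CHICAGO$"\n')
EFFECTIVE_INF = LOCAL_INF.replace("PasswordHistorySize = 10",
                                  "PasswordHistorySize = 7")


def password_history(inf_text):
    """Return PasswordHistorySize from [System Access], or None if undefined."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the export
    parser.read_string(inf_text)
    if not parser.has_option("System Access", "PasswordHistorySize"):
        return None
    return int(parser.get("System Access", "PasswordHistorySize"))


def assess(local, effective, minimum=COMPLIANT_MIN):
    """Judge compliance on the effective value and list follow-up actions."""
    local_ok = local is not None and local >= minimum
    effective_ok = effective is not None and effective >= minimum
    actions = []
    if not local_ok:
        # Local is the fallback if the GPO stops defining the setting.
        actions.append("DEPLOY_LOCAL")
    if not effective_ok:
        if local_ok:
            # Local is already compliant but is not what is in effect:
            # per the thread, a GPO decides the value, so the AD admin must act.
            actions.append("UPDATE_GPO")
        else:
            # The values alone cannot show whether a GPO is involved;
            # check the effective value again after the local deploy.
            actions.append("RECHECK_EFFECTIVE")
    return {"compliant": effective_ok, "actions": actions}


if __name__ == "__main__":
    local = password_history(LOCAL_INF)
    effective = password_history(EFFECTIVE_INF)
    print(local, effective, assess(local, effective))
```

With the sample values (local 10, effective 7) the result matches the situation in the question: the server is still non-compliant and the remaining action sits with the AD admin.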