trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Chris Long
2017-12-11 08:49:25 -08:00
commit 1577341ce9
157 changed files with 5271 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
+1
View File
@@ -0,0 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml
+20
View File
@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2099590610-328841986-2664697228-11659]]></Sid><SamAccountName/><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1703962]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
+3
View File
@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="7" changed="2017-07-26 04:57:18" uid="{D232208A-0CBB-4FA1-BE41-D8A402116908}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_SZ" value="0"/></Registry>
</RegistrySettings>
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx
+12
View File
@@ -0,0 +1,12 @@
<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
<policyNamespaces>
<using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
</policyNamespaces>
<comments>
<admTemplate></admTemplate>
</comments>
<resources minRequiredRevision="1.0">
<stringTable></stringTable>
</resources>
</policyComments>
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
+38
View File
@@ -0,0 +1,38 @@
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Distribution Group Management,{0cce9238-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Detailed Directory Service Replication,{0cce923e-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Directory Service Replication,{0cce923d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
1 Machine Name Policy Target Subcategory Subcategory GUID Inclusion Setting Exclusion Setting Setting Value
2 System Audit Credential Validation {0cce923f-69ae-11d9-bed3-505054503030} Success and Failure 3
3 System Audit Kerberos Authentication Service {0cce9242-69ae-11d9-bed3-505054503030} Success and Failure 3
4 System Audit Kerberos Service Ticket Operations {0cce9240-69ae-11d9-bed3-505054503030} Success and Failure 3
5 System Audit Other Account Logon Events {0cce9241-69ae-11d9-bed3-505054503030} Success and Failure 3
6 System Audit Computer Account Management {0cce9236-69ae-11d9-bed3-505054503030} Success and Failure 3
7 System Audit Distribution Group Management {0cce9238-69ae-11d9-bed3-505054503030} Success and Failure 3
8 System Audit Other Account Management Events {0cce923a-69ae-11d9-bed3-505054503030} Success and Failure 3
9 System Audit Security Group Management {0cce9237-69ae-11d9-bed3-505054503030} Success and Failure 3
10 System Audit User Account Management {0cce9235-69ae-11d9-bed3-505054503030} Success and Failure 3
11 System Audit DPAPI Activity {0cce922d-69ae-11d9-bed3-505054503030} Success and Failure 3
12 System Audit PNP Activity {0cce9248-69ae-11d9-bed3-505054503030} Success and Failure 3
13 System Audit Process Creation {0cce922b-69ae-11d9-bed3-505054503030} Success and Failure 3
14 System Audit Process Termination {0cce922c-69ae-11d9-bed3-505054503030} Success and Failure 3
15 System Audit Detailed Directory Service Replication {0cce923e-69ae-11d9-bed3-505054503030} Success and Failure 3
16 System Audit Directory Service Access {0cce923b-69ae-11d9-bed3-505054503030} Success and Failure 3
17 System Audit Directory Service Changes {0cce923c-69ae-11d9-bed3-505054503030} Success and Failure 3
18 System Audit Directory Service Replication {0cce923d-69ae-11d9-bed3-505054503030} Success and Failure 3
19 System Audit Account Lockout {0cce9217-69ae-11d9-bed3-505054503030} Success and Failure 3
20 System Audit User / Device Claims {0cce9247-69ae-11d9-bed3-505054503030} Success and Failure 3
21 System Audit Group Membership {0cce9249-69ae-11d9-bed3-505054503030} Success and Failure 3
22 System Audit Logoff {0cce9216-69ae-11d9-bed3-505054503030} Success and Failure 3
23 System Audit Logon {0cce9215-69ae-11d9-bed3-505054503030} Success and Failure 3
24 System Audit Other Logon/Logoff Events {0cce921c-69ae-11d9-bed3-505054503030} Success and Failure 3
25 System Audit Special Logon {0cce921b-69ae-11d9-bed3-505054503030} Success and Failure 3
26 System Audit Detailed File Share {0cce9244-69ae-11d9-bed3-505054503030} Failure 2
27 System Audit File Share {0cce9224-69ae-11d9-bed3-505054503030} Success and Failure 3
28 System Audit File System {0cce921d-69ae-11d9-bed3-505054503030} Success and Failure 3
29 System Audit Filtering Platform Connection {0cce9226-69ae-11d9-bed3-505054503030} Failure 2
30 System Audit Kernel Object {0cce921f-69ae-11d9-bed3-505054503030} Success and Failure 3
31 System Audit Removable Storage {0cce9245-69ae-11d9-bed3-505054503030} Success 1
32 System Audit Audit Policy Change {0cce922f-69ae-11d9-bed3-505054503030} Success and Failure 3
33 System Audit Authentication Policy Change {0cce9230-69ae-11d9-bed3-505054503030} Success and Failure 3
34 System Audit MPSSVC Rule-Level Policy Change {0cce9232-69ae-11d9-bed3-505054503030} Success 1
35 System Audit IPsec Driver {0cce9213-69ae-11d9-bed3-505054503030} Success and Failure 3
36 System Audit Security State Change {0cce9210-69ae-11d9-bed3-505054503030} Success and Failure 3
37 System Audit Security System Extension {0cce9211-69ae-11d9-bed3-505054503030} Success and Failure 3
38 System Audit System Integrity {0cce9212-69ae-11d9-bed3-505054503030} Success and Failure 3
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/manifest.xml
+1
View File
@@ -0,0 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/Backup.xml
+20
View File
@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Servers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1376277]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Services" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Services" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Services"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
+3
View File
@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" changed="2017-03-28 20:28:29" uid="{7E71B8A5-03A7-456C-9CC9-941C1045C0E1}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry>
</RegistrySettings>
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/comment.cmtx
+12
View File
@@ -0,0 +1,12 @@
<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
<policyNamespaces>
<using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
</policyNamespaces>
<comments>
<admTemplate></admTemplate>
</comments>
<resources minRequiredRevision="1.0">
<stringTable></stringTable>
</resources>
</policyComments>
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
+33
View File
@@ -0,0 +1,33 @@
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
1 Machine Name Policy Target Subcategory Subcategory GUID Inclusion Setting Exclusion Setting Setting Value
2 System Audit Credential Validation {0cce923f-69ae-11d9-bed3-505054503030} Success and Failure 3
3 System Audit Other Account Logon Events {0cce9241-69ae-11d9-bed3-505054503030} Success and Failure 3
4 System Audit Security Group Management {0cce9237-69ae-11d9-bed3-505054503030} Success and Failure 3
5 System Audit User Account Management {0cce9235-69ae-11d9-bed3-505054503030} Success and Failure 3
6 System Audit DPAPI Activity {0cce922d-69ae-11d9-bed3-505054503030} Success and Failure 3
7 System Audit PNP Activity {0cce9248-69ae-11d9-bed3-505054503030} Success and Failure 3
8 System Audit Process Creation {0cce922b-69ae-11d9-bed3-505054503030} Success and Failure 3
9 System Audit Process Termination {0cce922c-69ae-11d9-bed3-505054503030} Success and Failure 3
10 System Audit Account Lockout {0cce9217-69ae-11d9-bed3-505054503030} Success and Failure 3
11 System Audit User / Device Claims {0cce9247-69ae-11d9-bed3-505054503030} Success and Failure 3
12 System Audit Group Membership {0cce9249-69ae-11d9-bed3-505054503030} Success and Failure 3
13 System Audit Logoff {0cce9216-69ae-11d9-bed3-505054503030} Success and Failure 3
14 System Audit Logon {0cce9215-69ae-11d9-bed3-505054503030} Success and Failure 3
15 System Audit Other Logon/Logoff Events {0cce921c-69ae-11d9-bed3-505054503030} Success and Failure 3
16 System Audit Special Logon {0cce921b-69ae-11d9-bed3-505054503030} Success and Failure 3
17 System Audit Detailed File Share {0cce9244-69ae-11d9-bed3-505054503030} Success and Failure 3
18 System Audit File Share {0cce9224-69ae-11d9-bed3-505054503030} Success and Failure 3
19 System Audit File System {0cce921d-69ae-11d9-bed3-505054503030} Success and Failure 3
20 System Audit Filtering Platform Connection {0cce9226-69ae-11d9-bed3-505054503030} Failure 2
21 System Audit Other Object Access Events {0cce9227-69ae-11d9-bed3-505054503030} Success and Failure 3
22 System Audit Registry {0cce921e-69ae-11d9-bed3-505054503030} Success and Failure 3
23 System Audit Removable Storage {0cce9245-69ae-11d9-bed3-505054503030} Success and Failure 3
24 System Audit Audit Policy Change {0cce922f-69ae-11d9-bed3-505054503030} Success and Failure 3
25 System Audit Authentication Policy Change {0cce9230-69ae-11d9-bed3-505054503030} Success and Failure 3
26 System Audit MPSSVC Rule-Level Policy Change {0cce9232-69ae-11d9-bed3-505054503030} Success and Failure 3
27 System Audit Other Policy Change Events {0cce9234-69ae-11d9-bed3-505054503030} Success and Failure 3
28 System Audit Non Sensitive Privilege Use {0cce9229-69ae-11d9-bed3-505054503030} Failure 2
29 System Audit Sensitive Privilege Use {0cce9228-69ae-11d9-bed3-505054503030} Success and Failure 3
30 System Audit Other System Events {0cce9214-69ae-11d9-bed3-505054503030} Success and Failure 3
31 System Audit Security State Change {0cce9210-69ae-11d9-bed3-505054503030} Success and Failure 3
32 System Audit Security System Extension {0cce9211-69ae-11d9-bed3-505054503030} Success and Failure 3
33 System Audit System Integrity {0cce9212-69ae-11d9-bed3-505054503030} Success and Failure 3
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/registry.pol
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/bkupInfo.xml
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/gpreport.xml
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/manifest.xml
+1
View File
@@ -0,0 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/Backup.xml
+20
View File
@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1245203]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
+3
View File
@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" bypassErrors="1" changed="2017-03-28 18:23:06" uid="{C6860994-A627-43A9-A8E9-433B483C697C}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry>
</RegistrySettings>
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/comment.cmtx
+12
View File
@@ -0,0 +1,12 @@
<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
<policyNamespaces>
<using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
</policyNamespaces>
<comments>
<admTemplate></admTemplate>
</comments>
<resources minRequiredRevision="1.0">
<stringTable></stringTable>
</resources>
</policyComments>
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
+33
View File
@@ -0,0 +1,33 @@
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
1 Machine Name Policy Target Subcategory Subcategory GUID Inclusion Setting Exclusion Setting Setting Value
2 System Audit Credential Validation {0cce923f-69ae-11d9-bed3-505054503030} Success and Failure 3
3 System Audit Other Account Logon Events {0cce9241-69ae-11d9-bed3-505054503030} Success and Failure 3
4 System Audit Security Group Management {0cce9237-69ae-11d9-bed3-505054503030} Success and Failure 3
5 System Audit User Account Management {0cce9235-69ae-11d9-bed3-505054503030} Success and Failure 3
6 System Audit DPAPI Activity {0cce922d-69ae-11d9-bed3-505054503030} Success and Failure 3
7 System Audit PNP Activity {0cce9248-69ae-11d9-bed3-505054503030} Success and Failure 3
8 System Audit Process Creation {0cce922b-69ae-11d9-bed3-505054503030} Success and Failure 3
9 System Audit Process Termination {0cce922c-69ae-11d9-bed3-505054503030} Success and Failure 3
10 System Audit Account Lockout {0cce9217-69ae-11d9-bed3-505054503030} Success and Failure 3
11 System Audit User / Device Claims {0cce9247-69ae-11d9-bed3-505054503030} Success and Failure 3
12 System Audit Group Membership {0cce9249-69ae-11d9-bed3-505054503030} Success and Failure 3
13 System Audit Logoff {0cce9216-69ae-11d9-bed3-505054503030} Success and Failure 3
14 System Audit Logon {0cce9215-69ae-11d9-bed3-505054503030} Success and Failure 3
15 System Audit Other Logon/Logoff Events {0cce921c-69ae-11d9-bed3-505054503030} Success and Failure 3
16 System Audit Special Logon {0cce921b-69ae-11d9-bed3-505054503030} Success and Failure 3
17 System Audit Detailed File Share {0cce9244-69ae-11d9-bed3-505054503030} Success and Failure 3
18 System Audit File Share {0cce9224-69ae-11d9-bed3-505054503030} Success and Failure 3
19 System Audit File System {0cce921d-69ae-11d9-bed3-505054503030} Success and Failure 3
20 System Audit Filtering Platform Connection {0cce9226-69ae-11d9-bed3-505054503030} Failure 2
21 System Audit Other Object Access Events {0cce9227-69ae-11d9-bed3-505054503030} Success and Failure 3
22 System Audit Registry {0cce921e-69ae-11d9-bed3-505054503030} Success and Failure 3
23 System Audit Removable Storage {0cce9245-69ae-11d9-bed3-505054503030} Success and Failure 3
24 System Audit Audit Policy Change {0cce922f-69ae-11d9-bed3-505054503030} Success and Failure 3
25 System Audit Authentication Policy Change {0cce9230-69ae-11d9-bed3-505054503030} Success and Failure 3
26 System Audit MPSSVC Rule-Level Policy Change {0cce9232-69ae-11d9-bed3-505054503030} Success and Failure 3
27 System Audit Other Policy Change Events {0cce9234-69ae-11d9-bed3-505054503030} Success and Failure 3
28 System Audit Non Sensitive Privilege Use {0cce9229-69ae-11d9-bed3-505054503030} Failure 2
29 System Audit Sensitive Privilege Use {0cce9228-69ae-11d9-bed3-505054503030} Success and Failure 3
30 System Audit Other System Events {0cce9214-69ae-11d9-bed3-505054503030} Success and Failure 3
31 System Audit Security State Change {0cce9210-69ae-11d9-bed3-505054503030} Success and Failure 3
32 System Audit Security System Extension {0cce9211-69ae-11d9-bed3-505054503030} Success and Failure 3
33 System Audit System Integrity {0cce9212-69ae-11d9-bed3-505054503030} Success and Failure 3
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/registry.pol
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/bkupInfo.xml
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/gpreport.xml
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/powershell_logging/manifest.xml
Executable
+1
View File
@@ -0,0 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst></Backups>
Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/Backup.xml
Executable
+18
View File
@@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Powershell Logging]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/comment.cmtx
Executable
+12
View File
@@ -0,0 +1,12 @@
<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
<policyNamespaces>
<using prefix="ns0" namespace="Microsoft.Policies.PowerShell"></using>
</policyNamespaces>
<comments>
<admTemplate></admTemplate>
</comments>
<resources minRequiredRevision="1.0">
<stringTable></stringTable>
</resources>
</policyComments>
Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/registry.pol
Executable
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/bkupInfo.xml
Executable
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/gpreport.xml
Executable
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Default Domain Policy.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Domain Controllers Enhanced Auditing Policy.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Powershell Logging.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Servers Enhanced Auditing Policy.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Windows Event Forwarding Server.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/reports/Workstations Enhanced Auditing Policy.htm
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/wef_configuration/manifest.xml
+1
View File
@@ -0,0 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst></Backups>
Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/Backup.xml
+18
View File
@@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Custom Event Channel Permissions]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[131074]]></UserVersionNumber><MachineVersionNumber><![CDATA[1572888]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
+7
View File
@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 01:25:45" uid="{CA8FB1DB-B0A8-427A-A00D-08C1D499DC32}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:26:23" uid="{837364B6-ECD8-46E8-9FF1-35C7B0D9F5FF}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBClient/Operational" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:27:30" uid="{43ADFF5A-9412-44C6-8476-839EC6602558}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:29:26" uid="{8D55AF86-069E-4A22-A9F9-AD8DCC1711C9}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Services\EventLog\DNS Server" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:54:47" uid="{59ECA0A8-307C-4B14-9D55-BB118CC1B9D4}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Services\EventLog\Security" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry>
</RegistrySettings>
Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/Backup.xml
+18
View File
@@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
<GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Windows Event Forwarding Server]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Adm\*.*"/>
</GroupPolicyExtension>
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
</GroupPolicyBackupScheme>
Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/comment.cmtx
+12
View File
@@ -0,0 +1,12 @@
<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
<policyNamespaces>
<using prefix="ns0" namespace="Microsoft.Policies.EventForwarding"></using>
</policyNamespaces>
<comments>
<admTemplate></admTemplate>
</comments>
<resources minRequiredRevision="1.0">
<stringTable></stringTable>
</resources>
</policyComments>
Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/registry.pol
BIN
View File
Binary file not shown.
Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/bkupInfo.xml
+1
View File
@@ -0,0 +1 @@
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst>
Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/gpreport.xml
BIN
View File
Binary file not shown.