From 249ce2ec76d73a3cab17be4d43198b4d91222dcb Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 3 Dec 2019 22:18:20 -0800 Subject: [PATCH] Updating channel permissions for Microsoft-Windows-Sysmon --- Vagrant/Vagrantfile | 5 ++--- .../Custom Event Channel Permissions.htm | Bin 150094 -> 152480 bytes .../Default Domain Controllers Policy.htm | Bin 144954 -> 144954 bytes .../Backup.xml | 18 ++++++++++++++++++ .../Machine/Preferences/Registry/Registry.xml | 1 + .../bkupInfo.xml | 1 + .../gpreport.xml | Bin 24866 -> 26270 bytes .../Backup.xml | 18 ------------------ .../bkupInfo.xml | 1 - 9 files changed, 22 insertions(+), 22 deletions(-) mode change 100644 => 100755 Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm mode change 100644 => 100755 Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm create mode 100755 Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/Backup.xml rename Vagrant/resources/GPO/wef_configuration/{{AE232F63-0190-47EE-BAF9-B78754178376} => {1C916D7C-52F4-4EB4-8EA7-081349532B3C}}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml (84%) mode change 100644 => 100755 create mode 100755 Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/bkupInfo.xml rename Vagrant/resources/GPO/wef_configuration/{{AE232F63-0190-47EE-BAF9-B78754178376} => {1C916D7C-52F4-4EB4-8EA7-081349532B3C}}/gpreport.xml (84%) mode change 100644 => 100755 delete mode 100644 Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/Backup.xml delete mode 100644 Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 0a55609..f9c1bdb 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile 
@@ -57,7 +57,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
 cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
- cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false
 cfg.vm.provider "vmware_desktop" do |v, override|
 v.vmx["displayname"] = "dc.windomain.local"
@@ -92,6 +91,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
@@ -109,7 +109,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
 cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false
- cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false
 cfg.vm.provider "vmware_desktop" do |v, override|
 v.vmx["displayname"] = "wef.windomain.local"
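Review bot: The dc section loses its `slmgr.vbs -rearm` provisioner outright in the `@@ -57,7 +57,6` hunk, whereas the wef section (`@@ -92` / `@@ -109` here) and the win10 section (`@@ -145` / `@@ -156` on the next line) only relocate the same line ahead of `cfg.vm.provision "reload"`, so after this commit dc is the one box that is never rearmed. If dc is meant to keep the step, a matching `cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false` is missing from its provisioner list; if dropping it is deliberate, the commit message should say so, since its subject only mentions Sysmon channel permissions and never touches on the Vagrantfile. Moving the rearm before the reload presumably lets the reboot that follows complete it, which is worth a comment at the two insertion points such as `# rearm before the reload below so the reboot picks it up`. The enclosing `Vagrant.configure("2") do |config|` block starts and ends outside these hunks.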
@@ -145,6 +144,7 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102" cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false + cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false @@ -156,7 +156,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false - cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false cfg.vm.provider "vmware_desktop" do |v, override| v.vmx["displayname"] = "win10.windomain.local" diff --git a/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm b/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm old mode 100644 new mode 100755 index 7db032b3234366d3898c22404e87de41cb7b63d0..a192d95788c84e32f0c043247ab7b2d2718079e3 GIT binary patch delta 357 zcmX>%g>%7j&W0_FeP0y~8H^b88BBoKh{1rtkin8cfx(o)ioqDjwgO_a?d!iX{$x?d zrp^Sc&KO7I7z1|1;VeEQAbjKR~7{b5w|GzMB@26Un^(1}Js6}mvSDT5o3uM6~o8-o+jA-X`) z87Sun7K3=n5XiRxsx=4dHUjFXML2VN*ogB0z3CqmnPjG)VP{g9_McH= Qy21}emhJOAm^Ls106>dR^8f$< delta 311 zcmZ3mob%ii&W0_FeP0#L8T1*97$BqpgCUTmz+k~(#b5vw1(Vy?e`Wm1q7G4E23C!% z&WOPTsLqJN45%-F!FT#X9wznaAAT}QO&9phs6?8!hTn{jrl0uDm@@s?A4WA#GX^&X zQwB$%lgxq6v0%^z(iT8y24tB4<=hxtfh;EmV<2_|vW$RyOQ0HoadXP}pA5sunk z_LotHdHR~4j6&0A0g0(6n8K!?`pGCUJ%*7OY7ytkO 
diff --git a/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm b/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm old mode 100644 new mode 100755 index e50193da1a1ea7efb94b9c9fc614bb715dd7a1b5..deb6612b2d3e8f2a511f1c546a04f4e3d435bd59 GIT binary patch delta 165 zcmdn>hGW+oj)pCalfEh%G8i%FGnfFe5rYAPA%i7@0)r`o6%d<)Nt5lHzcRA2s$)}U w0#pIg1tN`r`WzX2ryt~GQlCEIH>1>ah2M-yBx&0Y)V7R~(QUi=Uq)t20KH=%$^ZZW delta 165 zcmdn>hGW+oj)pCalfEjNGw3rIF+fNI216iAfx&{oiopOVYQ + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 bd d8 5d 55 72 8b b8 b4 bb d9 f7 34 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 bd d8 5d 55 72 8b b8 b4 bb d9 f7 34 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 bd d8 5d 55 72 8b b8 b4 bb d9 f7 34 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml old mode 100644 new mode 100755 similarity index 84% rename from Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml rename to Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml index ad42d31..6430a1f 
--- a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml +++ b/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml @@ -2,6 +2,7 @@ + diff --git a/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/bkupInfo.xml b/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/bkupInfo.xml new file mode 100755 index 0000000..7e8fa51 --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/bkupInfo.xml @@ -0,0 +1 @@ + 
diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml b/Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/gpreport.xml old mode 100644 new mode 100755 similarity index 84% rename from Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml rename to Vagrant/resources/GPO/wef_configuration/{1C916D7C-52F4-4EB4-8EA7-081349532B3C}/gpreport.xml index 5012f4c3968b85f611f2f3cb8a9d62876abb64b3..6b424f9265a6f9695597b5077ed14abaa2bd4104 GIT binary patch delta 1076 zcmbtTK}%Fo6#nkaa~v{9Y-nL2NiKBrY~H+i<2)N>9LHd&q+tq~7#poN7A0y56*4;o zp+y~N*&BOg?+Png3) zo2eOGH+F=CE=G`&MXP-7D8ggR;~)aA{Itfs<1jukF0UOTGHdS1nJ?T#9v4KlCFOS8 zkBbg(cKL=h5$?Ya+VsfI6Q3i9rpzmY{GbRPEwQo^`yMKPqy2rDe7z9wwn7nnI@uAK z3{e4A!DcmBIr-JoE4u^hFR}^U>PkfQLC?KTePw7b7V3fB$!{^)KNXJT*}&)UB$vIN zb~P+^y-M4x-;slvm~M@pNJ^rx+C1EYee9P*eTwtw!wTkc7o+r_8rcN$Nt{)GonHvn@ z=jsl28rS$$`$liG&X1RN6+X8(FLARuEK5u{sP?Q2jL1PeZ&h(xRxr~3;0LW!mzTaJ L%t93wU - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml deleted file mode 100644 index efa3bbc..0000000 --- a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml +++ /dev/null @@ -1 +0,0 @@ -