@Super-Sundae : Can you run Sysinternals' RegMon and patch another machine with Intune? That way you can capture the changes.
Perhaps running SysMon at the same time in case it makes changes to file permissions would help.
If you can find out what the policy changes then you should be able to revert on both machines. Hopefully :)
It only applies the setting when linked to the OU of the user
Well, according to that screenshot, it IS a user setting.
Yeah. I want all users or a group of users who log in to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?
Yes, it's possible.
Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that the user is getting the policy.
I think, but it's been a while since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.
Test it by having one of the in-scope users log on to a different server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.
A quick update for y'all that are watching/participating in this thread (thank you, by the way!).
Late Friday I realized where the lockouts were coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.
Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.
A previous admin created a GPO to alter and add an entry under the hive HKEY_CURRENT_USER in Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range66 which forces a single entry for compatibility mode. I've spent a lot of time testing and, while the setting is to apply once and not again, it doesn't seem to allow a user to add more sites to compatibility mode and keep that addition after a reboot.
Has anyone successfully created a GPO for IE11 to enable CM for users to add items, while also pushing a list of our own? Is there a best method around for achieving this goal?
I have not, I only keep adding it through GPO (In the medical field which they have many sites as this).
Ditto - Just have to keep adding them via GPO. So glad we barely use IE 11 anymore.
@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.
I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.
We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.
Ah. What an ..... effective use of resources.
Good luck, ExtraHop is very nice, but like every other tool, it's useless until deployed properly.
@dave247 I have a few ideas about who they are specifically... but after they decided to be a bunch of dicks about anyone here posting links to their site that shall not be named, they created an account here to spy, presumably. Lot of former :hot_pepper: folks here... Lots of :middle_finger: :middle_finger: :middle_finger: :middle_finger: :middle_finger: for their informers.
It's a public site, doesn't take much for someone to inform, lol. It's a bit like tattling on a billboard.
That sounds a lot like calling out your Husband by doing this to his ride.
We use Cisco AnyConnect that authenticates against AD, but is not tied to any kind of GPS and it works for us just fine. Except for deployment, I see no need in using GPS.
If we use GPS for anything, it's with RADIUS for our wireless network. That works in one location but not the other. And this is only because both locations have different wireless systems and in how each system implements RADIUS and authenticates a laptop against an OU.