Finding GPO policy which set's LocalAccountTokenFilterPolicy to 0 on startup

Question

I've got a Windows Server 2019 with Windows Server 2019 Security Baseline settings applied to it. Then I enable WinRM on the server and set the registry key HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1. After that WinRM works as expected.

However, after reboot the LocalAccountTokenFilterPolicy is set back to 0. This only happens with the Security Baseline settings applied to it, not on a default Windows 2019 installation.

I traced boot process with Sysinternal's Procmon.exe and I see how the 'Group Policy Client' does set the LocalAccountTokenFilterPolicy back to 0 on the server reboot.

How do I find out which group policy setting does change the registry setting. I can't find which group policy does influence that registry key.

`gpresult` and `resop `should be able to help you out but it is a process of elimination. — Drifter104, Jul 05 '19 at 14:29

score 1 · Answer 1 · answered Jun 22 '21 at 19:25

1

In order for me to find the policy, I had to run MMC and add-in the Group Policy Object Editor even though my server was off domain

answered Jun 22 '21 at 19:25

Tim Kehoe

11
1

Which policy was that? – Arete Oct 10 '21 at 15:33

score 1 · Answer 2 · answered Jan 06 '20 at 12:24

Had the same issue. There's a policy called "Apply UAC restrictions to local accounts on network logons" which is set to Enabled. This is under the MS Security Guide template. You may need to add this template (SecGuide.adml and .admx) to c:\windows\policydefinitions from the Templates folder in the Baseline download before you can see it in local group policy

Finding GPO policy which set's LocalAccountTokenFilterPolicy to 0 on startup

2 Answers2