When running a comparison report between a Repository GPO and the same GPO in AD, the Local Policies (NETIQKB48792)

  • 7748792
  • 02-Feb-2007
  • 20-Sep-2007

Resolution

fact
NetIQ Group Policy Administrator 4.6

fact
Hotfixes 46104, 46740, 47214, and 48054 have been applied.

symptom
When running a comparison report between a Repository GPO and the same GPO in AD, the Local Policies / User Rights Assignment area displays no data.

symptom
GPO comparison does not show Security Options and User Rights Assignment information.

cause
This error occurs when the capitalization of the User Rights Assignment section in a custom .inf file does not match the capitalization of the same items in the OS Config files. The name check that GPA performs for this portion of a GPO in comparison and difference reports is case-sensitive. The following is an example of an incorrect User Rights Assignment section:

[Privilege Rights]
sedenybatchlogonright = *S-1-5-32-546
sedenynetworklogonright = *S-1-5-7,*S-1-5-32-546
sedenyremoteinteractivelogonright = *S-1-5-32-546
seinteractivelogonright = *S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
semachineaccountprivilege = *S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544
seshutdownprivilege = *S-1-5-32-549,*S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544


The correct method is to capitalize the text to match the capitalization of these same items in the OSConfig files:

[Privilege Rights]
SeDenyBatchLogonRight = *S-1-5-32-546
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeInteractiveLogonRight = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-544


fix

This issue is addressed in NetIQ Group Policy Administrator version 4.6 Hotfix 48792.

This hotfix addresses an issue where Comparison and Difference reports in Group Policy Administrator (GPA) may not display Security Options and User Rights Assignment information under Computer Configuration\Windows Settings\Security Settings\Local Policy Settings when these items have been imported into a GPO through a custom .inf file. This occurs when the case of the Security Options registry paths and User Rights Assignment names do not match the case of these same items in the OS Config files. This hotfix corrects the case-sensitivity so the Comparison and Difference reports include the Security Options and User Rights Assignment information.

To install this hotfix, perform the following steps on each computer where you installed the GPA Console:

  1. Close all GPA user interfaces.
  2. Run the GPG46000_Hotfix48792.exe file.

This hotfix modifies the following files:

  • \Bin\XML\GpoCompare\faRptFuncDiff.xsl
  • \Bin\XML\GpoCompare\faGpoCompareMachSecurity.xsl

By default, these files are located in the Program Files\NetIQ\Group Policy Administrator 4.6 folder.

For more information, contact Technical Support at www.netiq.com/support.



fix
If you do not want to apply the hotfix, there is a work-around solution. Change the Privilege Rights names in your custom .inf files as indicated above. Do not just re-import the .inf file if it is already imported: re-importing does not change the capitalization in the GptTmpl.inf file. You need to manually undefine all the settings or delete the settings from the GPO's GptTmpl.inf file.

note

The registry key path check for the Compare\Diff reports is case-sensitive, so the work-around is to change a line similar to the following:

machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1

to match the OSConfig file entry:

MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
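The work-around above can be checked mechanically before a custom .inf file is imported. The following Python is an added example, not NetIQ code and not part of the hotfix: it flags entries whose key differs only in case from the spellings shown in this article and returns a corrected copy. The function name `check_inf_case` and the sample template are constructed for illustration.

```python
import re

# Canonical spellings copied from the corrected examples in this article.
CANONICAL_KEYS = [
    "SeDenyBatchLogonRight",
    "SeDenyNetworkLogonRight",
    "SeDenyRemoteInteractiveLogonRight",
    "SeInteractiveLogonRight",
    "SeLoadDriverPrivilege",
    "SeMachineAccountPrivilege",
    "SeRemoteInteractiveLogonRight",
    "SeRestorePrivilege",
    "SeShutdownPrivilege",
    "SeSystemTimePrivilege",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
]
_BY_LOWER = {k.lower(): k for k in CANONICAL_KEYS}

# indent, key (not a section header or comment), then '=' and the value
_ENTRY = re.compile(r"^(\s*)([^=;\[\s][^=]*?)(\s*=.*)$")


def check_inf_case(text):
    """Return (fixed_text, findings); findings are (line_no, found, canonical)."""
    fixed, findings = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _ENTRY.match(line)
        if m:
            indent, key, rest = m.groups()
            canonical = _BY_LOWER.get(key.lower())
            if canonical and key != canonical:
                findings.append((no, key, canonical))
                line = indent + canonical + rest
        fixed.append(line)
    return "\n".join(fixed), findings


# Constructed sample input: two wrongly cased entries, one correct entry.
SAMPLE = "\n".join([
    "[Privilege Rights]",
    "sedenybatchlogonright = *S-1-5-32-546",
    "SeRestorePrivilege = *S-1-5-32-544",
    "[Registry Values]",
    r"machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1",
])

if __name__ == "__main__":
    for no, found, canonical in check_inf_case(SAMPLE)[1]:
        print(f"line {no}: {found} -> {canonical}")
```

File reading is left out; decode the .inf file with the encoding it was saved in and pass the text in. Run against a copy of an already imported GPO's GptTmpl.inf, the findings list shows which entries still carry the wrong case.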



Additional Information

Formerly known as NETIQKB48792