Enabled GPO for registry entries not showing up on server

Question

Preface: I am a Linux admin. I don't really "get" (or like) Windows.

I am in the process of remediating Windows 2016 servers with the CIS recommendations. It is mostly just creating a GPO set according to CIS specs, and applying it to the server(s) in question. I'm using Tenable's Nessus Audit Scanner to check the validity of the settings.

Here is where you can get the CIS spec I am using: https://www.cisecurity.org/benchmark/microsoft_windows_server/

(There isn't a direct download for it but it is free to download.)

Many of the exact details don't matter, so for this question I will focus on one specific example that I should be able to extrapolate to resolve the other problems. Broadly, the problem seems to be that I am trying to apply Registry edits via GPO and I guess I don't understand how to do that. However, the CIS guideline is very specific on the steps to remediate.

So, for example, I'm trying to apply CIS guideline 19.1.3.1, "Ensure 'Enable screen saver' is set to 'Enabled'"

The steps to do this are listed as:

To establish the recommended configuration via GP, set the following UI path to Enabled: User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Enable screen saver

Ok, so, I did that. I know the GPO itself is applied because all the other GPO settings now show up on the server. Also, the Nessus Audit Scan now shows "OK" for most of the items I just applied.

The only items that don't seem to work are items that are Registry settings.

When I examine the Registry, I see the key I'm trying to set to a value isn't even there. For this example, that key is:

HKEY_USERS[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive

So, how do I get a Registry setting to show up via GPO?

Specifically, how do I make "User Configuration" Registry items show up?

Answer 1

It sounds like you're applying User Configuration settings in a Group Policy Object (GPO) that's linked in a place where it applies only to Computer accounts.

User Configuration will only be applied if the GPO is linked at or above the Organizational Unit (OU) or Container where the User account you're testing with is located. If, for example, the Computer account is located in a "Servers" OU where you've linked your "CIS Recommendations" GPO, but the user account you're logging-on with is located in, say, the default "Users" container, those User Configuration settings in the "CIS Recommendations" GPO wouldn't apply.

I'd recommend reading-up on Group Policy application in general. Understanding how settings are applied based on the location of GPO links and the OUs where Computer and User account objects are located is going to be helpful to you. There are a variety of different resources you might consult. Some ideas include:

• Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object

• Group Policy Basics – Part 2: Understanding Which GPOs to Apply

• Group Policy Basics – Part 3: How Clients Process GPOs

The specific setting you're looking for, if you do want to place User Configuration settings in a GPO linked in a place that would typically apply only to Computer accounts is Loopback Policy Processing. This functionality allows the User Configuration settings in GPOs that apply to the Computer to be either merged with, or out-right replace the User Configuration settings that would normally be applied to a given User account logging-on to that Computer.

I wrote a little about Loopback Policy Processing on this site awhile back, and give a reasonable example in that answer, too.