
Restricted security groups? Now locked out of admin group, account was removed automatically. (windows-optimize-harden-debloat, closed)

dohabandit avatar dohabandit commented on June 2, 2024
Restricted security groups? Now locked out of admin group, account was removed automatically.

from windows-optimize-harden-debloat.

Comments (7)

github-actions avatar github-actions commented on June 2, 2024

Message that will be displayed on users' first issue


simeononsecurity avatar simeononsecurity commented on June 2, 2024

@dohabandit
That's odd for sure. We just attempted to recreate the issue on Windows 11 Pro. However, we only test with all configurations on.
There is nothing in this script that should present that way. We appreciate you taking the time to investigate and troubleshoot on your own prior to opening an issue.
Can you tell us what install method you used? And with what launch parameters, if relevant.

You also mention the STIG script. Did you mean to open an issue on there? Or are you referring to this repo? Please clarify.


dohabandit avatar dohabandit commented on June 2, 2024

I did a clean install of Windows 11 Pro on my laptop (MSI Stealth 17) as it came with the Home version and extra bloat-related items. The OS was activated, but I was having issues with getting my Office 2019 key to activate. The Office installer kept wanting me to use an online MS account, online account blocked by the STIG script, and there were activation errors in the Windows event logs. I applied the STIG script using the UI installer (.exe). I didn't check all of the SoS options (I think I left BitLocker unchecked). Unfortunately I didn't save the log output in the installer window, but I did notice some errors.

I made an image of that OS, and reloaded it using the same process. I can extract any files from that image if you need them. I applied your STIG/hardening script again; this time I allowed all items to be checked. I also saved the output window text to a log file. There are only a few errors listed at the very end, which appear to be from when gpupdate was run. I believe these were the same errors.

The following warnings were encountered during computer policy processing:
Windows failed to apply the Group Policy Scheduled Tasks settings. Group Policy Scheduled Tasks settings might have its own log file. Please click on the "More information" link.

The following warnings were encountered during user policy processing:
Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link.

Even after reboots, I am seeing these errors in the Windows event log:
The client-side extension could not apply computer policy settings for 'Local Group Policy' because it failed with error code '0x80070003 The system cannot find the path specified.' See trace file for more details.
The client-side extension could not apply user policy settings for 'Local Group Policy' because it failed with error code '0x80070003 The system cannot find the path specified.' See trace file for more details.


simeononsecurity avatar simeononsecurity commented on June 2, 2024

@dohabandit

With regard to those Group Policy errors, those are expected. It's an issue with applying some configurations that can't be applied locally. We're working on a fix for it. But for now the errors there mean nothing. You can safely ignore those for now.

You can google the configurations for restricting online Microsoft accounts.
Then follow these instructions: https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat#editing-policies-in-local-group-policy-after-the-fact

Besides that, can you clarify what issues you're having specifically?


dohabandit avatar dohabandit commented on June 2, 2024

The only issue was the local admin account that I created was somehow removed from the administrators group. The original administrator account was renamed to X_Admin, disabled, but remained in the admin group as expected. There was an online MS account that was in the group, but that account was also disabled as expected. I have a good understanding of local security policies, domain policies, etc. I have designed and operated AD forests that support more than 150k users.

The local admin account was working after the STIG script was applied, and several reboots had occurred post STIG process. It just suddenly dropped out of the local admins group. 100% positive that I didn't accidentally remove it.


simeononsecurity avatar simeononsecurity commented on June 2, 2024

There are no configurations in the script that remove users from groups. At most they would remain in the groups but be disabled.


simeononsecurity avatar simeononsecurity commented on June 2, 2024

Closing due to no update
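
For anyone triaging the same symptom (an account silently dropping out of the local Administrators group), the following is an added example, not part of the thread or of the project's script. It lists who or what changed the group's membership according to the Security log, then shows current membership. It assumes an elevated PowerShell session and that the "Security Group Management" audit subcategory was enabled when the change happened; the function name `Get-AdminGroupChange` is hypothetical.

```powershell
# Added example: trace changes to BUILTIN\Administrators membership.
# Event 4732 = member added to a security-enabled local group,
# event 4733 = member removed. Both are only written when the
# "Security Group Management" audit subcategory is enabled.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminGroupChange {
    param([int]$Days = 30)   # how far back to search

    $filter = @{
        LogName   = 'Security'
        Id        = 4732, 4733
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Keep only changes that target the Administrators group.
        if ($data['TargetSid'] -ne $AdminsSid) { continue }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Action    = if ($evt.Id -eq 4733) { 'Removed' } else { 'Added' }
            MemberSid = $data['MemberSid']
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId   = $data['SubjectLogonId']
        }
    }
}

# 1. Confirm the audit subcategory is on; otherwise no 4733 will exist.
auditpol /get /subcategory:"Security Group Management"

# 2. Who changed the group, and when?
Get-AdminGroupChange -Days 30 | Sort-Object Time | Format-Table -AutoSize

# 3. Current membership, for comparison with the events above.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, ObjectClass, PrincipalSource
```

A `ChangedBy` of the machine account (`HOSTNAME$`) points to a change made by a process running as SYSTEM, such as policy processing or a scheduled task, rather than an interactive user.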
