
Group Policies on Server 2019 #73

Open
big-nath opened this issue Mar 21, 2019 · 8 comments

Comments

@big-nath

I seem to be having an issue when running the script on Server 2019. It seems to stop Group Policy Management from working correctly. When I try to create a GPO after running this script, I get an access denied error.

I have removed the Passive screens monitoring the sysvol folder and then the GPO creation works again.

I only seem to have this issue with 2019. Has anyone else experienced this issue?

@snagrat

snagrat commented Jul 7, 2019

Did you find a solution for this, as I am also getting the error?

@TDMPro2K

I have had this too!
I ran the script about 3 weeks ago and couldn't figure out what was causing it...
I also removed it and rebooted, and it started working again. #Daywasted

@davidande

davidande commented Sep 9, 2019

I had the same issue on 2019 servers.
I included this code to delete passive screens:

# Collect the paths of every passive (Active = False) file screen that uses the script's template
$delpassiveshares = Get-FsrmFileScreen | Select Active, Path, Template | Where-Object { ($_.Active -eq $false) -and ($_.Template -like "$fileTemplateName") } | Select -ExpandProperty Path
foreach ($Path in $delpassiveshares) {
    Remove-FsrmFileScreen $Path -Confirm:$False
    Write-Host "FSRM Deleting Passive Protection Share::: $Path"
}

I have to go further in the tests because I still have the GPO problem (cannot create one).
Did someone fix this problem?

@xicanoink

Yeah, we used this script on all our new 2019 deployments and it does kill GPO Management. You can't edit or create new group policies. We even created a ticket with Microsoft, but they were like "Nah, it's your script." But we have this working everywhere else, 2016 and below, what did you change?! we said.
No reasonable answer: we fixed your issue, uninstalled FSRM role, reboot, install FSRM without your script, it all works, goodbye!
So, something in the passive screens of the Sysvol is causing this. I don't know if anybody has tried to remove that section and see if the FSRM script and GPOMC can co-exist.
We will attempt to do some testing, but such a pain and so many reboots, ugh.

@davidande

davidande commented Sep 30, 2019

Maybe the issue is that it should select only shares with type 0, not 0 and 2147483648 as it does currently.

$drivesContainingShares = Get-WmiObject Win32_Share | Select Name,Path,Type | Where-Object { $_.Type -match '0|2147483648' } | Select -ExpandProperty Path | Select -Unique

No time to check now, if someone could... thanks :-)

@xicanoink

We did more testing just on 2019 servers, Standard and Essentials. It has nothing to do with the CryptoBlocker script at all. Something is broken in 2019 when passive screens are applied to the same volume that SYSVOL sits on.
We installed a fresh 2019 DC and fresh FSRM. Everything works great.
As soon as you turn on the included default passive screen for "System Files and Executables" on the C: drive which has SYSVOL, GPO Management stops working.
You have to remove the passive screen and reboot.
Or completely remove FSRM and reboot.
So, yeah, for right now we have to find a way to make the script not put any screens on the drive that has SYSVOL.

@freezscholte

@xicanoink @davidande @snagrat @big-nath I replaced the code with this in the protect list part (we don't use this so I deleted it). What it does is check which OS version you are running and based on that it enumerates shares with or without the C drive. So if the server OS version is 2019 then it will enumerate shares on every drive except the C drive. If it is 2016 or lower it will enumerate shares on all drives.

# Check OS version for specific enumeration of OS shares
$OSVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName

# Note: Write-EventLog needs the "Freezit Eventlogs" log and the Cryptoblocker source to be registered
# beforehand (New-EventLog), otherwise it throws.
If ($OSVersion -like "Windows Server 2019*")
{
    Write-Host "Server 2019 Installation Found, Exclude Filescreens C:*"
    Write-EventLog "Freezit Eventlogs" -Source Cryptoblocker -EventId 1002 -EntryType Information -Message "Windows Server 2019 Detected And Script Executed"
    # Disk shares (type 0) and admin disk shares (type 2147483648), skipping anything on C: where SYSVOL lives.
    # The regex is anchored so that only those two type values match.
    $drivesContainingShares = @(Get-WmiObject Win32_Share |
        Select Name,Path,Type |
        Where-Object { ($_.Type -match '^(0|2147483648)$') -and ($_.Path -notlike 'C:*') } |
        Select -ExpandProperty Path |
        Select -Unique)
}
Elseif ($OSVersion -like "Windows Server*")
{
    # Any other Windows Server version (2016 or lower): screen every drive, C: included.
    Write-Host "Server 2016 Or Lower Installation Found, Include Filescreens C:*"
    Write-EventLog "Freezit Eventlogs" -Source Cryptoblocker -EventId 1001 -EntryType Information -Message "Windows Server 2016 Detected And Script Executed"
    $drivesContainingShares = @(Get-WmiObject Win32_Share |
        Select Name,Path,Type |
        Where-Object { $_.Type -match '^(0|2147483648)$' } |
        Select -ExpandProperty Path |
        Select -Unique)
}
Else
{
    # Reached only when ProductName is not a Windows Server edition (the original -notlike test made this branch unreachable).
    Write-Host "OS Version Not Recognized"
    Write-EventLog "Freezit Eventlogs" -Source Cryptoblocker -EventId 2000 -EntryType Warning -Message "Script error, OS version not recognized. Script probably not working, run script manually and look up errors."
    exit
}
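The OS-version branch above hardcodes C: as the volume to skip. Since the thread establishes that the real trigger is a passive screen on whichever volume holds SYSVOL, the following added example (not code from the CryptoBlocker project or from any commenter here) derives that volume from the SYSVOL share itself and excludes it on every OS version; it also removes already-applied passive screens on that volume for a DC that is currently broken. It assumes the FileServerResourceManager cmdlets are present and that the host is a domain controller exposing a SYSVOL share.

```powershell
# Added example: find the volume that holds SYSVOL and keep FSRM passive screens off it.
# Assumes Get-FsrmFileScreen / Remove-FsrmFileScreen are available and a SYSVOL share exists.

# Locate the SYSVOL volume from the share itself instead of assuming C:.
function Get-SysvolVolume {
    $sysvol = Get-WmiObject Win32_Share | Where-Object { $_.Name -eq 'SYSVOL' }
    if (-not $sysvol) { return $null }                  # not a domain controller
    return (Split-Path -Path $sysvol.Path -Qualifier)   # e.g. 'C:'
}

# Enumerate disk shares (type 0) and admin disk shares (type 2147483648) the way the
# script does, but drop every path on the SYSVOL volume, whatever the OS version.
function Get-ScreenablePaths {
    param([string]$ExcludeVolume = (Get-SysvolVolume))
    Get-WmiObject Win32_Share |
        Where-Object { $_.Path -and ($_.Type -in 0, 2147483648) } |
        Where-Object { -not $ExcludeVolume -or (Split-Path -Path $_.Path -Qualifier) -ne $ExcludeVolume } |
        Select-Object -ExpandProperty Path |
        Select-Object -Unique
}

# Remediation for an already affected DC: remove passive screens sitting on the SYSVOL volume.
# Run with -WhatIf first to see what would be removed.
function Remove-PassiveScreensOnSysvolVolume {
    param([switch]$WhatIf)
    $volume = Get-SysvolVolume
    if (-not $volume) { Write-Warning 'No SYSVOL share found; nothing to do.'; return }
    Get-FsrmFileScreen |
        Where-Object { (-not $_.Active) -and ((Split-Path -Path $_.Path -Qualifier) -eq $volume) } |
        ForEach-Object {
            Write-Host "Removing passive file screen on $($_.Path)"
            Remove-FsrmFileScreen -Path $_.Path -Confirm:$false -WhatIf:$WhatIf
        }
}

# Usage: list what the script would screen, then dry-run the cleanup.
Get-ScreenablePaths | ForEach-Object { Write-Host "Would screen: $_" }
Remove-PassiveScreensOnSysvolVolume -WhatIf
```

Active screens are left alone on purpose; the thread only implicates passive screens, and a reboot after removal was still needed in the reports above.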

@davidande

The FSRM role now causes no errors in GPO; no incompatibility anymore.
