Installing GPO Validation Agent and AD GPO Assessment Sensor for Remedio

Introduction

This document outlines the system requirements and prerequisites for installing GPO Validation Agent and AD GPO Assessment Sensor.

AD Domain Agent for GPO Validation

The GPO Validation module within Remedio is designed to identify and remediate gaps in the implementation of Group Policy Objects (GPOs). It addresses issues such as:

  1. Failures in applying Group Policy Preferences (GPPs)

  2. Mismatched or inconsistent settings

  3. Presence of local GPOs

  4. Orphaned GPO instances

  5. Discrepancies between intended and applied configurations

AD GPO Assessment (dsRequester) Sensor

The dsRequester is responsible for securely retrieving security and maintenance data from:

Active Directory (AD):

  • Security: Identifies risky configurations such as weak delegation, unrestricted group memberships, and misconfigured ACLs.

  • Maintenance: Gathers operational data including replication health, domain controller aging, and AD cleanup requirements.

Group Policy (GPO):

  • Security: Detects unsecure GPO settings, inconsistent permission configurations, and exposure to privilege escalation.

  • Maintenance: Flags orphaned GPOs, unused links, and inconsistencies between AD-stored and SYSVOL-stored policy definitions.

These components work together to provide deep visibility into GPO application and configuration integrity across the environment.

Checklist

Ensure that the following Remedio requirements are satisfied before initiating the installation of the Remedio Domain Sensors:

  • Server sizing and OS: Verify compatibility with the Remedio Domain Sensors Server.

  • Users and Groups: Validate configurations in Active Directory and the Remedio GPO Validator for seamless integration.

  • Ports: Confirm that the required ports are open on both the server and sensor sides to facilitate proper communication.

  • Antivirus: Take precautions to prevent any interference from antivirus software that could impede the Remedio Domain Sensors' correct execution.

Server Sizing

A dedicated server is not mandatory; any existing domain-joined server can be utilized (and an installation on a Domain Controller isn’t necessary).

If you already have a dsRequester server installed in your network, you can use the same server to install the GPO Validation Sensor as well, allowing you to run both modules on a single machine.

However, ensure that the selected server possesses a minimum of 4 cores and 8GB RAM for optimal performance.

Remedio Domain Sensors are installed once per domain: in each domain you wish to monitor, a single domain-joined server runs the tasks.

OS

The Remedio Validator software is compatible with Windows Server 2016 Standard and later versions.

  • Windows Server language settings:

    • The Windows Server operating system must be set to use the English (United States) language.

    • The Windows Server language for non-Unicode programs must be set to use the English (United States) language.

Users and Groups

Create a domain user within your Active Directory and allocate the specified permissions as outlined in the table. Feel free to adopt your preferred naming convention; the names in the table are merely suggestions.

Ensure that the passwords for Remedio users exclude the characters ' " ~ ; or spaces.

Permissions

Refer to the table to configure the permissions for both the user and the group (consult the hyperlinks for detailed instructions):

Type: AD User

Name: RemedioSvc (or any other suitable naming convention)

Permission set:

  Domain level:

    • Member of Domain Group: “Performance Log Users”

  Remedio Server local settings:

    1. Local admin on Remedio Domain Sensors Server

    2. Log on as a service

    3. Log on as a batch job

  Active Directory Delegation:

    • Generate Resultant Set of Policy (Planning)

Ports

Rule 1

  From: Remedio Domain Sensors Server

  To: Domain Controllers (DCs)

  Port number: 389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 + dynamic ports (49152-65535)

  Purpose: Group Policy PowerShell queries + Group Policy modeling queries

Rule 2

  From: Remedio Domain Sensors Server

  To: Remedio AWS Cloud instance. The instance details, including required firewall rules and URLs, are shared during onboarding and tenant creation. If you are not familiar with these requirements or cannot locate them, please contact your Remedio TAM for assistance.

  Port number: 443

  Purpose: Group Policy PowerShell reporting + Group Policy modeling reporting

Rule 3

  From: Remedio Domain Sensors Server

  To: Remedio Self-Hosted Services Server

  Port number: 443 + 8443

  Purpose: Group Policy PowerShell reporting + Group Policy modeling reporting
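The following is an added example, not Remedio's own tooling: it probes the TCP ports from Rule 1 above from the Remedio Domain Sensors Server to every domain controller in the current domain, so that a firewall request can list exactly what is still blocked. It assumes the ActiveDirectory RSAT module is installed (it is part of the Windows Features installed later on this page); the function name Test-RemedioDcPorts is invented here.

```powershell
# Added example, not Remedio's own tooling: probe the TCP ports listed for
# DC communication from this server to every DC in the current domain.
# Assumes the ActiveDirectory RSAT module is installed.
# UDP traffic (53, 138) and the dynamic RPC range (49152-65535) are out of
# scope for a TCP probe; 135 only shows whether the RPC endpoint mapper answers.
Import-Module ActiveDirectory

$DcTcpPorts = 389, 636, 3268, 3269, 9389, 135, 139, 445, 464, 53

function Test-RemedioDcPorts {
    param(
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName),
        [int[]]$Ports = $DcTcpPorts
    )
    foreach ($dc in $DomainControllers) {
        foreach ($port in $Ports) {
            # Quiet mode returns a plain $true/$false instead of a full result object
            $reachable = Test-NetConnection -ComputerName $dc -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Reachable        = $reachable
            }
        }
    }
}

# Report only blocked ports so the firewall request contains exactly what to open
$blocked = Test-RemedioDcPorts | Where-Object { -not $_.Reachable }
if ($blocked) {
    $blocked | Format-Table -AutoSize
} else {
    'All listed TCP ports are reachable on every domain controller.'
}
```

Run it in an elevated PowerShell session on the Remedio Domain Sensors Server; an empty blocked list means the TCP part of Rule 1 is satisfied.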

Antivirus / EDR

If whitelisting is required, ensure that the following paths and their subfolders and files are included:

  1. C:\Program Files\Gytpol (subfolders and files)

  2. C:\Program Files\WindowsPowershell\modules\gytpolServer (subfolders and files)

Detailed Configuration Instructions

How to Verify PowerShell Version and Review Restriction Mode

Navigate to the Remedio Domain Sensors Server, select the "Start" menu, and enter "PowerShell" in the search bar. Subsequently, click on "Windows PowerShell" from the search results.

Within the Windows PowerShell window, input the following command: $PSVersionTable.PSVersion

  1. Ensure that the Major version is 5 or above and the Minor version is 1 or above by checking the output of the $PSVersionTable.PSVersion command.

  2. In the same PowerShell window, enter the following command: Get-ExecutionPolicy -List. Confirm that the PowerShell execution policy is not set to "Restricted" in any of its scopes. The desired results are "RemoteSigned", "AllSigned", or "Undefined" for the execution policies.

Include the Remedio user in the Domain group "Performance Log Users"

  1. On a computer with RSAT (Remote Server Administration Tools), open a command prompt (cmd).

  2. Launch Active Directory Users and Computers by entering dsa.msc and pressing ENTER.

  3. Search for the "Performance Log Users" group within Active Directory.

  4. Double-click on the group, navigate to Members, click on Add, input the name of the Remedio user created earlier, and press OK.

  5. Confirm the changes by clicking OK in the group properties window.

Delegate "Generate Resultant Set of Policy (Planning)" Permission

  1. Log in to a computer that has Remote Server Administration Tools (RSAT) installed.

  2. Open Active Directory Users and Computers:

    • Click the Start menu, search for Active Directory Users and Computers, and open it.

  3. In Active Directory Users and Computers:

    • In the left pane, right-click the domain where you want to assign the delegation.

    • Select Delegate Control.

  4. In the Delegation of Control Wizard:

    • Click Next on the welcome screen.

  5. On the Users or Groups page:

    • Click Add.

    • Enter the name of the Remedio user.

    • Click Check Names to validate.

    • Click OK, then Next.

  6. On the Tasks to Delegate page:

    • Select Delegate the following common tasks.

    • Check Generate Resultant Set of Policy (Planning).

    • Click Next.

  7. Click Finish to complete the wizard.


Adding a local admin

  1. Log in to the Remedio Domain Sensors Server with an existing administrator account.

  2. Open Computer Management:

    • Press Windows Key + X, then select Computer Management,
      or

    • Press Windows Key + R, type compmgmt.msc, and press Enter.

  3. In Computer Management, expand:

    • System Tools → Local Users and Groups → Groups.

  4. Click on the Administrators group.

  5. In the Administrators Properties window, click Add.

  6. In the Enter the object names to select box:

    • Type GYTPOSVC.

    • Click Check Names to validate.

    • If the name resolves correctly, click OK.

  7. Click Apply and then OK to save changes.

  8. Close Computer Management.

“Log on as a batch job” and “Log on as a service” rights

  1. Log in to the Remedio Domain Sensors Server with an administrator account.

  2. Open Local Security Policy Editor:

    • Press Windows Key + R, type secpol.msc, and press Enter.

  3. In the Local Security Policy Editor, navigate to:
    Local Policies → User Rights Assignment.

  4. Find and double-click Log on as a batch job.

  5. In the properties window, click Add User or Group.

  6. In the Enter the object names to select box:

    • Type GYTPOSVC.

    • Click Check Names to validate.

    • Click OK.

  7. Click Apply and then OK to save changes.

  8. Follow the same steps for Log on as a service.

  9. Close Local Security Policy.

  • If Group Policy (GPO) manages the "Log on as a batch job" and "Log on as a service" settings, any manual changes made locally will be overwritten at the next Group Policy refresh.

  • To make permanent changes when GPO controls this setting, you must update the appropriate GPO (typically via Group Policy Management Console on the domain controller).

Network access: Do not allow storage of passwords and credentials for network authentication

  1. Log in to the Remedio Domain Sensors Server with an administrator account.

  2. Open Local Group Policy Editor:

    • Press Windows Key + R, type gpedit.msc, and press Enter.

  3. In the Local Group Policy Editor, navigate to:
    Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  4. Find and double-click Network access: Do not allow storage of passwords and credentials for network authentication.

  5. In the properties window, set the option to Disabled.

  6. Click OK to apply the change.

If there is a Group Policy with the specified restriction, exclude the Remedio server from this setting:

  1. Identify the Group Policy containing the "Network access: Do not allow storage of passwords and credentials for network authentication" restriction.

  2. Exclude the Remedio Domain Sensors Server from this restriction within the Group Policy settings.

To verify the setting, execute the following command in PowerShell as an Administrator. The expected output should be 0:

(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop).disabledomaincreds

This PowerShell command retrieves and displays the "disableDomainCreds" registry value under the specified key. If the output is 0, it confirms that the restriction is disabled and the server may store credentials for network authentication.

Windows Features installation

Launch Server Manager on the Remedio Domain Sensors Server and follow these steps:

  1. Navigate to "Add Roles and Features."

  2. Click "Next" until you reach the "Features" tab.

  3. Check the following Features:

    • Group Policy Management

    • Remote Server Administration Tools

      • Role Administration Tools

        • Active Directory module for PowerShell

        • AD DS Tools

        • AD LDS Snap-Ins and Command-Line Tools

Ensure that the specified features are selected for installation.

Proceed by clicking "Next" and then "Install." Wait patiently until the installation process concludes.
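As an added example (not Remedio's DS Checker, which is described in the next section), the script below is a read-only pre-flight for the Remedio Domain Sensors Server that covers the checks from the preceding sections in one pass: PowerShell version and execution policy, membership of "Performance Log Users", local Administrators membership, the disabledomaincreds value, and the Windows features just installed. It assumes the service account is named RemedioSvc and that the ActiveDirectory module is already installed; Test-RemedioLocalPrereqs and Add-Result are names invented for this example.

```powershell
# Added example, not Remedio's DS Checker: a read-only pre-flight for the
# Remedio Domain Sensors Server covering the checks described on this page.
# Assumptions: the service account is RemedioSvc; the ActiveDirectory module
# is installed so the domain group check can run.
Import-Module ActiveDirectory

function Test-RemedioLocalPrereqs {
    param([string]$User = 'RemedioSvc')   # assumption: adjust to your naming convention
    $r = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Passed, $Detail = '') {
        $r.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = "$Detail" })
    }

    # 1. PowerShell 5.1 or later
    $v = $PSVersionTable.PSVersion
    Add-Result 'PowerShell 5.1 or later' ($v -ge [version]'5.1') $v

    # 2. No execution policy scope may be Restricted
    $restricted = Get-ExecutionPolicy -List | Where-Object { $_.ExecutionPolicy -eq 'Restricted' }
    Add-Result 'No Restricted execution policy' (-not $restricted) ($restricted.Scope -join ', ')

    # 3. Credential storage not disabled; an absent value is treated as the default, 0
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name disabledomaincreds -ErrorAction SilentlyContinue
    $val = if ($lsa) { $lsa.disabledomaincreds } else { 0 }
    Add-Result 'disabledomaincreds is 0' ($val -eq 0) $val

    # 4. Required Windows features (Server Manager display names as values)
    $features = @{ 'GPMC'               = 'Group Policy Management'
                   'RSAT-AD-PowerShell' = 'Active Directory module for PowerShell'
                   'RSAT-ADDS'          = 'AD DS Tools'
                   'RSAT-ADLDS'         = 'AD LDS Snap-Ins and Command-Line Tools' }
    foreach ($name in $features.Keys) {
        Add-Result "Feature: $($features[$name])" (Get-WindowsFeature -Name $name).Installed $name
    }

    # 5. Local Administrators membership (entries look like DOMAIN\RemedioSvc)
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    Add-Result "$User is a local Administrator" ($admins -like "*\$User")

    # 6. Domain group "Performance Log Users" (recursive, so nested groups count)
    $perf = Get-ADGroupMember -Identity 'Performance Log Users' -Recursive |
            Select-Object -ExpandProperty SamAccountName
    Add-Result "$User in Performance Log Users" ($perf -contains $User)

    return $r
}

Test-RemedioLocalPrereqs | Format-Table -AutoSize
```

The "Log on as a service" and "Log on as a batch job" rights are not covered here because they require exporting the local security policy; verify them through secpol.msc as described above.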

Automatic pre-checker tool

Download the automatic pre-checker tool from https://gytpol.com/dschecker and transfer it to the Remedio Domain Sensors Server.

Next, right-click on the downloaded tool and choose "Run as Administrator" to launch the DS Checker tool.

Enter the Remedio user, i.e., DOMAIN\RemedioSvc, and click "Check" to initiate the validation process.

Allow the checks to run for approximately 1 minute. The checklist encompasses internal ports, DC communication ports, user permissions, and other essential features to ensure correct configurations.

Wait patiently for the results to be displayed.

Pay attention to the results:

  • Red X sign (error): Indicates a critical error that requires resolution before proceeding with the installation. Hover over the question mark (?) for guidance on the necessary actions.

  • Yellow Exclamation mark (warning): Represents a failed check that is not critical for immediate resolution. However, consider addressing warnings for optimal performance.

  • Defender icon: Denotes a successful check, confirming that the specific aspect has passed verification.

Review the results carefully, address any red X errors promptly, and consider improvements for yellow exclamation warnings. The presence of the Defender icon signifies successful checks.

Once all issues are addressed and resolved, click on "Export results" within the DS Checker tool. Proceed to email the generated log to the assigned Remedio engineer for further review and confirmation.

Click Exit once done.

Please restart the server before the installation.


Here’s a video that demonstrates the Checker running its tests during the check process.

If you cannot see the results screen at the end or if the Checker is "killed" during execution, please ensure there are no EDR restrictions or other interferences affecting the Checker’s flow.


dsRequester installation / update

  1. Download the dsRequester MSI file from the Remedio console: navigate to Settings in the left-hand menu, then select System Health. In the Latest Sensor Versions section, you will find the dsRequester download link (AD GPO Assessor).

  2. Place the downloaded MSI file on the server.

  3. Open an elevated Command Prompt:

    • Right-click on CMD.

    • Select "Run as Administrator."

Once the elevated Command Prompt is open:

  1. Navigate to the location of the MSI file you want to install.

  2. Hold down the left Shift key.

  3. Right-click on the MSI file.

  4. Click on "Copy as Path".

This action copies the full path of the MSI file to the clipboard, making it easier to reference in the command line.

In the elevated Command Prompt window:

  1. Right-click to paste the path of the MSI file that you copied as instructed.

  2. Press Enter.

This command executes the installation or update process for the dsRequester using the provided MSI file.

Throughout the installation process, you will be prompted to input the credentials for the Remedio account created during the setup process, as explained earlier.

Upon completion, the progress window will close automatically.

To confirm a successful installation, follow these steps:

  1. Open Task Scheduler.

  2. Navigate to the Task Scheduler Library.

  3. Look for tasks related to gytpolServer in the Task Scheduler Library.

The presence of gytpolServer tasks in the Task Scheduler Library indicates a successful installation.

Please note that the tasks will run as the RemedioSvc user that was created earlier.

GPO Validation Agent installation / update

Before You Begin Installation

Before starting the installation, please ensure you have the following information:

  1. Your Access Key and Secret Key

  2. Tenant Name – This is the short name found in your Remedio UI URL, excluding the domain.
    For example, in https://demo-tenant.us.cloud.gytpol.com, the tenant name is demo-tenant.

  3. The correct region (Europe or US)

Where to Find This Information

For SaaS

If you do not already have these values, you can retrieve them from any device with a Remedio Sensor installed.

  1. Open the following file on the device:

    C:\Program Files\WindowsPowerShell\Modules\gytpol\Config\predefined.json

  2. Inside the file, look for the cloudCfg line. It will look similar to this example:

    "cloudCfg": "{\"ReportsBucket\":{\"scanner-report\":\"gytpol-demo-tenant-analyzer-reports\",\"remediation-report\":\"gytpol-demo-tenant-analyzer-reports\",\"log-report\":\"gytpol-demo-tenant-analyzer-reports\"},\"Region\":\"eu-central-1\",\"AccessKeyID\":\"BjJ+29xx4ueTM=\",\"SecretAccessKey\":\"FDR2CQkAWXyhiRw==\"}"

  3. From this line, extract the following details:

  • AccessKeyID: value after "AccessKeyID": (typically ends with =).

  • SecretAccessKey: value after "SecretAccessKey": (typically ends with ==).

  • Tenant name: taken from the Reports bucket. It is the part between gytpol- and -analyzer.

    • Example: for gytpol-demo-tenant-analyzer-reports, the tenant name is demo-tenant.

  • Region: value after "Region": (e.g., eu-central-1).

When copying the keys, make sure to exclude any backslashes (\) or quotation marks ("). Copy only the raw value itself.
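The manual extraction above is error-prone because the cloudCfg value is a JSON document escaped inside another JSON document. As an added example (not part of the Remedio agent or installer), the function below reads predefined.json from an existing sensor and returns the four values the installer asks for, deriving the tenant name from the bucket naming shown above. It assumes cloudCfg is a top-level property of the file and that the region prefix (eu-/us-) maps to the installer's Europe/US choice; Get-RemedioCloudConfig is a name invented here.

```powershell
# Added example, not part of the Remedio agent: parse predefined.json on an
# existing Remedio Sensor and return the installer inputs described above.
# Assumptions: cloudCfg is a top-level property; the bucket follows the
# gytpol-<tenant>-analyzer pattern; region prefix eu-/us- maps to Europe/US.
function Get-RemedioCloudConfig {
    param(
        [string]$Path = 'C:\Program Files\WindowsPowerShell\Modules\gytpol\Config\predefined.json'
    )
    # cloudCfg is a second JSON document stored as an escaped string, so it is
    # parsed twice: once for the file, once for the embedded string.
    $outer = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cloud = $outer.cloudCfg | ConvertFrom-Json

    # Tenant name sits between "gytpol-" and "-analyzer" in the report bucket name
    $bucket = $cloud.ReportsBucket.'scanner-report'
    if ($bucket -notmatch '^gytpol-(.+)-analyzer') {
        throw "Unexpected bucket name '$bucket'; cannot derive the tenant name"
    }
    $tenant = $Matches[1]

    # Map the AWS region to the installer's region choice (Europe or US)
    $installerRegion = if ($cloud.Region -like 'eu-*') { 'Europe' }
                       elseif ($cloud.Region -like 'us-*') { 'US' }
                       else { 'Unknown' }

    [pscustomobject]@{
        TenantName      = $tenant
        AwsRegion       = $cloud.Region
        InstallerRegion = $installerRegion
        AccessKeyID     = $cloud.AccessKeyID
        # Kept as SecureString so the secret is not echoed to the console or a transcript
        SecretAccessKey = ConvertTo-SecureString -String $cloud.SecretAccessKey -AsPlainText -Force
    }
}

# Display everything except the secret; the key values arrive already unescaped
Get-RemedioCloudConfig | Format-List TenantName, AwsRegion, InstallerRegion, AccessKeyID
```

Because ConvertFrom-Json removes the backslashes and quotation marks for you, the returned AccessKeyID is already the raw value the installer expects.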

Example values:

  • AccessKeyID: BjJ+29xx4ueTM=