shufler's questions

I have set up a lab with a number of Windows Server 2012 R2 machines. The lab has an Active Directory domain (DFL: Windows Server 2012 R2, FFL: Windows Server 2012 R2) and these machines are joined to the domain.

By default if left unattended these Windows machines will automatically lock. I do not want the machines to lock automatically. I do not have any security concerns with having the machines remain unlocked as this is an isolated lab.

I have created a group policy object that sets a number of configurations and the machines still lock. I have verified that the GPO has been applied to the machines.

The GPO configures the following settings:

• Computer Configuration\Policies\Windows Settings\Local Policies/Security Options\Microsoft Network Server\Microsoft network server: Amount of idle time required before suspending session: 0 minutes
• User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Enable screen saver: Disabled
• User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Password protect the screen saver: Disabled
• User Configuration\Policies\Administrative Templates\Control Panel/Personalization\Screen saer timeout: 0 seconds
• User Configuration\Policies\Administrative Templates\System/Power Management\Prompt for password on resume from hibernate/suspend: Disabled

I've done a few hours of research and I've yet to find anything that has worked. Is there is another setting that controls this behavior?

Edit: output from gpresult /v:

C:\Windows\system32>gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2013 Microsoft Corporation. All rights reserved.

Created on 9/24/2014 at 9:44:02 AM


RSOP data for CONTOSO\user01 on SERVER01 : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.3.9600
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\user01
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SERVER01,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
    Last time Group Policy was applied: 9/24/2014 at 9:03:08 AM
    Group Policy was applied from:      DC01.CONTOSO.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Don't lock workstation
        Password Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SERVER01$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Password Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

            GPO: Password Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Password Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Password Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Password Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Don't lock workstation
                Policy:            @wsecedit.dll,-59042
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
                Computer Setting:  -1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=SharePoint Setup Account,OU=SPSSearch,OU=Projects,DC=CONTOSO,DC=NET
    Last time Group Policy was applied: 9/24/2014 at 9:03:39 AM
    Group Policy was applied from:      DC01.CONTOSO.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Don't lock workstation

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Authentication authority asserted identity
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
                State:       disabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                Value:       48, 0, 0, 0
                State:       Enabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                Value:       48, 0, 0, 0
                State:       Enabled

            GPO: Don't lock workstation
                Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                Value:       48, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

I want to sysprep a Windows Server 2008 R2 SP1 machine that has SQL Server 2008 R2 SP1 installed (for reference, SQL Server 2008 R2 has a new sysprep feature that allows the instance to be sysprepped).

On the server is a SQL Server client alias that points to the default SQL Server database engine instance. For reference, the alias is called Alias-SQLServer and has been configured in both 32-bit and 64-bit cliconfig versions (that is, both registry keys exist)

The alias points to the local instance as the image will be used to create development VMs and the installation script for the application that is being developed will use the SQL Server client alias in order to generalize the installation scripts.

I can't seem to find information about whether the sysprep tool will update the SQL Server client alias's registry keys with the server's new name once it's unsealed. My guess is that it is not; how is sysprep to know that the server name the alias points to will be different for each image? Right?

Perhaps if the alias points to localhost instead of the server name this will work?

My question is similar to Powershell Remoting: One way trust, however there are differences and the resolution (adding the server to the trusted list) does not work for me.

Scenario:
I have two domains. DOMAIN and DOMAINDMZ. DOMAIN has an incoming trust from DOMAINDMZ. That is DOMAINDMZ trusts DOMAIN, but not vice versa.

I have an administrative user DOMAIN\myadmin who is a member of the Administrators local group on several servers in the DOMAINDMZ domain: servera.domaindmz.com, serverb.domaindmz.com, serverc.domaindmz.com, etc. I can log into these servers with DOMAIN\myadmin from the console or RDP.

I am attempting to log into SERVERA and run a PowerShell script on SERVERB using PowerShell remoting. Remote Management is enabled on SERVERB. I start an elevated PowerShell session on SERVERA, and then attempt to use the Invoke-Command cmdlet. I receive the following error:

PS C:\Windows\system32> Invoke-Command -ComputerName serverb.domaindmz.com -ScriptBlock {hostname}    
[serverb.domaindmz.com] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken

If I provide a credential object containing a user in the DOMAINDMZ domain, the error goes away and the scriptblock executes as expected:

PS C:\Windows\system32> Invoke-Command -ComputerName serverb.domaindmz.com -Credential DOMAINDMZ\Administrator -ScriptBlock {hostname}
SERVERB

Question:
Given the error I suspect the issue is related to the trust and Kerberos, but I'm not clear what I can do to resolve. Should I be setting an SPN for DOMAIN\myadmin or SERVERB? Is there something else I can try?