Winlogbeat is the Elastic Beat used to ship event logs from Windows hosts to a defined ingestor; Filebeat fills the same role on Linux, macOS, pfSense and BSD. This lab uses Logstash for Windows event log ingestion: the Logstash service runs on the lab's Linux server, listens for inbound data, and then collects, parses and transforms the log data.
Connect to the ELK system using PuTTY and check that the Docker containers are running properly. Install and configure Winlogbeat on the Domain Controller. Verify that the Kibana interface is accessible. On the Windows 10 workstation, generate activity that produces suspicious log entries. Lastly, hunt for those entries in Kibana.
Connect via Remote Desktop to the Domain Controller, DC01.
See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
The remainder of this lab uses PowerShell to administer Group Policy. The same tasks can be completed with the Group Policy Management MMC snap-in; see [Lab Addendum VL0320][VL0320] for that approach. VL0320 walks through Lab L0320 with the snap-in, but the same procedure applies to this lab's GPO import and linking. Reviewing VL0320 is optional.
We will import three previously built Group Policies, and link the Imported Policies into the Domain.
Import the Group Policy with the Import-GPO cmdlet. -BackupGpoName selects the backup to restore from the backup folder, -TargetName names the GPO it is written into, and -CreateIfNeeded creates that target GPO if it does not already exist.
Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Windows Event Forwarding" -BackupGpoName "Windows Event Forwarding" -CreateIfNeeded -TargetName "Windows Event Forwarding" -Server DC01
PS C:\labs> Import-GPO -Path "\\dc01\LABS\LabPack\LABPACK-master\Lab-GPOs\Windows Event Forwarding" -BackupGpoName "Windows Event Forwarding" -CreateIfNeeded -TargetName "Windows Event Forwarding" -Server DC01
DisplayName : Windows Event Forwarding
DomainName : labs.local
Owner : LABS\Domain Admins
Id : 249b6aa0-abb3-4e55-a425-435ed3cde64a
GpoStatus : UserSettingsDisabled
Description :
CreationTime : 9/21/2020 9:02:49 PM
ModificationTime : 9/21/2020 9:02:49 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
The imported GPO carries a SubscriptionManager URL from the domain in which the backup was taken, which may not be this lab's collector. Let's check its current value and update the Group Policy directly from PowerShell.
Using the Get-GPRegistryValue cmdlet from the GroupPolicy module, retrieve the value of the SubscriptionManager registry key held in the GPO.
Get-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
PS C:\labs> Get-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
KeyPath : SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
FullKeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Hive : LocalMachine
PolicyState : Set
Value : Server=http://dc01.labs.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
Type : String
ValueName : 1
HasValue : True
Note the "Value" key above.
Using the Set-GPRegistryValue cmdlet from the GroupPolicy module, set the SubscriptionManager registry value to the correct subscription URL for this lab environment. The value names the collector by FQDN on the WinRM HTTP port (5985) and tells sources to re-read the policy every 60 seconds.
Set-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager -ValueName "1" -Type String -Value "Server=http://dc01.labs.local:5985/wsman/SubscriptionManager/WEC,Refresh=60"
PS C:\labs> Set-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager -ValueName "1" -Type String -Value "Server=http://dc01.labs.local:5985/wsman/SubscriptionManager/WEC,Refresh=60"
DisplayName : Windows Event Forwarding
DomainName : labs.local
Owner : LABS\Domain Admins
Id : 249b6aa0-abb3-4e55-a425-435ed3cde64a
GpoStatus : UserSettingsDisabled
Description :
CreationTime : 9/21/2020 9:02:49 PM
ModificationTime : 9/21/2020 9:04:08 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 2, SysVol Version: 2
WmiFilter :
Again using the Get-GPRegistryValue cmdlet, confirm the updated subscription host value.
Get-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
PS C:\labs> Get-GPRegistryValue -Name "Windows Event Forwarding" -Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
KeyPath : SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
FullKeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Hive : LocalMachine
PolicyState : Set
Value : Server=http://dc01.labs.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
Type : String
ValueName : 1
HasValue : True
Note the "Value" key above.
Link the imported and updated Group Policy Object to the domain root with the New-GPLink cmdlet.
New-GPLink -Name "Windows Event Forwarding" -Target "dc=labs,dc=local" -LinkEnabled Yes
PS C:\labs> New-GPLink -Name "Windows Event Forwarding" -Target "dc=labs,dc=local" -LinkEnabled Yes
GpoId : 249b6aa0-abb3-4e55-a425-435ed3cde64a
DisplayName : Windows Event Forwarding
Enabled : True
Enforced : False
Target : DC=labs,DC=local
Order : 5
Review the contents of the imported, updated, and linked Group Policy Object by generating an HTML report with the Get-GPOReport cmdlet, then open the file in a browser.
Get-GPOReport -Name "Windows Event Forwarding" -ReportType HTML -Path "c:\Labs\GPOReport-Windows-Event-Forwarding.html"
c:\Labs\GPOReport-Windows-Event-Forwarding.html
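The SubscriptionManager string is the one setting in this GPO that must be right for any source to reach the collector, and the output above only shows that a value is set, not that it is usable. The following is an added example, not part of the lab: it parses the value the GPO will push, applies the checks a practitioner would want (resource path, scheme/port pairing, host name rather than IP so Kerberos can work, name resolution, Refresh as an integer), and then runs the matching check on the client side by reading what policy actually wrote under HKLM after gpupdate. The GPO name and key path are the lab's; the GroupPolicy module is assumed to be present (domain controller or RSAT); the function names are this example's own.

```powershell
# Added example, not part of the lab: parse and sanity-check the
# SubscriptionManager value that the "Windows Event Forwarding" GPO pushes,
# then show the matching check a source computer can run after gpupdate.
# Assumptions: GroupPolicy module available (DC or RSAT), the GPO name and
# registry key are the lab's, and the function names are this example's own.

$GpoName = 'Windows Event Forwarding'
$KeyPath = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Test-WefSubscriptionManagerValue {
    # Value format: Server=<url>[,Refresh=<seconds>][,IssuerCA=<thumbprint>]
    param([Parameter(Mandatory)][string]$Value)

    $problems = New-Object System.Collections.Generic.List[string]
    $fields = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $data = $pair -split '=', 2
        if ($data) { $fields[$name.Trim()] = $data.Trim() }
    }

    $uri = $null
    if (-not $fields.ContainsKey('Server')) {
        $problems.Add('No Server= field')
    }
    elseif (-not [Uri]::TryCreate($fields['Server'], [UriKind]::Absolute, [ref]$uri)) {
        $problems.Add("Server is not an absolute URL: $($fields['Server'])")
    }
    else {
        # The collector only answers on this WinRM resource URI.
        if ($uri.AbsolutePath -ne '/wsman/SubscriptionManager/WEC') {
            $problems.Add("Unexpected path $($uri.AbsolutePath)")
        }
        # Default WinRM ports: 5985 for http, 5986 for https.
        if (($uri.Scheme -eq 'http' -and $uri.Port -ne 5985) -or
            ($uri.Scheme -eq 'https' -and $uri.Port -ne 5986)) {
            $problems.Add("Non-default port $($uri.Port) for $($uri.Scheme)")
        }
        # Kerberos needs a name that maps to the collector's SPN, not an IP.
        if ($uri.HostNameType -in 'IPv4', 'IPv6') {
            $problems.Add('Collector given as an IP address; Kerberos authentication will fail')
        }
        if ($uri.Scheme -eq 'https' -and -not $fields.ContainsKey('IssuerCA')) {
            $problems.Add('https without IssuerCA= (required for certificate-authenticated sources)')
        }
        try { [void][System.Net.Dns]::GetHostEntry($uri.Host) }
        catch { $problems.Add("Collector name $($uri.Host) does not resolve") }
    }
    if ($fields.ContainsKey('Refresh') -and $fields['Refresh'] -notmatch '^\d+$') {
        $problems.Add("Refresh must be a whole number of seconds, got '$($fields['Refresh'])'")
    }

    [pscustomobject]@{
        Value     = $Value
        Collector = $(if ($uri) { $uri.Host })
        Scheme    = $(if ($uri) { $uri.Scheme })
        Port      = $(if ($uri) { $uri.Port })
        Refresh   = $fields['Refresh']
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

function Get-WefClientSubscriptionManager {
    # Run on a source (ws01, or dc01 itself) after gpupdate: the URLs policy wrote.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $regPath)) { return @() }
    (Get-ItemProperty -Path $regPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# On the collector: what the GPO will push.
$gpoValue = (Get-GPRegistryValue -Name $GpoName -Key $KeyPath -ValueName '1').Value
$check = Test-WefSubscriptionManagerValue -Value $gpoValue
$check | Format-List
# WinRM must answer on the collector before any source can subscribe.
if ($check.Ok) { Test-WSMan -ComputerName $check.Collector | Out-Null; "WinRM reachable on $($check.Collector)" }

# On a source, after gpupdate: the same check against what actually arrived.
Get-WefClientSubscriptionManager |
    ForEach-Object { Test-WefSubscriptionManagerValue -Value $_ } | Format-List
```

One caveat worth knowing when reading the `http` scheme in this lab's value: between domain members WS-Management authenticates with Kerberos and encrypts the message body at that layer, so port 5985 is not a plaintext channel. HTTPS on 5986 with an `IssuerCA=` thumbprint is the configuration for sources that are not domain joined and authenticate with certificates.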
Connect via Remote Desktop to the Domain Controller, DC01.
See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
Use "wecutil" to enable the Windows Event Collector service on the Domain Controller, DC01. Its quick-config (qc) verb enables the ForwardedEvents channel if it is disabled, sets the Windows Event Collector service to delayed automatic start and starts it; the /q switch answers the confirmation prompt. It is worth noting that wecutil and wevtutil are not PowerShell cmdlets but standard Windows command-line (CMD) utilities, which run unchanged from a PowerShell prompt.
wecutil qc /q
PS C:\Users\itadmin> wecutil qc /q
Windows Event Collector service was configured successfully.
PS C:\Users\itadmin>
We will now stop the wecsvc, uninstall any previously installed custom channel manifest, copy in the custom manifest and its DLL, and install the new manifest.
Use the "Net Stop" command line to stop the WEC service.
net stop wecsvc
PS C:\Users\itadmin> net stop wecsvc
The Windows Event Collector service is stopping.
The Windows Event Collector service was stopped successfully.
Using the wevtutil command-line utility with the "um" (uninstall-manifest) verb, remove any previously installed copy of the manifest. An error here is expected, as no manifest of that name has been installed yet.
wevtutil um C:\windows\system32\CustomEventChannels.man
PS C:\Users\itadmin> wevtutil um C:\windows\system32\CustomEventChannels.man
C:\windows\system32\CustomEventChannels.man(0): Error 0x800c0006: At column=0, The system cannot locate the object specified.
It is worth noting that the following are PowerShell commands again: "ls" and "cp" are PowerShell aliases for Get-ChildItem and Copy-Item.
Copy the Palantir manifest into System32. This copies two files, the manifest (.man) and the DLL it references for event message rendering. We use "ls" to list the source directory, "cp" to copy the two files, and "ls" again to confirm they arrived in the new location.
ls c:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\windows-event-channels\
cp C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\windows-event-channels\CustomEventChannels.* C:\windows\System32\
ls C:\windows\System32\CustomEventChannels.*
PS C:\Users\itadmin> ls c:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\windows-event-channels\
Directory: C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\windows-event-channels
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/20/2020 8:49 PM 21504 CustomEventChannels.dll
-a---- 9/20/2020 8:49 PM 19673 CustomEventChannels.man
-a---- 9/20/2020 8:49 PM 7001 README.md
PS C:\Users\itadmin> cp C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\windows-event-channels\CustomEventChannels.* C:\windows\System32\
PS C:\Users\itadmin> ls C:\windows\System32\CustomEventChannels.*
Directory: C:\windows\System32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/20/2020 8:49 PM 21504 CustomEventChannels.dll
-a---- 9/20/2020 8:49 PM 19673 CustomEventChannels.man
We will now use wevtutil with the "im" (install-manifest) verb to register the publishers and channels defined in the manifest with the Windows event log service. These channels are the destinations the subscriptions created later will write to.
wevtutil im C:\windows\system32\CustomEventChannels.man
This command takes a few seconds to complete. A successful result returns no output and no error.
Use the "Net Start" command line to start the WEC service.
net start wecsvc
PS C:\Users\itadmin> net start wecsvc
The Windows Event Collector service is starting.
The Windows Event Collector service was started successfully.
Before we can fully validate the imported manifest we need to finish the Event Forwarding configuration. It is possible at this point, however, to confirm that the manifest has been loaded and has created the new event channels that forwarded logs will be written to.
Get-WinEvent -ListLog WEC*
PS C:\Users\itadmin> Get-WinEvent -ListLog WEC*
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 1052672 0 WEC-Authentication
Circular 1052672 0 WEC-Code-Integrity
Circular 1052672 0 WEC-EMET
Circular 1052672 0 WEC-PowerShell
Circular 1052672 0 WEC-Process-Execution
Circular 1052672 0 WEC-Services
Circular 1052672 0 WEC-WMI
Circular 1052672 0 WEC16-Test
Circular 1052672 0 WEC2-Application-Crashes
Circular 1052672 0 WEC2-Applocker
Circular 1052672 0 WEC2-Group-Policy-Errors
Circular 1052672 0 WEC2-Object-Manipulation
Circular 1052672 0 WEC2-Registry
Circular 1052672 0 WEC2-Task-Scheduler
Circular 1052672 0 WEC2-Windows-Defender
Circular 1052672 0 WEC3-Account-Management
Circular 1052672 0 WEC3-Drivers
Circular 1052672 0 WEC3-External-Devices
Circular 1052672 0 WEC3-Firewall
Circular 1052672 0 WEC3-Print
Circular 1052672 0 WEC3-Smart-Card
Circular 1052672 0 WEC3-Windows-Diagnostics
Circular 1052672 0 WEC4-Bits-Client
Circular 1052672 0 WEC4-DNS
Circular 1052672 0 WEC4-Hotpatching-Errors
Circular 1052672 0 WEC4-Shares
Circular 1052672 0 WEC4-System-Time-Change
Circular 1052672 0 WEC4-Windows-Updates
Circular 1052672 0 WEC4-Wireless
Circular 1052672 0 WEC5-Autoruns
Circular 1052672 0 WEC5-Certificate-Authority
Circular 1052672 0 WEC5-Crypto-API
Circular 1052672 0 WEC5-Log-Deletion-Security
Circular 1052672 0 WEC5-Log-Deletion-System
Circular 1052672 0 WEC5-MSI-Packages
Circular 1052672 0 WEC5-Operating-System
Circular 1052672 0 WEC6-ADFS
Circular 1052672 0 WEC6-Device-Guard
Circular 1052672 0 WEC6-Duo-Security
Circular 1052672 0 WEC6-Exploit-Guard
Circular 1052672 0 WEC6-Microsoft-Office
Circular 1052672 0 WEC6-Software-Restriction-Pol
Circular 1052672 0 WEC6-Sysmon
Circular 1052672 0 WEC7-Active-Directory
Circular 1052672 0 WEC7-Privilege-Use
Circular 1052672 0 WEC7-Terminal-Services
In this section we will add the new WEC (Windows Event Collector) subscriptions. After the subscriptions are enabled, we will update the log maximum sizes, force the Domain Controller and workstation to accept new Group Policy changes, reboot and validate that the subscription feeds are working appropriately.
To install the WEC subscriptions, we first change directory into the wef-subscriptions folder of the Palantir WEF repository copy in the LabPack. We then run a foreach loop that executes wecutil "cs" (create-subscription) for each subscription XML file in that folder.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
cd C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\wef-subscriptions
ls
foreach ($file in (Get-ChildItem *.xml)) {wecutil cs $file}
PS C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\wef-subscriptions> ls
Directory: C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\wef-subscriptions
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/20/2020 8:49 PM 1471 Account-Lockout.xml
-a---- 9/20/2020 8:49 PM 6041 Account-Management.xml
-a---- 9/20/2020 8:49 PM 2953 Active-Directory.xml
-a---- 9/20/2020 8:49 PM 1577 ADFS.xml
-a---- 9/20/2020 8:49 PM 1588 Application-Crashes.xml
-a---- 9/20/2020 8:49 PM 1800 Applocker.xml
-a---- 9/20/2020 8:49 PM 3190 Authentication.xml
-a---- 9/20/2020 8:49 PM 1194 Autoruns.xml
-a---- 9/20/2020 8:49 PM 1334 Bits-Client.xml
-a---- 9/20/2020 8:49 PM 1480 Certificate-Authority.xml
-a---- 9/20/2020 8:49 PM 2067 Code-Integrity.xml
-a---- 9/20/2020 8:49 PM 1252 Device-Guard.xml
-a---- 9/20/2020 8:49 PM 2302 DNS.xml
-a---- 9/20/2020 8:49 PM 1704 Drivers.xml
-a---- 9/20/2020 8:49 PM 1228 Duo-Security.xml
-a---- 9/20/2020 8:49 PM 1442 EMET.xml
-a---- 9/20/2020 8:49 PM 1829 Event-Log-Diagnostics.xml
-a---- 9/20/2020 8:49 PM 1536 Explicit-Credentials.xml
-a---- 9/20/2020 8:49 PM 1783 Exploit-Guard-ASR.xml
-a---- 9/20/2020 8:49 PM 1651 Exploit-Guard-CFA.xml
-a---- 9/20/2020 8:49 PM 1879 Exploit-Guard-EP.xml
-a---- 9/20/2020 8:49 PM 1809 Exploit-Guard-NP.xml
-a---- 9/20/2020 8:49 PM 2529 External-Devices.xml
-a---- 9/20/2020 8:49 PM 4771 Firewall.xml
-a---- 9/20/2020 8:49 PM 1976 Group-Policy-Errors.xml
-a---- 9/20/2020 8:49 PM 1704 Kerberos.xml
-a---- 9/20/2020 8:49 PM 1336 Log-Deletion-Security.xml
-a---- 9/20/2020 8:49 PM 1323 Log-Deletion-System.xml
-a---- 9/20/2020 8:49 PM 1219 Microsoft-Office.xml
-a---- 9/20/2020 8:49 PM 2623 MSI-Packages.xml
-a---- 9/20/2020 8:49 PM 1676 NTLM.xml
-a---- 9/20/2020 8:49 PM 1856 Object-Manipulation.xml
-a---- 9/20/2020 8:49 PM 5366 Operating-System.xml
-a---- 9/20/2020 8:49 PM 1670 PowerShell.xml
-a---- 9/20/2020 8:49 PM 1329 Print.xml
-a---- 9/20/2020 8:49 PM 1547 Privilege-Use.xml
-a---- 9/20/2020 8:49 PM 1505 Process-Execution.xml
-a---- 9/20/2020 8:49 PM 4775 README.md
-a---- 9/20/2020 8:49 PM 1601 Registry.xml
-a---- 9/20/2020 8:49 PM 2282 Services.xml
-a---- 9/20/2020 8:49 PM 2304 Shares.xml
-a---- 9/20/2020 8:49 PM 1413 Smart-Card.xml
-a---- 9/20/2020 8:49 PM 1868 Software-Restriction-Policies.xml
-a---- 9/20/2020 8:49 PM 1228 Sysmon.xml
-a---- 9/20/2020 8:49 PM 1276 System-Time-Change.xml
-a---- 9/20/2020 8:49 PM 1842 Task-Scheduler.xml
-a---- 9/20/2020 8:49 PM 3469 Terminal-Services.xml
-a---- 9/20/2020 8:49 PM 1588 Windows-Defender.xml
-a---- 9/20/2020 8:49 PM 1388 Windows-Diagnostics.xml
-a---- 9/20/2020 8:49 PM 1674 Windows-Updates.xml
-a---- 9/20/2020 8:49 PM 1459 Wireless.xml
-a---- 9/20/2020 8:49 PM 1627 WMI.xml
PS C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\wef-subscriptions> foreach ($file in (Get-ChildItem *.xml)) {wecutil cs $file}
PS C:\LABS\LabPack\LABPACK-master\Lab-WEF-Palantir\wef-subscriptions>
Note that the "foreach" wecutil loop does not return a response upon successful completion.
We will now resize the log channels to a size appropriate for the increased log volume that forwarding brings.
We will use the wevtutil "gl" (get-log) verb to read a channel's configuration. Note the maximum size of the log; here we query the "WEC3-Print" channel as a sample.
Wevtutil gl WEC3-PRINT
PS C:\Users\itadmin> Wevtutil gl WEC3-PRINT
name: WEC3-PRINT
enabled: true
type: Operational
owningPublisher: WEC3
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\WEC3-PRINT.evtx
retention: false
autoBackup: false
maxSize: 1052672
publishing:
fileMax: 1
PS C:\Users\itadmin>
Note the "maxSize" value.
We will use the wevtutil "sl" (set-log) verb in a foreach loop to increase the maximum size of every WEC channel. "wevtutil el" enumerates all log names; the pattern is anchored so that only channels whose names begin with WEC are changed.
foreach ($log in (wevtutil el | Select-String -Pattern '^WEC')) { wevtutil sl $log.Line /ms:4194304 }
Note that successful completion of this returns no error messages.
Using the wevtutil "gl" verb again, re-read the same "WEC3-Print" channel and check that its maximum size has changed.
Wevtutil gl WEC3-PRINT
PS C:\Users\itadmin> Wevtutil gl WEC3-PRINT
name: WEC3-PRINT
enabled: true
type: Operational
owningPublisher: WEC3
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\WEC3-PRINT.evtx
retention: false
autoBackup: false
maxSize: 4194304
publishing:
fileMax: 1
Note the updated maxSize value.
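Checking a single channel by hand, as above, confirms the loop ran but not that it reached every channel, and nothing so far has confirmed that the providers installed from the manifest can find their message DLL. The following is an added example, not part of the lab: it audits both results of the preceding steps, the manifest install and the resize loop, from PowerShell's own event log API. For each WEC* provider it resolves the message file the manifest bound and checks it exists (events still land without it, but render with no description text); for each WEC* channel it checks that the channel is enabled and at least the target size, and re-applies the lab's wevtutil sl command to any that is not. The 4 MB target is the lab's value, the script assumes an elevated PowerShell on the collector, and the function names are this example's own.

```powershell
# Added example, not part of the lab: audit what the manifest install and the
# resize loop produced. Assumptions: elevated PowerShell on the collector
# (dc01), the 4 MB target from the lab, function names of this example's own.

$TargetBytes = 4MB   # 4194304, the value the lab's wevtutil sl loop applies

function Get-WecProviderHealth {
    # One row per WEC* publisher registered by the manifest.
    foreach ($p in (Get-WinEvent -ListProvider 'WEC*' -ErrorAction SilentlyContinue)) {
        # MessageFilePath is the DLL the manifest bound for rendering event text.
        $dll = $(if ($p.MessageFilePath) { [Environment]::ExpandEnvironmentVariables($p.MessageFilePath) })
        [pscustomobject]@{
            Provider      = $p.Name
            MessageFile   = $dll
            MessageFileOk = [bool]($dll -and (Test-Path -LiteralPath $dll))
            Channels      = (@($p.LogLinks | ForEach-Object { $_.LogName }) -join ', ')
        }
    }
}

function Get-WecChannelHealth {
    # One row per WEC* channel, flagging disabled or undersized ones.
    param([long]$MinimumBytes = $TargetBytes)
    foreach ($log in (Get-WinEvent -ListLog 'WEC*' -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Channel  = $log.LogName
            Enabled  = $log.IsEnabled
            MaxBytes = $log.MaximumSizeInBytes
            SizeOk   = ($log.MaximumSizeInBytes -ge $MinimumBytes)
            Records  = $log.RecordCount
            File     = $log.LogFilePath
        }
    }
}

# Only failures are printed; no rows means both checks passed.
Get-WecProviderHealth | Where-Object { -not $_.MessageFileOk } | Format-Table -AutoSize
Get-WecChannelHealth  | Where-Object { -not ($_.Enabled -and $_.SizeOk) } | Format-Table -AutoSize

# Remediate undersized channels with the same verb the lab uses.
Get-WecChannelHealth | Where-Object { -not $_.SizeOk } | ForEach-Object {
    wevtutil sl $_.Channel "/ms:$TargetBytes"
}
```

A practitioner should treat 4 MB as a lab value only: on a collector receiving process-creation or PowerShell events from more than a handful of sources a circular 4 MB channel wraps within minutes, so size the busiest channels (Process-Execution, PowerShell, Authentication) in the hundreds of megabytes or more and make sure the Logstash or Winlogbeat shipper drains them faster than they fill.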
It is now necessary to run gpupdate /force on both the Domain Controller and the workstation, followed by a reboot of each, so that the Windows Event Forwarding and Collector services pick up the new policy and subscriptions.
From the Domain Controller, run the following PowerShell commands to apply the new Group Policy settings and reboot.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
gpupdate /force
Restart-Computer
PS C:\Users\itadmin> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\Users\itadmin> Restart-Computer
This will update the Group Policy cache and Restart the Domain Controller.
After approximately one minute, on the member host WS01, open PowerShell and run the following commands to apply the new Group Policy settings and reboot.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
gpupdate /force
Restart-Computer
PS C:\Users\itadmin> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\Users\itadmin> Restart-Computer
This will update the Group Policy cache and Restart the Member Server.
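After both reboots the lab promises to validate that the subscription feeds are working, and the place that shows it is the collector's own runtime status. The following is an added example, not part of the lab: run on the collector (dc01), it wraps wecutil's "es" (enumerate subscriptions) and "gr" (get runtime status) verbs, parses their text output into objects, and reports which subscriptions have no source yet, which sources reported but are not Active, and which WEC* channels have started receiving events. The output layout assumed for "wecutil gr" (a "Subscription:" header, "RunTimeStatus:" and "LastError:" lines, then an "EventSources:" section with one bare host line per source followed by that source's own RunTimeStatus, LastError and LastHeartbeatTime lines) is what current Windows builds print; the function names are this example's own.

```powershell
# Added example, not part of the lab: per-subscription, per-source status on the
# collector after the GPO has applied. Assumptions: elevated PowerShell on
# dc01; the "wecutil gr" text layout described in the lead-in; function names
# of this example's own.

function Get-WecSubscriptionRuntime {
    foreach ($name in (wecutil es | Where-Object { $_.Trim() })) {
        $subStatus = $null; $subError = $null
        $sources   = New-Object System.Collections.Generic.List[object]
        $inSources = $false   # true once the EventSources: header has been seen
        $current   = $null    # the source block currently being filled in

        foreach ($line in (wecutil gr $name 2>&1)) {
            $t = "$line".Trim()
            if ($t -eq '' -or $t -like 'Subscription:*') { continue }
            if ($t -like 'EventSources:*') { $inSources = $true; continue }
            if ($t -match '^RunTimeStatus:\s*(.+)$') {
                if ($current) { $current.Status = $Matches[1] } else { $subStatus = $Matches[1] }
            }
            elseif ($t -match '^LastError:\s*(.+)$') {
                if ($current) { $current.LastError = $Matches[1] } else { $subError = $Matches[1] }
            }
            elseif ($t -match '^LastHeartbeatTime:\s*(.+)$') {
                if ($current) { $current.LastHeartbeat = $Matches[1] }
            }
            elseif ($inSources -and $t -notmatch ':') {
                # A bare line under EventSources is a source host; start its block.
                $current = [pscustomobject]@{ Host = $t; Status = $null; LastError = $null; LastHeartbeat = $null }
                $sources.Add($current)
            }
        }
        [pscustomobject]@{
            Subscription = $name
            Status       = $subStatus
            LastError    = $subError
            Sources      = $sources.ToArray()
        }
    }
}

$runtime = Get-WecSubscriptionRuntime

# No source listed at all: nothing has refreshed yet. Wait one Refresh interval
# (60 s in this lab's GPO) and re-run before treating this as a failure.
$runtime | Where-Object { $_.Sources.Count -eq 0 } |
    Select-Object Subscription, Status | Format-Table -AutoSize

# Sources that reported but are not Active: read LastError, fix the cause, then
# retry the subscription with "wecutil rs <subscription>".
$runtime | ForEach-Object {
    $sub = $_.Subscription
    $_.Sources | Where-Object { $_.Status -ne 'Active' } |
        Select-Object @{ n = 'Subscription'; e = { $sub } }, Host, Status, LastError, LastHeartbeat
} | Format-Table -AutoSize

# Channels that have received at least one forwarded event.
Get-WinEvent -ListLog 'WEC*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object LogName, RecordCount | Format-Table -AutoSize
```

Two failure modes to keep in mind when reading the result. A source that appears under a subscription but never goes Active has usually authenticated (its machine account reached the collector over WinRM) but cannot read the log the subscription asks for; the Security log in particular requires the source's NETWORK SERVICE account to have read access, normally by membership of the local Event Log Readers group or an equivalent channel access policy. A subscription with no sources at all, after the refresh interval has passed, points back at the GPO: the SubscriptionManager value, the WinRM listener on the collector, or policy not having applied on the source.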