RE: local security policy
From: Kolde, Jennifer E. (jkolde@nosc.mil)
Date: 07/19/02
From: "Kolde, Jennifer E." <jkolde@nosc.mil>
To: "'C.B.'" <scdealy@debris.ca>, "'Smith, Ricky D.'" <RICKY.D.SMITH@saic.com>
Date: Fri, 19 Jul 2002 10:30:50 -0700
Hello C.B.,
"Administrative Templates" are part of Group Policy (whether configured
through a Windows domain or through the Local Group Policy Object (LGPO -
access this via Start -> Run -> gpedit.msc)). The settings defined in
Administrative Templates are not defined/exposed in the templates available
through the Security Templates. (The templates are equivalent to the
Computer Configuration -> Windows Settings -> Security Settings portion of
Group Policy.)
In short, the Security Templates and Security Configuration and Analysis
only expose a small subset of everything you can configure through Group
Policy.
There are a couple of things you can try to export your Administrative
Templates settings:
1. If you have a Win2K domain, configure those settings as part of your
domain Group Policy and they will be automatically applied to domain
members.
2. Administrative Templates settings are defined in the following files:
- system.adm
- inetres.adm
- conf.adm
When you configure the Administrative Templates through the Group Policy
Editor GUI, the changes are saved as registry.pol and saved in
\winnt\system32\GroupPolicy\Machine (for the LGPO) or in the \winnt\SYSVOL\
folder structure for domain policies. Registry.pol contains all the
registry-related changes made to your GPO.
You may be able to simply copy registry.pol between systems in order to
apply the Administrative Templates changes (have not tried it, YMMV).
3. You can manually edit the template *.inf files to add settings that are
not part of the default templates. See KB article Q214752 for how to do
this.
Hope this helps.
Regards,
Jennifer Kolde
-----Original Message-----
From: C.B. [mailto:scdealy@debris.ca]
Sent: Thursday, July 18, 2002 4:10 PM
To: 'Smith, Ricky D.'
Cc: ssgill@gilltechnologies.com; focus-ms@securityfocus.com
Subject: RE: local security policy
Hi Rick,
Yes I am using the security config and analysis snap-in to create the
template. I still can't figure out why all of the security settings that
I define in the local computer policy's administrative templates aren't
included in my exported template.
Right now the only way that I know how to get those settings applied to
my windows servers is to track every registry entry that I change
through those administrative templates. Then I can either modify the
registry directly through a batch file or maybe add them to the security
configuration editor (as described in MS KB article Q214752), and then
create the template.
This whole approach seems like way too much work. Anybody have better
ideas for me?
Thanks,
CB
-----Original Message-----
From: Smith, Ricky D. [mailto:RICKY.D.SMITH@saic.com]
Sent: Thursday, July 18, 2002 5:01 AM
To: 'ssgill@gilltechnologies.com'; C.B.; focus-ms@securityfocus.com
Subject: RE: local security policy
C.B.
Are you sure you're exporting a security template using the Security
Configuration and Analysis snap-in?
I thought the Security Template snap-in was used to create or edit the
templates. The SCA or secedit.exe was used to apply the template to a
specific machine.
-- --
Rick Smith
MCSE+I, MCSE (Win2K), GCWN
-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill@gilltechnologies.com]
Sent: Friday, July 05, 2002 1352
To: C.B.; focus-ms@securityfocus.com
Subject: RE: local security policy
Hi C.B.
Could it be that a default policy on the target computer (the one you
are applying the exported policy to) is overwriting your imported changes?
Kind Regards
Gill
-----Original Message-----
From: C.B. [mailto:scdealy@debris.ca]
Sent: Friday, July 05, 2002 10:26 AM
To: focus-ms@securityfocus.com
Subject: local security policy
Hi all,
I'm trying to automate the configuration of security settings on new w2k
server installs. The servers will all be standalone servers. Part of my
plan is to have settings defined in the local security policy be applied
from a script.
I can export local security policy settings by using the security
configuration and analysis snap-in. Then I can use secedit to apply
that exported template to new servers in post-installation scripts.
The problem I'm having is that I don't know why any changes made in the
"administrative templates" don't seem to be included in the exported
template. When I apply this template to the new server all of those
settings are "not defined".
Are those security settings exported/saved/applied a different way than
the rest of the local security policy settings?
Any help would be appreciated.
Thanks,
CB