RE: security policy 'not specified' option

From: Alexander Suhovey (
Date: 10/21/05

  • Next message: Cristian Brolin: "Change Password"
    To: "'matthew patton'" <>, <>
    Date: Fri, 21 Oct 2005 12:51:02 +0400

    > -----Original Message-----
    > From: matthew patton []
    > Sent: Friday, October 21, 2005 12:57 AM
    > To:
    > Subject: security policy 'not specified' option
    > Some time back I used a security policy editor that had 3 options:
    > enabled, disabled, and 'unset'. By not setting it either way, the
    > machine inherited the domain settings.

    Actually, group policy precedence works opposite way. The principle called
    LSDOU which stands for "Local > Site > Domain-wide > OU" [1]. Domain
    policies have higher priority since they are applied later. So if particular
    policy is defined on any of domain levels it will take precedence over local
    policy. On that note, you don't _have_ to configure local policies on domain
    computers since you could always use domain policies which are much easier
    to manage.

    > Unfortunately the standard
    > system policy editors shipped with 2K/2K3/XP don't appear to have that
    > 3rd option which means now I've got all kinds of machine running with
    > who knows what setting and ignoring the domain policy. And once you've
    > selected en/disabled via the radio box, there isn't a way to unset it.
    > How do I dig myself out of this?

    For this you can use Security Templates MMC snap-in to create a policy
    template (inf file). You can also export current policy using secedit.exe
    command line tool. Then distribute it to your client computers. You can:
    - import template using secpol.msc MMC snap-in
    - apply template using Security Configuration and Analysis snap-in
    - apply template using secedit.exe

    For more information on this please refer to built-in Windows help [2].

    References (watch for line wraps):

    [1] "Windows 2000 Security Policies Overview"

    [2]"Automating security configuration tasks"
    Start > Run > hh.exe


  • Next message: Cristian Brolin: "Change Password"

    Relevant Pages

    • Re: IPSEC Policy to secure TS
      ... >"How to Create and Enable IPSec Policy to Secure ... >After the IP Security Policy Wizard starts, ... >2) the client policy is rather broad and might need ...
    • Re: IPSEC Policy to secure TS
      ... "How to Create and Enable IPSec Policy to Secure Terminal Services ... After the IP Security Policy Wizard starts, ... Click to expand Security Settings in the left pane, right-click the Client ...
    • Re: security template file import
      ... DC's sysvol whenever policy propagation occurs on the client. ... where there is a duplicate service in the template. ... GPO where the template is coming from. ... Winlogon.log records what the security policy extension to the group policy ...
    • Re: Limit number of login attemps on Windows server 2003 - where to set this up?
      ... An example change which you would make using the DC Security Policy and not ... and the Domain Controller Security Policy only applies to Domain ... > server exists to serve the clients, so what would you change on the DC, ...
    • Re: [fw-wiz] Security and Audit Policy
      ... Enabling firewall rules without a solid security policy and management ... nameserver (I don't like clients resolving directly in any circumstance.) ...