RE: security policy 'not specified' option
From: Alexander Suhovey (asuhovey_at_mtu-net.ru)
Date: 10/21/05
- Previous message: Slawek: "Re: security policy 'not specified' option"
- In reply to: matthew patton: "security policy 'not specified' option"
- Next in thread: Thor (Hammer of God): "Re: security policy 'not specified' option"
- Reply: Thor (Hammer of God): "Re: security policy 'not specified' option"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'matthew patton'" <pattonme@yahoo.com>, <focus-ms@securityfocus.com> Date: Fri, 21 Oct 2005 12:51:02 +0400
> -----Original Message-----
> From: matthew patton [mailto:pattonme@yahoo.com]
> Sent: Friday, October 21, 2005 12:57 AM
> To: focus-ms@securityfocus.com
> Subject: security policy 'not specified' option
>
> Some time back I used a security policy editor that had 3 options:
> enabled, disabled, and 'unset'. By not setting it either way, the
> machine inherited the domain settings.
Actually, group policy precedence works opposite way. The principle called
LSDOU which stands for "Local > Site > Domain-wide > OU" [1]. Domain
policies have higher priority since they are applied later. So if particular
policy is defined on any of domain levels it will take precedence over local
policy. On that note, you don't _have_ to configure local policies on domain
computers since you could always use domain policies which are much easier
to manage.
> Unfortunately the standard
> system policy editors shipped with 2K/2K3/XP don't appear to have that
> 3rd option which means now I've got all kinds of machine running with
> who knows what setting and ignoring the domain policy. And once you've
> selected en/disabled via the radio box, there isn't a way to unset it.
> How do I dig myself out of this?
For this you can use Security Templates MMC snap-in to create a policy
template (inf file). You can also export current policy using secedit.exe
command line tool. Then distribute it to your client computers. You can:
- import template using secpol.msc MMC snap-in
- apply template using Security Configuration and Analysis snap-in
- apply template using secedit.exe
For more information on this please refer to built-in Windows help [2].
References (watch for line wraps):
[1] "Windows 2000 Security Policies Overview"
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/win2
kpol/w2kadm02.mspx
[2]"Automating security configuration tasks"
Start > Run > hh.exe
ms-its:%windr%\Help\secedit.chm::/sag_SECedittopnode.htm
-- Al --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Slawek: "Re: security policy 'not specified' option"
- In reply to: matthew patton: "security policy 'not specified' option"
- Next in thread: Thor (Hammer of God): "Re: security policy 'not specified' option"
- Reply: Thor (Hammer of God): "Re: security policy 'not specified' option"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
