RE: security policy 'not specified' option
From: Derick Anderson (danderson_at_vikus.com)
Date: 10/21/05
- Previous message: AlonsoII: "Account Lockout Policy"
- Maybe in reply to: matthew patton: "security policy 'not specified' option"
- Next in thread: Laura A. Robinson: "RE: security policy 'not specified' option"
- Reply: Laura A. Robinson: "RE: security policy 'not specified' option"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Oct 2005 07:57:31 -0400 To: "matthew patton" <pattonme@yahoo.com>, <focus-ms@securityfocus.com>
> -----Original Message-----
> From: matthew patton [mailto:pattonme@yahoo.com]
> Sent: Thursday, October 20, 2005 4:57 PM
> To: focus-ms@securityfocus.com
> Subject: security policy 'not specified' option
>
> Some time back I used a security policy editor that had 3 options:
> enabled, disabled, and 'unset'. By not setting it either way,
> the machine inherited the domain settings. Unfortunately the
> standard system policy editors shipped with 2K/2K3/XP don't
> appear to have that 3rd option which means now I've got all
> kinds of machine running with who knows what setting and
> ignoring the domain policy. And once you've selected
> en/disabled via the radio box, there isn't a way to unset it.
> How do I dig myself out of this?
>
> I probably can play Registry Magic and accomplish what I need
> but I could have sworn I had a tool that would let me do what
> I used to be able to do.
>
> any ideas?
>
I use Microsoft's Group Policy Management Console (GPMC) so I can't
verify my recollection on the standard Windows 2003 Group Policy editor,
but as I recall, there are usually three options: "enabled", "disabled",
and "not defined". When you choose "not defined", the local security
policy looks up the Group Policy chain by default (you can change it) in
the following order:
1. Enforced Policies from top-level down
2. Local OU GPOs
3. Parent OU GPOs from the bottom-level up
4. Microsoft defaults
By default, the Resultant Set of Policy (RSoP) for the domain is applied
to the local computer. I don't know if you can turn this off (and why?)
but by default it works. I would advise getting the GPMC as it makes the
whole Group Policy process easier to understand and implement.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4
b35-9272-dd3cbfc81887&DisplayLang=en
If you think that the machines aren't getting the group policy (and they
are Windows XP/2003-based) you can run gpupdate /force to apply the
domain group policy and then check the event log to see if there were
any errors. Also you should run netdiag and dcdiag on your domain
controllers to make sure things are working happily.
As a test, set the Computer Configuration -> Windows Settings ->
Security Settings -> Local Policies/Security Options -> Interactive
Logon: "Message text for users attempting to log on" to something and
then see if your domain computers start displaying the message.
Derick Anderson
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: AlonsoII: "Account Lockout Policy"
- Maybe in reply to: matthew patton: "security policy 'not specified' option"
- Next in thread: Laura A. Robinson: "RE: security policy 'not specified' option"
- Reply: Laura A. Robinson: "RE: security policy 'not specified' option"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
