Re: Local Security Policy on domain controller?

From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 04/29/03


Date: Tue, 29 Apr 2003 11:30:47 -0700


It's so close to affecting the local policy that I probably shouldn't have
brought it up and my wording should have been different. In the long run,
it will affect local security policy, just not immediately.

SCA configures the settings from a security template directly on the system.
It doesn't touch local policy. If you configure using SCA, you'll actually
see a discrepancy between the current system settings and what local policy
reflects. That doesn't last forever though. At the next policy refresh,
the local policy will detect this change and import what you configured into
local policy. After that point you won't see a discrepancy. If your local
security database is corrupt though, your settings won't be updated in local
policy and local policy won't apply to the system when policy refreshes.
SCA would still work because it sets settings directly on the machine.

The processing of the local security policy was changed on WinXP just
because of this issue.

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
news:#sqrdQkDDHA.2384@TK2MSFTNGP12.phx.gbl...
> What?  This paragraph from Win2k Help seems to suggest that affecting local
> policy is precisely what SCA does.
>
> "This tool can also be used to directly configure local system security.
> Through its use of personal databases, you can import security templates
> created with the Security Templates snap-in, and apply these templates to
> the Group Policy object for the local computer. This immediately configures
> the system security with the levels specified in the template."
>
> What am I missing?
>
>
> The secedit.sdb integrity checks out fine.
>
>
>
>
>
> "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> news:%233NXLNfDDHA.2100@TK2MSFTNGP11.phx.gbl...
>
> > The Security Configuration and Analysis tool configures the settings in the
> > security template directly to the computer you run it on.  It doesn't affect
> > Local or Domain policies.
> >
> > The first is correct behavior.  Run "esentutl /g
> > %windir%\security\database\secedit.sdb" to see if your local security policy
> > DB is corrupt.  If it is, this KB has some instructions on fixing it.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;278316
> >
> > N
> >
> > -- 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Any included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
> > news:Op6J1lcDDHA.2892@TK2MSFTNGP11.phx.gbl...
> > > I have two domain controllers.  On one I can run the Local Security Policy
> > > program fine. On the other when I select Local Policies / Security Options
> > > it comes back with the message
> > >
> > > Windows cannot open the local policy database.
> > >
> > > The database you are attempting to open does not exist.
> > >
> > > Which is the correct behavior?  If your answer is the second because the
> > > Domain Controller Security Policy tool should be used on a DC anyway, then I
> > > have another question.  What is really happening when you use the Security
> > > Configuration and Analysis tool to "configure" the security settings on a
> > > domain controller?  Are you really setting the DC Security Policy?  The way
> > > I understand things all that really is is a GPO that's applied to the DC OU,
> > > so there's nothing really magical about it.
> > >
> > >
> >
> >
>
>
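
The discrepancy described in this thread, between a template applied with SCA and what local policy reflects before the next refresh, can be checked offline by comparing two security-template INF files. This is an added example, not part of the original posts: both INF texts are constructed samples (the second stands in for an export of local policy, for example one written by `secedit /export /cfg`), and the function names are hypothetical.

```python
TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""  # constructed sample: the template configured on the machine with SCA

POLICY_EXPORT = r"""
[System Access]
MinimumPasswordLength = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"""  # constructed sample: what local policy still holds before the refresh

LIST_SECTIONS = {"privilege rights"}  # values are unordered account/SID lists


def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)        # values may contain commas
            current[key.strip().lower()] = value.strip()
    return sections


def normalise(section, value):
    """Make list-valued settings order-insensitive; leave others as text."""
    if section in LIST_SECTIONS:
        return frozenset(v.strip().lower() for v in value.split(",") if v.strip())
    return value


def drift(template_text, policy_text):
    """Return (section, key, template_value, policy_value) for each mismatch."""
    template, policy = parse_inf(template_text), parse_inf(policy_text)
    found = []
    for section, settings in template.items():
        for key, want in settings.items():
            have = policy.get(section, {}).get(key)  # None: absent from policy
            if have is None or normalise(section, want) != normalise(section, have):
                found.append((section, key, want, have))
    return sorted(found, key=lambda row: row[:2])
```

Calling `drift(TEMPLATE, POLICY_EXPORT)` reports the password-length and LmCompatibilityLevel settings but not the reordered SeBackupPrivilege list. Files written by secedit are typically UTF-16, so decode them before passing the text in.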

