Re: Local Security Policy on domain controller?

From: Daniel Billingsley (dbillingsley_at_NO.durcon.SPAAMM.com)
Date: 04/29/03


Date: Tue, 29 Apr 2003 16:18:21 -0400


Ah, so the Help is a little misleading, but from a pragmatic point of view
it's not a terribly big deal.

"Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
news:eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl...
> It's so close to affecting the local policy that I probably shouldn't have
> brought it up and my wording should have been different. In the long run,
> it will affect local security policy, just not immediately.
>
> SCA configures the settings from a security template directly on the system.
> It doesn't touch local policy. If you configure using SCA, you'll actually
> see a discrepancy between the current system settings and what local policy
> reflects. That doesn't last forever though. At the next policy refresh,
> the local policy will detect this change and import what you configured into
> local policy. After that point you won't see a discrepancy. If your local
> security database is corrupt though, your settings won't be updated in local
> policy and local policy won't apply to the system when policy refreshes.
> SCA would still work because it sets settings directly on the machine.
>
> The processing of the local security policy was changed on WinXP just
> because of this issue.
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
> news:#sqrdQkDDHA.2384@TK2MSFTNGP12.phx.gbl...
> > What? This paragraph from Win2k Help seems to suggest that affecting local
> > policy is precisely what SCA does.
> >
> > "This tool can also be used to directly configure local system security.
> > Through its use of personal databases, you can import security templates
> > created with the Security Templates snap-in, and apply these templates to
> > the Group Policy object for the local computer. This immediately configures
> > the system security with the levels specified in the template."
> >
> > What am I missing?
> >
> >
> > The secedit.sdb integrity checks out fine.
> >
> >
> >
> >
> >
> > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > news:%233NXLNfDDHA.2100@TK2MSFTNGP11.phx.gbl...
> >
> > > The Security Configuration and Analysis tool configures the settings in the
> > > security template directly to the computer you run it on. It doesn't affect
> > > Local or Domain policies.
> > >
> > > The first is correct behavior. Run "esentutl /g
> > > %windir%\security\database\secedit.sdb" to see if your local security policy
> > > DB is corrupt. If it is, this KB has some instructions on fixing it.
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;278316
> > >
> > > N
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Any included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > >
> > > "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
> > > news:Op6J1lcDDHA.2892@TK2MSFTNGP11.phx.gbl...
> > > > I have two domain controllers. On one I can run the Local Security Policy
> > > > program fine. On the other when I select Local Policies / Security Options
> > > > it comes back with the message
> > > >
> > > > Windows cannot open the local policy database.
> > > >
> > > > The database you are attempting to open does not exist.
> > > >
> > > > Which is the correct behavior? If your answer is the second because the
> > > > Domain Controller Security Policy tool should be used on a DC anyway, then I
> > > > have another question. What is really happening when you use the Security
> > > > Configuration and Analysis tool to "configure" the security settings on a
> > > > domain controller? Are you really setting the DC Security Policy? The way
> > > > I understand things all that really is is a GPO that's applied to the DC OU,
> > > > so there's nothing really magical about it.
> > > >
> > > >
> > >
> > >
> >
> >
>
>


