Re: Local Security Policy on domain controller?

From: B. Goodman (no_at_spam.org)
Date: 04/30/03 

Date: Wed, 30 Apr 2003 11:33:54 -0400

In article <eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl>,
nfinco@online.microsoft.com says...
> It's so close to affecting the local policy that I probably shouldn't have
> brought it up and my wording should have been different. In the long run,
> it will affect local security policy, just not immediately.
>
> SCA configures the settings from a security template directly on the system.
> It doesn't touch local policy. If you configure using SCA, you'll actually
> see a discrepency between the current system settings and what local policy
> reflects. That doesn't last forever though. At the next policy refresh,
> the local policy will detect this change and import what you configured into
> local policy. After that point you won't see a discrepency. If your local
> security database is corrupt though, your settings won't be updated in local
> policy and local policy won't apply to the system when policy refreshes.
> SCA would still work because it sets settings directly on the machine.
>
> The processing of the local security policy was changed on WinXP just
> because of this issue.
>
> N
>
>
Nick,

Do you have any reference material that explains these things in depth?
We have been trying to work with the SCA Tool and Secedit to configure
Win 2K Pro machines, but sometimes the behavior of these tools seems
"flaky". Some changes seemed to only apply after multiple reboots while
others seemed to take effect sooner.

In addition to the .sdb files and .inf files, do the log files (.log)
come into play? Do any of the log files temporarily "hold" security
configuration changes (like a database log might "hold" changes until
committed to the database)?

I'm trying to expand my layman's knowledge of these tools, so I would
very much appreciate your expertise!

Regards,

B. Goodman

Relevant Pages

  • Re: local security policy in a 2003 Domain
    ... When settings are disabled like that in local policy, ... If I go in the local security policy,> security ...
    (microsoft.public.security)
  • Re: Local Policy reverting back to old settings
    ... knowing that this would revert back. ... puts the original local settings back into play. ... We do a scripted install, then apply and local policy settings, and put ... the machines to follow do not have the problem. ...
    (microsoft.public.windows.group_policy)
  • Re: Local Policy reverting back to old settings
    ... Have also made the changes via gpedit thinking that this would change the policy, but after the password change, not expired, it reverts back to the original settings, it definately relates to the password change, so it seems that every three months when that password chg GPO comes into play it also puts the original local settings back into play. ... We do a scripted install, then apply and local policy settings, and put software in place. ... I'm not sure if that will shed any light into what happens, other than those first machines revert back to that original policy they were born with. ...
    (microsoft.public.windows.group_policy)
  • Re: Local Policy reverting back to old settings
    ... reversions you have done get undone (or is it only if the password ... I notice that you are discussing two User policy settings, and also, ... Are you sure this is happening on machines where use of gpedit ... it seems that as soon as the user does this, the old local policy settings ...
    (microsoft.public.windows.group_policy)
  • Re: Possible Bad Question
    ... > question states that the Local Policy locks her out after 3 attempts ... > the DDC GPO, wouldn't the Domain policy OVERRIDE the Local policy? ... >> the DDC GPO settings not DD GPO settings. ...
    (microsoft.public.cert.exam.mcsa)