Re: Local Security Policy on domain controller?
From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: Wed, 30 Apr 2003 14:11:50 -0700
A google search for "security configuration templates" turns up a fair
number of links. Here are a few documents that might be helpful.
You are right. Some settings require a reboot and others don't.
Unfortunately, I don't believe that a comprehensive list detailing settings
which require a reboot has been created.
I assume you mean the *.log files in %windir%\security. Those are database
transaction logs like you determined.
-- This posting is provided "AS IS" with no warranties, and confers no rights. Any included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm "B. Goodman" <email@example.com> wrote in message news:MPG.firstname.lastname@example.org... > In article <eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl>, > email@example.com says... > > It's so close to affecting the local policy that I probably shouldn't have > > brought it up and my wording should have been different. In the long run, > > it will affect local security policy, just not immediately. > > > > SCA configures the settings from a security template directly on the system. > > It doesn't touch local policy. If you configure using SCA, you'll actually > > see a discrepency between the current system settings and what local policy > > reflects. That doesn't last forever though. At the next policy refresh, > > the local policy will detect this change and import what you configured into > > local policy. After that point you won't see a discrepency. If your local > > security database is corrupt though, your settings won't be updated in local > > policy and local policy won't apply to the system when policy refreshes. > > SCA would still work because it sets settings directly on the machine. > > > > The processing of the local security policy was changed on WinXP just > > because of this issue. > > > > N > > > > > Nick, > > Do you have any reference material that explains these things in depth? > We have been trying to work with the SCA Tool and Secedit to configure > Win 2K Pro machines, but sometimes the behavior of these tools seems > "flaky". Some changes seemed to only apply after multiple reboots while > others seemed to take effect sooner. > > In addition to the .sdb files and .inf files, do the log files (.log) > come into play? Do any of the log files temporarily "hold" security > configuration changes (like a database log might "hold" changes until > committed to the database)? > > I'm trying to expand my layman's knowledge of these tools, so I would > very much appreciate your expertise! > > Regards, > > > > B. Goodman