Re: Local Security Policy on domain controller?

From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 14:11:50 -0700


A Google search for "security configuration templates" turns up a fair
number of links. Here are a few documents that might be helpful.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/sag_scewhatis.asp
http://www.ists.dartmouth.edu/IRIA/knowledge_base/sectemplates/sectemplates.htm
http://nsa2.www.conxion.com/win2k/download.htm

You are right. Some settings require a reboot and others don't.
Unfortunately, I don't believe that a comprehensive list detailing settings
which require a reboot has been created.

I assume you mean the *.log files in %windir%\security. Those are database
transaction logs like you determined.

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"B. Goodman" <no@spam.org> wrote in message
news:MPG.1919b6ec99f2ef44989701@msnews.microsoft.com...
> In article <eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl>,
> nfinco@online.microsoft.com says...
> > It's so close to affecting the local policy that I probably shouldn't have
> > brought it up and my wording should have been different.  In the long run,
> > it will affect local security policy, just not immediately.
> >
> > SCA configures the settings from a security template directly on the system.
> > It doesn't touch local policy.  If you configure using SCA, you'll actually
> > see a discrepancy between the current system settings and what local policy
> > reflects.  That doesn't last forever though.  At the next policy refresh,
> > the local policy will detect this change and import what you configured into
> > local policy.  After that point you won't see a discrepancy.  If your local
> > security database is corrupt though, your settings won't be updated in local
> > policy and local policy won't apply to the system when policy refreshes.
> > SCA would still work because it sets settings directly on the machine.
> >
> > The processing of the local security policy was changed on WinXP just
> > because of this issue.
> >
> > N
> >
> >
> Nick,
>
> Do you have any reference material that explains these things in depth?
> We have been trying to work with the SCA Tool and Secedit to configure
> Win 2K Pro machines, but sometimes the behavior of these tools seems
> "flaky".  Some changes seemed to only apply after multiple reboots while
> others seemed to take effect sooner.
>
> In addition to the .sdb files and .inf files, do the log files (.log)
> come into play?  Do any of the log files temporarily "hold" security
> configuration changes (like a database log might "hold" changes until
> committed to the database)?
>
> I'm trying to expand my layman's knowledge of these tools, so I would
> very much appreciate your expertise!
>
> Regards,
>
>
>
> B. Goodman
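
The discrepancy described in the quoted reply, between what a template configured and what is reported afterwards, can be checked by comparing the template with an export of the settings in the same .inf format (for instance one written by `secedit /export`). The following is an added example, not part of the original thread; the sample data is constructed and the function names are hypothetical.

```python
# Added example (not from the thread): find settings where an export departs from a template.

# Constructed sample data in security-template .inf format
TEMPLATE = """[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
EXPORT = """[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""

def parse_inf(text):
    """Return {section: {key: value}} for security-template .inf text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def normalise(section, value):
    """Account lists in [Privilege Rights] are unordered; compare them sorted."""
    if section == "Privilege Rights":
        return sorted(v.strip().lower() for v in value.split(","))
    return value.lower()

def drift(template_text, export_text):
    """List (section, key, expected, actual) where the export departs from the template."""
    want, have = parse_inf(template_text), parse_inf(export_text)
    findings = []
    for section, settings in want.items():
        for key, expected in settings.items():
            actual = have.get(section, {}).get(key)
            if actual is None or normalise(section, actual) != normalise(section, expected):
                findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    for finding in drift(TEMPLATE, EXPORT):
        print(finding)
```

Files written by secedit are typically Unicode (UTF-16), so decode them accordingly before passing the text in.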

