Re: Local Security Policy on domain controller?

From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 14:11:50 -0700


A Google search for "security configuration templates" turns up a fair
number of links. Here are a few documents that might be helpful.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/sag_scewhatis.asp
http://www.ists.dartmouth.edu/IRIA/knowledge_base/sectemplates/sectemplates.htm
http://nsa2.www.conxion.com/win2k/download.htm

You are right. Some settings require a reboot and others don't.
Unfortunately, I don't believe that a comprehensive list detailing settings
which require a reboot has been created.

I assume you mean the *.log files in %windir%\security. Those are database
transaction logs like you determined.

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"B. Goodman" <no@spam.org> wrote in message
news:MPG.1919b6ec99f2ef44989701@msnews.microsoft.com...
> In article <eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl>,
> nfinco@online.microsoft.com says...
> > It's so close to affecting the local policy that I probably shouldn't
> > have brought it up and my wording should have been different.  In the
> > long run, it will affect local security policy, just not immediately.
> >
> > SCA configures the settings from a security template directly on the
> > system.  It doesn't touch local policy.  If you configure using SCA,
> > you'll actually see a discrepancy between the current system settings
> > and what local policy reflects.  That doesn't last forever though.  At
> > the next policy refresh, the local policy will detect this change and
> > import what you configured into local policy.  After that point you
> > won't see a discrepancy.  If your local security database is corrupt
> > though, your settings won't be updated in local policy and local policy
> > won't apply to the system when policy refreshes.  SCA would still work
> > because it sets settings directly on the machine.
> >
> > The processing of the local security policy was changed on WinXP just
> > because of this issue.
> >
> > N
> >
> >
> Nick,
>
> Do you have any reference material that explains these things in depth?
> We have been trying to work with the SCA Tool and Secedit to configure
> Win 2K Pro machines, but sometimes the behavior of these tools seems
> "flaky".  Some changes seemed to only apply after multiple reboots while
> others seemed to take effect sooner.
>
> In addition to the .sdb files and .inf files, do the log files (.log)
> come into play?  Do any of the log files temporarily "hold" security
> configuration changes (like a database log might "hold" changes until
> committed to the database)?
>
> I'm trying to expand my layman's knowledge of these tools, so I would
> very much appreciate your expertise!
>
> Regards,
>
>
>
> B. Goodman