Re: Local Security Policy on domain controller?

From: Nick Finco [MSFT] (
Date: 04/30/03

Date: Wed, 30 Apr 2003 14:11:50 -0700

A Google search for "security configuration templates" turns up a fair
number of links. Here are a few documents that might be helpful.

You are right. Some settings require a reboot and others don't.
Unfortunately, I don't believe that a comprehensive list detailing settings
which require a reboot has been created.

I assume you mean the *.log files in %windir%\security. Those are database
transaction logs like you determined.


This posting is provided "AS IS" with no warranties, and confers no rights.
Any included script samples are subject to the terms specified at

"B. Goodman" <> wrote in message
> In article <eF4711nDDHA.2288@TK2MSFTNGP12.phx.gbl>,
> says...
> > It's so close to affecting the local policy that I probably shouldn't
> > brought it up and my wording should have been different.  In the long
> > it will affect local security policy, just not immediately.
> >
> > SCA configures the settings from a security template directly on the
> > It doesn't touch local policy.  If you configure using SCA, you'll
> > see a discrepancy between the current system settings and what local
> > reflects.  That doesn't last forever though.  At the next policy
> > the local policy will detect this change and import what you configured
> > local policy.  After that point you won't see a discrepancy.  If your
> > security database is corrupt though, your settings won't be updated in
> > policy and local policy won't apply to the system when policy refreshes.
> > SCA would still work because it sets settings directly on the machine.
> >
> > The processing of the local security policy was changed on WinXP just
> > because of this issue.
> >
> > N
> >
> >
> Nick,
> Do you have any reference material that explains these things in depth?
> We have been trying to work with the SCA Tool and Secedit to configure
> Win 2K Pro machines, but sometimes the behavior of these tools seems
> "flaky".  Some changes seemed to only apply after multiple reboots while
> others seemed to take effect sooner.
> In addition to the .sdb files and .inf files, do the log files (.log)
> come into play?  Do any of the log files temporarily "hold" security
> configuration changes (like a database log might "hold" changes until
> committed to the database)?
> I'm trying to expand my layman's knowledge of these tools, so I would
> very much appreciate your expertise!
> Regards,
> B. Goodman