Re: Security config and analysis on AD DC

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 06/25/03 

Date: Wed, 25 Jun 2003 02:47:54 GMT

       You can export your security settings [ machine or effective] into a
.inf template that you can use as sort of a backup. That option will appear
if you right click security settings. Keep in mind that any security
settings that are defined at the domain or particularly the domain
controller OU level, will override any local security settings. You may want
to consider not changing Local Security Policy on a domain controller, but
instead create a new group policy for the domain controller OU and make your
changes to that new GPO. Put the new GPO above the Default Domain Controller
Policy so that it will take precedence. You can do individual changes to the
new GPO security settings or import a template. Then if you have problems,
you can just delete or unlink the new GPO and your previous settings will be
back in a short period of time. You can of course still use Security
Configuration and Analysis tool to view what your security settings are
compared to a particular template. Beware that implementing the
hisecuredc.inf template can cause a lot of issues, especially if there are
downlevel NT4.0, W9X, and even XP computers in the domain. I highly
recommend reading the free and recent Windows 2000 Security Hardening Guide
[search Google - link is long] before doing any changes. it includes
specific recommendations on security settings for various domain
environments and security goals. --- Steve

"Bob Williamson" <Bwilliamson@Eisenhowerlaw.com> wrote in message
news:eJbChxqODHA.3700@tk2msftngp13.phx.gbl...
> I am preparing to use the Security config and analysis tool on my network
> and am concerned of messing things up......thus the following:
>
> 1. Is there a way to "backup" my current configuration in case things go
> south on me? I would hate to apply the templates to find out I really
> messed things up. I understand that there is a "Setup Security" template,
> but that does not fit my current config...obviously I am missing something
> here as it can not be this hard.
>
> 2. When applying the template to a DC will these changes affect the
changes
> that I have already made in my GPO? I believe it will.....
>
> Any other suggestion or tips would be appreciated,
> Bob
>
>

Relevant Pages

  • Re: security template file import
    ... one of the more "well documented" features of the GPO based security policy. ... modify the security template - ...
    (microsoft.public.win2000.security)
  • Re: Spamnet add-in to Outlook
    ... If you're modifying the security settings item (you should never be ... Outlook may not save the change to the member list. ... I agree that setting up the Outlook Security Template and not ...
    (microsoft.public.outlook.program_addins)
  • Re: security template file import
    ... gpttmpl.inf in the secedit folder of the GPO file system folder ... > in here is a single file - GPTTMPL.INF that lists the securtiy settings ... > as i can see is a copy of an imported security settings file) - is this ... >> template outside of the GPO which you edit to contain all the security ...
    (microsoft.public.win2000.security)
  • Re: How to use this Code
    ... Is there any way I can run a restore while for windows xp from windows 2003. ... | Note After security settings are applied, ... | template to be applied. ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: security template file import
    ... one final and very specific issue on security / GPO. ... the observed behaviour when using an imported security template is that we ... When policy propagated it would just ...
    (microsoft.public.win2000.security)