security template file import

From: Graham Turner (gturner_at_ipcomputers.demon.co.uk)
Date: 09/15/03 

Date: Mon, 15 Sep 2003 10:11:54 +0100

this is a follow up to a previous post of mine titled "clear the database
before importing" which i closed on account of other issues but now it seems
down to the refresh of GPO values that are imported from a security template
file

we have used as a base line for the security of the domain controllers
security templates from Microsoft security operations guide

these have required modification to meet the site requirement

eg we have modified the startup value of the spooler service to a value
which is i think is the first value (changed from 4 to 2) after the service
name

the security template has been subsequenlty reimported following this change
but for some reason the value in the registry does not change

this suggests quite clearly that a previous value is "sticking" and contrary
to information in a previous post is not being overwritten as it should be

observed behaviour is that other registry values such as restrictanonymous
are being updated correctly

perhaps this is behaviour with refresh of service startup values ??

is this a known issue ??

would seem that the fix is to check the clear database before importing the
template file

this would be consistent with the listing of multiple entries for each value
from the security template file when you view the Domain Controller security
policy

wanted to understand the impact of this before doing so -

have established that this relates to secedit.sdb (presumably on the client
that processes the GPO ?)

i wanted to fully understand the client side processing of the securty
settings of a GPO - and by implication then the impact of the "clear
database before importing"

when we import the template does this somehow flag the GPO so that
scecli.dll on the client that processes the GPO removes all values from its
local secedit.sdb before processing the GPO ??

GT

Relevant Pages

  • Re: security template file import
    ... look to be direct copies of the security template - does one of these get ... security template into a GPO ?? ... presumably they are used in the generation of the GPO ... > Is the template you are importing specific for Win2k3? ...
    (microsoft.public.win2000.security)
  • Re: security template file import
    ... > the security template file ... template outside of the GPO which you edit to contain all the security ... settings for that GPO and reimport, ... while checking the box to "Clear this database before importing". ...
    (microsoft.public.win2000.security)
  • Re: Apply GPO to service startup but not permissions?
    ... The other possibility is to edit the security template offline. ... Edit the service settings withou editing the security settings and ... After that you can import it to your GPO. ...
    (microsoft.public.windows.group_policy)
  • Re: Setting policies
    ... Assuming you are running a Win2k domain: ... Create a GPO and apply it to the OU with the users in question. ... Compatws.inf security template into this GPO. ... This solution will give away less power than making users Power Users of ...
    (microsoft.public.win2000.security)
  • Re: SceCli error 1202, 0x57
    ... are too large for posting here. ... rights. ... >> New error today after importing a security template. ...
    (microsoft.public.windows.group_policy)