Re: security template file import
From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 09/18/03
- Next message: Chuck: "Forgotten password..."
- Previous message: Ryan: "Audit Events"
- In reply to: Graham Turner: "Re: security template file import"
- Next in thread: Graham Turner: "Re: security template file import"
- Reply: Graham Turner: "Re: security template file import"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Sep 2003 12:04:48 -0700
"Graham Turner" <gturner@ipcomputers.demon.co.uk> wrote in message
news:%23z8vBtTfDHA.908@tk2msftngp13.phx.gbl...
> Nick, sorry for not getting back to you earlier on this one and thanks for
> your ongoing help in this.
No problem. :)
> 2. what are all these files in c:\winnt\security\templates\policies ???
These templates don't have anything to do with creating the GPOs or
importing templates into them. These templates are copied down from the
DC's sysvol whenever policy propagation occurs on the client. SCE then
merges the templates together and applies the merged settings onto the
client. On Win2k, looking at these can be a helpful way to see exactly what
settings are coming to a client from a DC.
One of these templates will have the issue you said you were seeing before,
where there is a duplicate service in the template. By the number in the
template filename, you can look at the "Make a local copy of XYZ" part of
winlogon.log, count down that many file copies, and you know the GUID of the
GPO where the template is coming from.
> have noticed that it "processes these GP templates *.inf" -
That message is displayed when SCE merges that template into the database.
"Make a local copy of XYZ" is displayed when the template is copied down to
the client (%windir%\security\templates\policies) from the GPO's store in
the sysvol. XYZ is the location of that particular template in the sysvol
on the DC.
> i thought winlogon.log logged the processing of the group policy object or
> are these entries merely some sort of pointer to the inf template that was
> imported into the GPO ?
Winlogon.log records what the security policy extension to the group policy
engine is doing. Userenv.log located in %windir%\Debug\UserMode (if logging
has been turned on) will describe what the group policy engine is doing
during policy propagations.
> you reference the GPO's current security template - is this one of these
> files in the above folder ?
No, those files are just copies of what's stored in the sysvol for that GPO.
The real templates for the GPO will be located somewhere like
\\Domain.com\Sysvol\Domain.com\Policies\{GPO-GUID}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
> this might be better answered by say a direct scenario based question based
> on testing;
>
> 1. i create a new GPO linked to the Domain controllers container
>
> 2. import a security template file into the GPO
>
> 3. secedit /refresh etc .. demonstrates the values in the security template
>
> 4. i then remove the link from the DC's container to the GPO
>
> 5. the imported values still remain - why ??
Ahhh, jackpot! I can see what you're doing now. Those values will 'tattoo'
onto the system. This was an issue in win2k. All security policy values
will remain on the clients even if you undefine them in policy. What you
have to do is change the value in the policy to match what the original
value was for the setting, let that propagate to the clients, and then
undefine it in the policy or unlink the GPO.
Basically, in Win2k the security extension doesn't store the original value
for the setting. When you subsequently undefine that setting from group
policy, security policy doesn't know or even have a built-in mechanism to
revert the values to their original values. This is fixed for most of the
security policy sections starting in WinXP. The only sections that still
tattoo are the file system and registry security sections.
N
-- This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
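As an added example that is not part of the original post or of any Microsoft tool, the script below does two of the checks described above in code: it walks the "Make a local copy of XYZ" entries of winlogon.log in order, pulls the GPO GUID out of each sysvol path, and maps the number in a local template filename back to the GPO it came from; and it scans a GptTmpl.inf-style template for a service listed more than once in its [Service General Setting] section. The log lines, template contents, GUIDs and SDDL strings are constructed samples; the exact surrounding layout of winlogon.log lines and the zero-based numbering of the local template filenames are assumptions (pass `zero_based=False` if your copies are numbered from 1).

```python
"""Trace SCE template copies back to GPOs and spot duplicate service entries.

Added example; the sample log and template below are constructed, not real
output. Only the "Make a local copy of <sysvol path>" phrasing comes from the
thread; the rest of the log layout is an assumption.
"""
import re
from collections import Counter

# Constructed winlogon.log excerpt. GUIDs are placeholders, not real GPOs.
SAMPLE_WINLOGON_LOG = r"""
----Configure Security Policy...
Make a local copy of \\example.com\sysvol\example.com\Policies\{11111111-2222-3333-4444-555555555555}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Make a local copy of \\example.com\sysvol\example.com\Policies\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Make a local copy of \\example.com\sysvol\example.com\Policies\{01234567-89AB-CDEF-0123-456789ABCDEF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Process GP template gpt00000.inf.
"""

# Constructed template in the INF layout security templates use. The service
# "Spooler" is deliberately listed twice to mimic the duplicate-service issue.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Spooler,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Spooler,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

# Path after "Make a local copy of", minus the trailing period the log appends.
COPY_RE = re.compile(r"Make a local copy of (?P<path>.+?)\.?\s*$")
# A {GUID} anywhere in the sysvol path (the Policies\{GUID} folder).
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def copied_template_guids(log_text):
    """Return GPO GUIDs in the order their templates were copied to the client.

    One entry per "Make a local copy" line; None if a path carries no GUID.
    """
    guids = []
    for line in log_text.splitlines():
        copy = COPY_RE.search(line)
        if not copy:
            continue
        guid = GUID_RE.search(copy.group("path"))
        guids.append(guid.group(1).upper() if guid else None)
    return guids


def gpo_for_template_index(log_text, index, zero_based=True):
    """Map the number in a local template filename to the GPO GUID it came from.

    The thread's method: count down that many copy operations in winlogon.log.
    Zero-based numbering of the local filenames is an assumption.
    """
    guids = copied_template_guids(log_text)
    position = index if zero_based else index - 1
    if not 0 <= position < len(guids):
        raise IndexError(f"only {len(guids)} template copies logged, asked for #{index}")
    return guids[position]


def section_lines(inf_text, section):
    """Yield the non-empty, non-comment lines of [section]; names compare case-insensitively."""
    current = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == section.lower():
            yield line


def duplicate_services(inf_text):
    """Return {service_name: occurrences} for services defined more than once."""
    counts = Counter()
    for line in section_lines(inf_text, "Service General Setting"):
        # Each line is ServiceName,StartupType,"SDDL"; only the name matters here.
        name = line.split(",", 1)[0].strip().lower()
        counts[name] += 1
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for i, guid in enumerate(copied_template_guids(SAMPLE_WINLOGON_LOG)):
        print(f"template copy #{i} came from GPO {{{guid}}}")
    dupes = duplicate_services(SAMPLE_TEMPLATE)
    print("duplicate services:", dupes or "none")
```

Running it on a real client, read `%windir%\security\logs\winlogon.log` and the copied templates in `%windir%\security\templates\policies` instead of the constructed samples; the GPO whose template reports a duplicate is the one to fix in the sysvol.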