Re: security template file import

From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 09/19/03


Date: Fri, 19 Sep 2003 11:52:08 -0700


> First up are you happy to keep this online ??

I'd rather keep it in the newsgroup. Others can benefit. Plus, if it can't
be answered here or an update is necessary, you need to go through PSS to
escalate the issue.

> 1. modify the security template (notepad as text editor seems to suffice) -
> we have found the security configuration editor "messes" up the format of
> the security template file

And this "messing up" of security templates is the service setting
duplication that you mentioned earlier, correct? This occurs when you edit
via the UI or import via the UI, correct? I just did this myself here on a
Win2k SP4 machine and saw the service duplication.

> 2. edit the GPO, then import the modified security template file (leave the
> clear database before importing unchecked).

If you are going through the process you've described of having a security
template outside of the GPO which you edit to contain all the security
settings for that GPO and reimport, you should check that box. You know
that everything in that template is what you want in the GPO so you
shouldn't do a template merge (by leaving the box unchecked). In addition,
this would remedy the duplicate service setting issue you are seeing which I
also just verified.

> the ideal way forward it seems is to effectively start again - but given
> your response of "you have to change the value in the policy to match the
> original value" this seems not practically unachievable ?

You shouldn't have to start again. Just check your hand-crafted template to
make sure the issue doesn't show up there. Then reimport your template
while checking the box to "Clear this database before importing".

If you don't want to check the checkbox or if you need the merge
functionality when importing templates, you'll need to contact PSS, escalate
the issue, and get a patch. I'll see about getting a bug filed for this
from my end as well.

> ps - where is this documented ??!!

Documentation on this is scattered in many whitepapers people have written
over the years. Also, newsgroup searches sometimes work well.
Unfortunately, I don't have pointers handy to these currently. :(

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

