Re: security template file import
From: Graham Turner (gturner_at_ipcomputers.demon.co.uk)
Date: 09/21/03
- Next message: Graham Turner: "Re: security template file import"
- Previous message: Jack Seredyniecki: "Re: IP Printer Security"
- In reply to: Nick Finco [MSFT]: "Re: security template file import"
- Next in thread: Graham Turner: "Re: security template file import"
- Reply: Graham Turner: "Re: security template file import"
Date: Sun, 21 Sep 2003 16:44:41 +0100
Nick, thanks again for your help on this.
i am sort of a little more comfortable going through the reimport of the security
settings with the "clear this database before importing" checkbox enabled
must confess that i am still not entirely comfortable with what is actually
going on here which is why i was seeking further documentation - this goes
way beyond the grouppolwp.asp that i have used as a reference to date.
am starting to see the flow of data a bit - would you correct me if am way
off target;
when we create GPO obviously create a structure with a GUID under;
c:\winnt\sysvol\sysvol\mydomain\polices\GPOGUID\machine\microsoft\windowsNT\secedit
in here is a single file - GPTTMPL.INF that lists the security settings (and
as i can see is a copy of an imported security settings file) - is this the
"database" that gets cleared when we use the checkbox (or merged or not as
the case may be !!)
when the DC as a group policy client downloads the GPO it sticks the
contents of this file into one of the GPT*.inf in
c:\winnt\security\templates\policies\
it is these files (or the most recent one ?) that are processed by
seccli.dll to generate the resultant security policy (or running-config as i
would say in Cisco parlance !))
still not too sure about secedit.sdb though ?
hope i am getting this and thanks for your patience and help
GT
"Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
news:umC2h8tfDHA.1700@TK2MSFTNGP10.phx.gbl...
> > First up are you happy to keep this online ??
>
> I'd rather keep it in the newsgroup. Others can benefit. Plus, if it can't
> be answered here or an update is necessary, you need to go through PSS to
> escalate the issue.
>
> > 1. modify the security template (notepad as text editor seems to suffice) -
> > we have found the security configuration editor "messes" up the format of
> > the security template file
>
> And this "messing up" of security templates is the service setting
> duplication that you mentioned earlier, correct? This occurs when you edit
> via the UI or import via the UI, correct? I just did this myself here on a
> Win2k SP4 machine and saw the service duplication.
>
> > 2. edit the GPO, then import the modified security template file (leave the
> > clear database before importing unchecked).
>
> If you are going through the process you've described of having a security
> template outside of the GPO which you edit to contain all the security
> settings for that GPO and reimport, you should check that box. You know
> that everything in that template is what you want in the GPO so you
> shouldn't do a template merge (by leaving the box unchecked). In addition,
> this would remedy the duplicate service setting issue you are seeing which I
> also just verified.
>
> > the ideal way forward it seems is to effectively start again - but given
> > your response of "you have to change the value in the policy to match the
> > original value" this seems not practically unachievable ?
>
> You shouldn't have to start again. Just check your hand crafted template to
> make sure the issue doesn't show up there. Then reimport your template
> while checking the box to "Clear this database before importing".
>
> If you don't want to check the checkbox or if you need the merge
> functionality when importing templates, you'll need to contact PSS, escalate
> the issue, and get a patch. I'll see about getting a bug filed for this
> from my end as well.
>
> > ps - where is this documented ??!!
>
> Documentation on this is scattered in many whitepapers people have written
> over the years. Also, news group searches sometimes work well.
> Unfortunately, I don't have pointers handy to these currently. :(
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
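The quoted reply advises checking the hand-crafted template for the duplicated service settings before reimporting it. One way to run that check, added here as an example and not code from either poster: it assumes entries under `[Service General Setting]` have the form `name,startup,"SDDL"`, and the sample template is constructed.

```python
import re
from collections import defaultdict

# Constructed sample template (not from the thread). Real templates are
# normally saved as UTF-16; decode the file before passing its text in.
SAMPLE_TEMPLATE = '''\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"Messenger",4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
; a comment line
alerter,2,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
[Event Audit]
AuditSystemEvents = 3
'''

SECTION = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')

def service_entries(text, section="Service General Setting"):
    """Yield (line_no, service_name, raw_line) for each entry in the section."""
    current = None
    for no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith(';'):
            continue  # skip blanks and INF comments
        m = SECTION.match(line)
        if m:
            current = m.group('name').strip().lower()
            continue
        if current == section.lower():
            # Assumed layout: first comma-separated field is the service name.
            name = line.split(',', 1)[0].strip().strip('"')
            yield no, name, line

def duplicate_services(text):
    """Return {service: [(line_no, raw_line), ...]} for names listed more than once."""
    seen = defaultdict(list)
    for no, name, raw in service_entries(text):
        seen[name.lower()].append((no, raw))  # compare names case-insensitively
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for svc, hits in duplicate_services(SAMPLE_TEMPLATE).items():
        print(f"duplicate service entry: {svc}")
        for no, raw in hits:
            print(f"  line {no}: {raw}")
```

A duplicate with conflicting startup values, as in the sample, is the case worth resolving by hand before the template is reimported with the database cleared.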