Re: security template file import
From: Graham Turner (gturner_at_ipcomputers.demon.co.uk)
Date: 09/21/03
Date: Sun, 21 Sep 2003 17:25:32 +0100
and as another issue on this, not sure if this requires patching and is
consistent with your observed behaviour is the refresh of the legal caption
text even with "clear database before importing" enabled
i can edit the security file used as source for this setting, import it into
the GPO successfully - i say this on account of viewing the contents of
gpttmpl.inf in the secedit folder of the GPO file system folder
however despite secedit /refreshpolicy machine /enforce et al it does not
get propagated to the client
is this the scenario you describe of a "tattooed" entry that needs to be
undefined then reapplied ??
ps sure there are better ways of spending Sunday pm !!
GT
"Graham Turner" <gturner@ipcomputers.demon.co.uk> wrote in message
news:##pbncFgDHA.620@TK2MSFTNGP11.phx.gbl...
> Nick ,thanks again for your help on this.
>
> i sort a little more comfortable going through the reimport of the security
> settings with the "clear this database before importing" checkbox enabled
>
> must confess that i am still not entirely comfortable with what is actually
> going on here which is why i was seeking further documentation - this goes
> way beyond the grouppolwp.asp that i have used as a reference to date.
>
> am starting to see the flow of data a bit - would you correct me if am way
> off target;
>
> when we create GPO obviously create a structure with a GUID under;
>
> c:\winnt\sysvol\sysvol\mydomain\polices\GPOGUID\machine\microsoft\windowsNT\secedit
>
> in here is a single file - GPTTMPL.INF that lists the security settings (and
> as i can see is a copy of an imported security settings file) - is this the
> "database" that gets cleared when we use the checkbox (or merged or not as
> the case may be !!)
>
> when the DC as a group policy client downloads the GPO it sticks the
> contents of this file into one of the GPT*.inf in
> c:\winnt\security\templates\policies\
>
> it is these files (or the most recent one ?) that are processed by
> seccli.dll to generate the resultant security policy (or running-config as i
> would say in Cisco parlance !))
>
> still not too sure about secedit.sdb though ?
>
> hope i am getting this and thanks for your patience and help
>
> GT
>
>
>
> "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> news:umC2h8tfDHA.1700@TK2MSFTNGP10.phx.gbl...
> > > First up are you happy to keep this online ??
> >
> > I'd rather keep it in the newsgroup. Others can benefit. Plus, if it can't
> > be answered here or an update is necessary, you need to go through PSS to
> > escalate the issue.
> >
> > > 1. modify the security template (notepad as text editor seems to suffice) -
> > > we have found the security configuration editor "messes" up the format of
> > > the security template file
> >
> > And this "messing up" of security templates is the service setting
> > duplication that you mentioned earlier, correct? This occurs when you edit
> > via the UI or import via the UI, correct? I just did this myself here on a
> > Win2k SP4 machine and saw the service duplication.
> >
> > > 2. edit the GPO, then import the modified security template file (leave the
> > > clear database before importing unchecked).
> >
> > If you are going through the process you've described of having a security
> > template outside of the GPO which you edit to contain all the security
> > settings for that GPO and reimport, you should check that box. You know
> > that everything in that template is what you want in the GPO so you
> > shouldn't do a template merge (by leaving the box unchecked). In addition,
> > this would remedy the duplicate service setting issue you are seeing which I
> > also just verified.
> >
> > > the ideal way forward it seems is to effectively start again - but given
> > > your response of "you have to change the value in the policy to match the
> > > original value" this seems not practically unachievable ?
> >
> > You shouldn't have to start again. Just check your hand crafted template to
> > make sure the issue doesn't show up there. Then reimport your template
> > while checking the box to "Clear this database before importing".
> >
> > If you don't want to check the checkbox or if you need the merge
> > functionality when importing templates, you'll need to contact PSS, escalate
> > the issue, and get a patch. I'll see about getting a bug filed for this
> > from my end as well.
> >
> > > ps - where is this documented ??!!
> >
> > Documentation on this is scattered in many whitepapers people have written
> > over the years. Also, news group searches sometimes work well.
> > Unfortunately, I don't have pointers handy to these currently. :(
> >
> > N
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
>
>
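
The check suggested in the quoted reply above (inspect the hand-crafted template for duplicated service entries before reimporting it with "Clear this database before importing") can be scripted. This is an added example, not part of the original thread: it assumes the usual `[Service General Setting]` line layout of service name, startup mode, quoted SDDL string, and the sample template and function names are constructed for illustration.

```python
import csv
from collections import defaultdict

SERVICE_SECTION = "service general setting"

def load_template(path):
    """Read a template file; exported templates are normally UTF-16, hand-edited ones may be ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")

def duplicate_services(text):
    """Map each service listed more than once to its [(line_no, (startup, sddl)), ...] entries."""
    seen = defaultdict(list)
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != SERVICE_SECTION:
            continue
        fields = next(csv.reader([line], skipinitialspace=True))
        name = fields[0].strip().lower()  # service names are case-insensitive
        seen[name].append((line_no, tuple(f.strip() for f in fields[1:])))
    return {name: entries for name, entries in seen.items() if len(entries) > 1}

def conflicting(dups):
    """Duplicated services whose entries disagree on startup mode or SDDL."""
    return sorted(n for n, entries in dups.items() if len({s for _, s in entries}) > 1)

# Constructed sample template (not taken from the thread).
SAMPLE = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
[Service General Setting]
"Alerter",4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"Messenger",4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"alerter",2,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"Messenger",4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
'''

if __name__ == "__main__":
    dups = duplicate_services(SAMPLE)
    for name, entries in sorted(dups.items()):
        print(name, [ln for ln, _ in entries], "CONFLICT" if name in conflicting(dups) else "identical")
```

To check a real file, pass `load_template(path)` to `duplicate_services`; entries flagged as conflicting are the ones to resolve by hand before the import.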