Re: security template file import

From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 09/25/03


Date: Thu, 25 Sep 2003 10:07:10 -0700


"Graham Turner" <gturner@ipcomputers.demon.co.uk> wrote in message
news:%23Ay5DnpgDHA.2344@TK2MSFTNGP10.phx.gbl...
> Nick, thanks for your time on this as I think I have pretty much got there!

Glad to hear it. :)

> the issue with the non-production server I established was I think
> attributable to a "runaway" folder on the DC - I was noticing 100s of *.inf
> / *.dom files which was getting longer with every security policy refresh -
> in c:\winnt\security\templates\policies

If you don't have 100s of GPOs with security policy affecting this client
that shouldn't happen. There should only be one template per GPO in that
folder. There was an issue at one point where those files couldn't be
deleted because of a virus scanner. When policy propagated it would just
keep incrementing the number and adding to the number of files there.

> QU - given that as a general note the GPO editors are at best clumsy (I
> know this is improved by GPMC) but is manual edit of the gpttmpl.inf in the
> GPO folder structure a supported operation?

It's not supported. Basically, what the UI can generate in a security
template is supported. If you can generate it from the UI, feel free to
type it into the template. Some settings are tricky to get right though
when you are editing by hand. And as you pointed out the UI will increment
the version number for the GPO which is very important so clients know that
the policy changed and will update their settings sooner. By default, they
will force a propagation every 16 hours though so the settings will take
effect eventually.

> haven't yet worked out what role the tmpgptfl.inf file on the client side in
> c:\winnt\security\templates\policies plays - is this a temp file used in the
> import of the values into secedit.sdb which presumably is the
> "running-config"?

It's a temporary file used while copying the GPOs down to the client. Its
values aren't factored into the final merge of the security settings when
they are applied to the system. secedit.sdb is basically a scratch pad in
which to do the setting merge and a place to store local security policy on
Win2k.

> duly noted on the priority of the GPOs and the naming of GPT*.inf files -
> how though does the scecli.dll know which one has the highest priority - it
> would seem to need to be written as an attribute of the container to which
> they are linked??

The Group Policy infrastructure tells each extension the priority and
location of each GPO when policy propagation is triggered. This is based
upon what OU the policy is defined within and what the GPO priority is
within that OU. When you use the UI, you can move GPOs up or down in the
list. That changes them to a higher or lower priority respectively. As far
as OU priority goes, local policy always has the lowest priority, then domain
level policy, and then drilling down through the OU structure to the
computer's OU, each OU gets higher and higher in priority until the OU that
contains the computer has the highest priority. How was that for a run-on?
;)

> final point - THIS HAS BEEN A MOST HELPFUL INSTRUCTION FROM YOURSELF - Ta
> v.much ~!!!

Yup, you're welcome. I'm glad that I could help you to better understand
this process. :)

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
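The precedence Nick lays out above (local lowest, then domain, then each OU down to the computer's own OU, with link order deciding ties inside one container) can be modelled to predict which GPO wins a given security setting. This is an added illustration, not code from the thread or from Windows; the container names, GPO names and setting values are constructed, and the model deliberately omits site links and the per-extension rules Windows applies on top of plain LSDOU ordering.

```python
# Constructed sample: GPO links per container, listed in the UI's link order.
# The first entry is the top of the list, i.e. the highest priority within
# that container (Nick: moving a GPO up in the list raises its priority).
CONTAINER_LINKS = {
    "LOCAL": ["Local Policy"],
    "DC=contoso,DC=test": ["Default Domain Policy"],
    "OU=Servers,DC=contoso,DC=test": ["Server Baseline"],
    "OU=Web,OU=Servers,DC=contoso,DC=test": ["Web Hardening", "Web Audit"],
}

# Constructed security settings each GPO defines (names chosen for illustration).
GPO_SETTINGS = {
    "Local Policy": {"AuditLogonEvents": "None", "LmCompatibilityLevel": 0},
    "Default Domain Policy": {"LmCompatibilityLevel": 2, "RestrictAnonymous": 0},
    "Server Baseline": {"LmCompatibilityLevel": 3, "AuditLogonEvents": "Success"},
    "Web Hardening": {"LmCompatibilityLevel": 5},
    "Web Audit": {"AuditLogonEvents": "Success, Failure", "RestrictAnonymous": 1},
}


def container_chain(computer_dn):
    """Containers from least to most specific: LOCAL, the domain, then each
    OU from the top-level OU down to the one that holds the computer."""
    parts = computer_dn.split(",")
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = ["LOCAL", ",".join(parts[first_dc:])]
    for i in range(first_dc - 1, 0, -1):  # parts[0] is the CN= leaf, skipped
        if parts[i].upper().startswith("OU="):
            chain.append(",".join(parts[i:]))
    return chain


def apply_order(computer_dn, links=CONTAINER_LINKS):
    """GPOs in application order, lowest priority first. Within a container
    the link list is reversed so the top of the list is applied last."""
    order = []
    for container in container_chain(computer_dn):
        order.extend(reversed(links.get(container, [])))
    return order


def effective_settings(computer_dn, links=CONTAINER_LINKS, gpos=GPO_SETTINGS):
    """Last writer wins: each later (higher-priority) GPO overwrites earlier
    values. Returns the merged settings and the GPO that won each one."""
    merged, winner = {}, {}
    for gpo in apply_order(computer_dn, links):
        for key, value in gpos.get(gpo, {}).items():
            merged[key] = value
            winner[key] = gpo
    return merged, winner
```

The `winner` map is the part worth keeping when troubleshooting: it shows which container's GPO to edit (through the UI, so the version number is bumped) rather than guessing from the file names in the policies folder.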
