Re: security template file import

From: Graham Turner (gturner_at_ipcomputers.demon.co.uk)
Date: 09/28/03


Date: Sun, 28 Sep 2003 12:12:48 +0100


Nick, one final and very specific issue on security / GPO.

the observed behaviour when using an imported security template is that we
are observing truncation in the legal caption text.

the admins are able to set it ok using a GPO linked to a workstations
container for all the desktops but for the DC's we are using an imported
security template.

are there any "known issues" in this respect?

GT

"Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
news:#3e78d4gDHA.696@TK2MSFTNGP09.phx.gbl...
> "Graham Turner" <gturner@ipcomputers.demon.co.uk> wrote in message
> news:%23Ay5DnpgDHA.2344@TK2MSFTNGP10.phx.gbl...
> > Nick, thanks for your time on this as I think i have pretty much got
> > there!
>
> Glad to hear it. :)
>
> > the issue with the non-production server i established was i think
> > attributable to a "runaway" folder on the DC - i was noticing 100's of
> > *.inf / *.dom files which was getting longer with every security policy
> > refresh - in c:\winnt\security\templates\policies
>
> If you don't have 100s of GPOs with security policy affecting this client
> that shouldn't happen. There should only be one template per GPO in that
> folder. There was an issue at one point where those files couldn't be
> deleted because of a virus scanner. When policy propagated it would just
> keep incrementing the number and adding to the number of files there.
>
> > QU - given that as a general note the GPO editors are at best clumsy (i
> > know this is improved by GPMC) but is manual edit of the gpttmpl.inf in
> > the GPO folder structure a supported operation?
>
> It's not supported. Basically, what the UI can generate in a security
> template is supported. If you can generate it from the UI, feel free to
> type it into the template. Some settings are tricky to get right though
> when you are editing by hand. And as you pointed out the UI will increment
> the version number for the GPO which is very important so clients know that
> the policy changed and will update their settings sooner. By default, they
> will force a propagation every 16 hours though so the settings will take
> effect eventually.
>
> > haven't yet worked out what part the tmpgptfl.inf file in the client-side
> > c:\winnt\security\templates\policies plays - is this a temp file used in
> > the import of the values into secedit.sdb which presumably is the
> > "running-config" ?
>
> It's a temporary file used while copying the GPOs down to the client. Its
> values aren't factored into the final merge of the security settings when
> they are applied to the system. secedit.sdb is basically a scratch pad in
> which to do the setting merge and a place to store local security policy on
> Win2k.
>
> > duly noted on the priority of the GPO's and the naming of GPT*.inf
> > files - how though does the scecli.dll know which one has the highest
> > priority - it would seem to need to be written as an attribute of the
> > container to which they are linked ??
>
> The Group Policy infrastructure tells each extension the priority and
> location of each GPO when policy propagation is triggered. This is based
> upon what OU the policy is defined within and what the GPO priority is
> within that OU. When you use the UI, you can move GPOs up or down in the
> list. That changes them to a higher or lower priority respectively. As far
> as OU priority, local policy always has the lowest priority, then domain
> level policy, and then drilling down through the OU structure to the
> computer's OU, each OU gets higher and higher in priority until the OU that
> contains the computer has the highest priority. How was that for a run-on?
> ;)
>
> > final point - THIS HAS BEEN A MOST HELPFUL INSTRUCTION FROM YOURSELF -
> > Ta v.much ~!!!
>
> Yup, you're welcome. I'm glad that I could help you to better understand
> this process. :)
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
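
The precedence order described in the quoted reply (local policy lowest, then the domain, then each OU down to the one holding the computer, with GPOs higher in a container's list winning), modelled as an added example that is not part of the original thread and not Microsoft's code. The domain, GPO names and setting values are constructed, and the model covers only the ordering stated in the reply.

```python
# Added illustration of the precedence order described in the reply above.
# Container names, GPO names and values are constructed samples.
LOCAL = "LOCAL"  # local policy: lowest priority


def containers_for(computer_dn):
    """Containers from lowest to highest priority (naive DN split, no escaped commas)."""
    parts = [p.strip() for p in computer_dn.split(",")]
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    domain = ",".join(parts[first_dc:])
    # parts[0] is the computer; walk from the outermost OU in to the computer's own OU
    ou_chain = [",".join(parts[i:]) for i in range(first_dc - 1, 0, -1)]
    return [LOCAL, domain] + ou_chain


def application_order(computer_dn, links):
    """links: container -> GPO names as listed in the UI (top of list = highest)."""
    order = []
    for container in containers_for(computer_dn):
        # Top of the list wins within a container, so it is applied last
        order.extend(reversed(links.get(container, [])))
    return order


def effective(computer_dn, links, settings):
    """Merge in application order; a later (higher-priority) GPO overwrites."""
    result = {}
    for gpo in application_order(computer_dn, links):
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result


DOMAIN = "DC=example,DC=test"
LINKS = {
    LOCAL: ["Local policy"],
    DOMAIN: ["Domain baseline"],
    "OU=Domain Controllers," + DOMAIN: ["DC hardening", "DC defaults"],
}
SETTINGS = {
    "Local policy": {"LegalNoticeCaption": "local caption"},
    "Domain baseline": {"LegalNoticeCaption": "domain caption", "MinimumPasswordLength": 8},
    "DC defaults": {"LegalNoticeCaption": "dc default caption"},
    "DC hardening": {"LegalNoticeCaption": "dc caption"},
}

if __name__ == "__main__":
    dn = "CN=DC01,OU=Domain Controllers," + DOMAIN
    for key, (value, gpo) in effective(dn, LINKS, SETTINGS).items():
        print(f"{key} = {value!r} (from {gpo})")
```

Recording which GPO supplied each value makes it easy to see whether a setting on a DC came from the GPO you expected or from one linked higher up.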


