Re: Local security settings - secedit

From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: 11/25/04

  • Next message: Robert Paris: "Win 2k Security Questions" 
    Date: Thu, 25 Nov 2004 02:53:02 GMT

    I don't believe you can export the true local security settings of a domain
    computer. I found results similar to yours. For Windows 2003 when you are
    using the secedit /export command you really are exporting the "effective"
    settings for the computer's security policy . When you use the /mergedpolicy
    switch you are exporting those security settings that are defined at the
    domain/OU level that are overriding the local settings. I suppose if you
    want to find the true local settings [other than password policy possibly]
    you could create an OU with block inheritance enabled on it and move your
    computer into it, refresh the Group Policy on the domain controller and
    reboot the domain computer you want to analyze. --- Steve

    "ravi" <ravicreddy@gmail.com> wrote in message
    news:1101336638.982662.271510@f14g2000cwb.googlegroups.com...
    > Hello,
    >
    > Local security settings - secedit
    >
    > I am trying to export local security settings using secedit on windows
    > 2003.
    >
    > secedit /export /cfg local.inf /log local.log
    > secedit /export / mergedpolicy /cfg merged.inf /log merged.log
    >
    > My understanding is the first call gives local settings even if the
    > server is connected to domain and domain policy settings are
    > overriding.
    >
    > Second command gives the merged polices from domain based GPOs. The
    > number of settings are differenr in both cases, but the values always
    > seems to be domain values.
    >
    > Example: If I have minimum password length set to 8 chars on local and
    > 10 chars on domain, both the above commands gives 10 chars.
    >
    > I take the server out of domain (make it a stand alone server) then I
    > get a value of 8 on both cases.
    >
    > Any one else see this behavior? How do I dump settings from local
    > secedit.sdb?
    >
    > Thanks
    >
    > Ravi
    >

  • Next message: Robert Paris: "Win 2k Security Questions"

    Relevant Pages

    • Re: scripted logon
      ... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
      (microsoft.public.windows.terminal_services)
    • Re: GPO vs. LGPO settings in Security Options
      ... the names of the settings have evolved with the operating system. ... Windows Platform Support Team ... > 'Security Options', these settings are do not come from an ADM-template ... > By starting Local Security Policy on an XP workstation, ...
      (microsoft.public.win2000.group_policy)
    • Group Policy Case Solved
      ... I began with the "Security Options" under the Computer ... I modified the group policy from my Windows XP Pro workstation using ... many more settings than Windows 2000 does; ...
      (microsoft.public.win2000.security)
    • Re: how can I stop user deleting important files
      ... Just tried this at home on an XP Pro PC (no Windows Server in the mix) ... In Server Manager, Advanced Management, Group Policy Management, Your ... Forest, Your Domain, Your Domain.local, Default Domain Policy (right click ... and select Edit), Computer Settings, Windows Settings, Security Settings, ...
      (microsoft.public.windows.server.sbs)
    • Re: XP SP2 GPOs missing???
      ... Windows Platform Support Team ... > This section is relevant to the "Windows Firewall: ... > exceptions (Computer Policy)" and "Windows Firewall: ... > settings from being modified on a Windows 2000-based client computer. ...
      (microsoft.public.windows.group_policy)