Re: Local security settings - secedit
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/30/04
- Next message: Steven L Umbach: "Re: Windows Server 2003 Security Guide issue"
- Previous message: Steven L Umbach: "Re: Logon Error Msg: local security policy won't permit interactiv"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Nov 2004 19:40:25 GMT
I don't know the exact mechanics of how it works in Windows 2003. You should
be able to move it to an OU with block inheritance enabled on the OU and
then see the "true" local policy I believe. That would be easier than
removing it from the domain. I suppose it really does not matter that much
as in a domain it is the effective policy that matters and you need to plan
your GPOs carefully to get the expected results. --- Steve
"Ravi Reddy" <ravicreddy@gmail.com> wrote in message
news:660bc1b6.0411300833.7fdda03c@posting.google.com...
> Thanks Steve,
>
> Do you know where these local settings are stored? If I take my 2003
> server out of the domain (moved to workgroup), I can see these settings in
> the local security settings MMC.
>
> What is the use of secedit.sdb in 2003? I copied this to another
> directory and ran a secedit /export on this db. The exported file is
> empty. I am not sure any settings are stored in this DB in 2003. A
> quick search through registry did not find anything either.
>
> Ravi
>
> "Steven L Umbach" <n9rou@N0sPaM-comcast.net> wrote in message
> news:<iObpd.95395$5K2.65332@attbi_s03>...
>> I don't believe you can export the true local security settings of a
>> domain computer. I found results similar to yours. For Windows 2003 when
>> you are using the secedit /export command you really are exporting the
>> "effective" settings for the computer's security policy. When you use the
>> /mergedpolicy switch you are exporting those security settings that are
>> defined at the domain/OU level that are overriding the local settings. I
>> suppose if you want to find the true local settings [other than password
>> policy possibly] you could create an OU with block inheritance enabled on
>> it and move your computer into it, refresh the Group Policy on the domain
>> controller and reboot the domain computer you want to analyze. --- Steve
>>
>>
>> "ravi" <ravicreddy@gmail.com> wrote in message
>> news:1101336638.982662.271510@f14g2000cwb.googlegroups.com...
>> > Hello,
>> >
>> > Local security settings - secedit
>> >
>> > I am trying to export local security settings using secedit on windows
>> > 2003.
>> >
>> > secedit /export /cfg local.inf /log local.log
>> > secedit /export /mergedpolicy /cfg merged.inf /log merged.log
>> >
>> > My understanding is the first call gives local settings even if the
>> > server is connected to domain and domain policy settings are
>> > overriding.
>> >
>> > Second command gives the merged policies from domain based GPOs. The
>> > number of settings is different in both cases, but the values always
>> > seem to be domain values.
>> >
>> > Example: If I have minimum password length set to 8 chars on local and
>> > 10 chars on domain, both the above commands give 10 chars.
>> >
>> > I take the server out of domain (make it a stand alone server) then I
>> > get a value of 8 in both cases.
>> >
>> > Anyone else see this behavior? How do I dump settings from local
>> > secedit.sdb?
>> >
>> > Thanks
>> >
>> > Ravi
>> >
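
The comparison discussed in this thread, as an added example that is not part of the original posts: a small Python script that parses two secedit /export INF files (one taken while the server is standalone or in a block-inheritance OU, one taken under domain policy) and reports which settings the domain is overriding. The sample INF text, the function names and the UTF-16 file encoding in load_inf are assumptions made for this example.

```python
# Constructed sample exports (not from the thread), modelled on the 8 vs 10 example.
STANDALONE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
"""
DOMAIN_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 10
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
"""

def parse_secedit_inf(text):
    """Parse secedit export text into {(section, key): value}."""
    settings, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section in (None, "Unicode", "Version") or "=" not in line:
            continue                      # file metadata, not policy
        key, _, value = line.partition("=")
        settings[(section, key.strip())] = value.strip()
    return settings

def load_inf(path):
    # Assumption: the export file is UTF-16 with a byte order mark.
    with open(path, encoding="utf-16") as fh:
        return parse_secedit_inf(fh.read())

def diff_exports(local, effective):
    """Return (changed, only_in_local, only_in_effective)."""
    changed = {k: (local[k], effective[k])
               for k in local.keys() & effective.keys() if local[k] != effective[k]}
    only_local = {k: local[k] for k in local.keys() - effective.keys()}
    only_effective = {k: effective[k] for k in effective.keys() - local.keys()}
    return changed, only_local, only_effective

if __name__ == "__main__":
    for item in diff_exports(parse_secedit_inf(STANDALONE_INF), parse_secedit_inf(DOMAIN_INF)):
        print(item)
```

On real files, call load_inf on each export and pass the two results to diff_exports.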