Re: Local security policy on Windows server 2003 domain controller

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/12/04


Date: Tue, 11 May 2004 22:21:19 -0400

Nope, not saying that. Anything defined higher up in the policy chain has
precedence over the local security policy. For domain controllers, you shouldn't
be setting anything on the local security policy as they have a special security
policy in the domain called default domain controllers security policy. That way
any new DCs spun up will have that policy as well.

If you looked at a regular member server and saw something greyed out in the
local security policy, yes, it means it was defined up in a higher policy.

Looking at my default domain policy on a brand new K3 domain I just set up shows
nothing defined in Default Domain Policy | Security Settings | Local Policies |
User Rights Assignments.

The specific right you were talking about though only came into existence in W2K
SP4 - it wouldn't be on a fresh built K3 environment, I am not sure what its
default value is.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Peter Afonin wrote:
> Thank you, Joe.
> 
> So this means that the settings in the Local Security policy are disabled by
> default, correct?
> 
> This is a solution that I've got from Microsoft:
> 
> "The account starting SQL Server needs this right to be able to impersonate
> the accounts logging in. This setting was greyed out in the Local Security
> Policy which indicates it was set manually in another global security policy
> for the domain. We first checked the one for Domain Controllers, but finally
> found it under the Default Domain policy. This means someone had made the
> setting at the domain level which would affect all servers at reboot. When
> you upgraded the server and rebooted as part of the process, these settings
> would have taken effect at that time and caused SQL Server to cease
> functioning correctly. To resolve the problem we changed the Default Domain
> policy back to not configured, and made the settings locally. After SQL
> Server was restarted, users could connect successfully."
> 
> This is nonsense - nobody ever manually changed any settings. But they
> wanted me to do just that - to enable controls in the Local Security policy
> and use them, just the opposite of what you're saying. Of course they knew that it
> was a domain controller.
> 
> So I'm confused.
> 
> Thank you,
> 
> Peter
> 
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:OiVclu4NEHA.556@tk2msftngp13.phx.gbl...
> 
>>You should never use local security policy on domain controllers, you
>>should use either the default domain policy (if it is something you want
>>for the entire domain or it is password type policy) or you should use
>>default domain controllers policy.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>Peter Afonin wrote:
>>
>>>Hello:
>>>
>>>I've recently upgraded our domain controller from Win2000 to Win2003.
>>>
>>>In Windows server 2003 when I go to the Local Security settings most of
>>>these settings I cannot modify - all buttons are greyed out.
>>>
>>>After contacting Microsoft I've got a cure for it - I had to perform the
>>>following steps:
>>>
>>>1. In the Active Directory, right-click domain name and go to Properties;
>>>2. Go to Group Policy tab, select Default Domain Policy and click Edit;
>>>3. Go to Computer Configuration, Windows Settings, Security Settings, Local
>>>Policies, User Rights Assignments.
>>>4. Double-click the setting I need to access (in my case - "Impersonate
>>>Client after authentication") and uncheck the box "Define these policy
>>>settings". (I guess that alternatively I could just modify my settings there
>>>and forget about Local Security policy - not sure, though).
>>>
>>>I have only one question - is it a default behavior for Windows 2003 domain
>>>controller, or something has been modified there? I have no other Win 2003
>>>domain controller to check it out.
>>>
>>>I would appreciate your help.
>>>
>>>Thank you,
>>>
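As an added example, not from the thread and not Microsoft's or Joe's code, a PowerShell check that reports whether the Default Domain Policy or the Default Domain Controllers Policy defines a user right such as SeImpersonatePrivilege ("Impersonate a client after authentication"), and what the local security database currently holds for it. It assumes a host with the RSAT GroupPolicy module (so newer than the Server 2003 systems discussed) and that Get-GPOReport's XML places user rights under the Settings/Security namespace.

```powershell
# Added audit script, not part of the thread. Assumes the RSAT GroupPolicy
# module and the Settings/Security XML namespace used by Get-GPOReport.
param(
    # SeImpersonatePrivilege is "Impersonate a client after authentication".
    [string]$Right = 'SeImpersonatePrivilege'
)

Import-Module GroupPolicy

# 1. Which of the two default GPOs defines the right? A greyed-out entry in
#    Local Security Policy means one of these (or another linked GPO) does.
foreach ($gpoName in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    [xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
    $ns.AddNamespace('s', 'http://www.microsoft.com/GroupPolicy/Settings/Security')
    $nodes = $report.SelectNodes("//s:UserRightsAssignment[s:Name='$Right']", $ns)
    if ($nodes.Count -eq 0) {
        "{0}: {1} is Not Defined" -f $gpoName, $Right
    } else {
        foreach ($n in $nodes) {
            # A defined right with an empty member list is still "defined": it
            # strips the right from everyone on the machines the GPO applies to.
            $members = @($n.SelectNodes('s:Member/s:Name', $ns) | ForEach-Object { $_.InnerText })
            "{0}: {1} defined for: {2}" -f $gpoName, $Right, ($members -join ', ')
        }
    }
}

# 2. What the local security database currently holds for the right, i.e. the
#    result of whatever policy applied last. Needs an elevated shell.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$local = Get-Content $inf | Where-Object { $_ -match "^\s*$Right\s*=" }
if ($local) { "Local database: $local" } else { "Local database: $Right has no holders" }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it on the affected server before and after changing the domain-level setting to confirm the right is now Not Defined in the domain GPO and that the local database lists the expected accounts.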