Re: question on setting security

"Special Access" <nonyabidnezz@xxxxxxxxxxx> wrote in message
news:452al25lcad7ubumvdgdkqa5etusi9fv5a@xxxxxxxxxx
On Fri, 10 Nov 2006 10:03:12 -0700, "Roger Abell [MVP]"
<mvpNoSpam@xxxxxxx> wrote:

When you merge settings by importing multiple templates into
a sdb in merge mode, they are merged, but not as you expect.
Each policy setting is handled all-or-none, that is, the last
loaded template that specifies a particular setting specifies
the complete, total and exclusive, value for that setting.
In your scenario, the last-loaded IIS template needs to state
both ASPNET and Guests for the Deny local logon settings.

"Special Access" <nonyabidnezz@xxxxxxxxxxx> wrote in message
news:udr7l2dc41nd2101op970qpkf3fugkjna3@xxxxxxxxxx
I have a server that I secured using an INF template we created. Now
they installed IIS and changes were made to the settings. We have a
template that documents the changes in the security settings (iusr,
iwam, iis_wpg and aspnet were added to several user rights) and want
to import that into the original SDB.

Problem is when we import and configure using the second template,
some of the settings are completely over written by it rather than
augmented by it. For example, deny local logon is set to GUESTS by
the original template. When we add IIS, ASPNET is added to this
right. However after we configure the computer with the new template
only ASPNET is listed.

We are using secedit in a script to do this. First we configure with
our security template to create the SDB file, then we configure with
the IIS template.

Obviously I'm doing something wrong here. I would expect the end
result to be a combination of the two templates but any place the
second template makes changes I'm only seeing those changes.

Help?!

Mike


That's what I thought... figures, now I have to re-write the VBS that
generates the IIS.INF file to include any settings already set by the
original template.

Thanks for the info. I appreciate the help.

As an afterthought, I once wrote a script to compare templates,
that I still use, and it was not too hard. You could probably
write one that did a quick merge of two templates, or at least
a rewrite of the second to make sure any conflicting values
were merged in, and then use it as a post-processing step to
your existing script.

Roger


.

Relevant Pages

  • Re: SECEDIT MMC and security templates
    ... sdb can be used to reapply those settings that were ... >>database while it compiles what is to be applied. ... >>> of the settings stick when doing that. ... >>>>by using the template, not the sdb. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Mail merge with graphics direct to PDF
    ... Word MVP web site http://word.mvps.org ... filename and opens each file regardless of the settings. ... The add-in will make use of the template that was used to create ... of the separate documents as a .pdf file. ...
    (microsoft.public.word.mailmerge.fields)
  • Re: Defining the top and bottom measurement of an inserted image.
    ... For another template however, it is not a strange idea to set the wrapformat ... Name the macro InsertPicture will override the default Word command. ... One of the layout consistencies we have is for most pictures to ... settings are reset to before the template was opened. ...
    (microsoft.public.word.vba.general)
  • How to export .adm settings .inf style?
    ... We would like to provide our customers with an .inf template that they can ... System.adm settings that end up in Registry.pol are quite different. ... that the domain controller policies lock down the system as much as possible ...
    (microsoft.public.windows.group_policy)
  • Re: question on setting security
    ... a sdb in merge mode, they are merged, but not as you expect. ... the last-loaded IIS template needs to state ... both ASPNET and Guests for the Deny local logon settings. ... the original template. ...
    (microsoft.public.windows.server.security)