Focus on Microsoft
security policy 'not specified' option   Oct 20 2005 08:56PM   matthew patton (pattonme yahoo com)   (4 replies)
  RE: security policy 'not specified' option   Oct 21 2005 08:51AM   Alexander Suhovey (asuhovey mtu-net ru)   (1 reply)
    Re: security policy 'not specified' option   Oct 21 2005 07:07PM   Thor (Hammer of God) (thor hammerofgod com)
  RE: security policy 'not specified' option   Oct 20 2005 10:31PM   Laura A. Robinson (larobins bellatlantic net)
  RE: security policy 'not specified' option   Oct 20 2005 10:00PM   Tony King (agkcomputers btinternet com)
would be Enabled, Disabled, or "Not Defined" where applicable. If a setting
is not defined, that just means that the corresponding registry key does
not exist. If you go into your Local Security Policy and enable or disable
the policy element, the associated key is created with the appropriate data
value.
I would not recommend that you *not* play "registry magic" to get around
this behavior, as the results can be squirrelly. For instance, if you check
out a default "not defined" element like "Interactive Logon: Do not require
Ctrl+Alt+Del," you'll see that there is no "DisableCAD" registry value in
Winlogon (HKLM\Software\Microsoft\Windows NT\." But if you Disable it
(which is the same as not being defined, really) the registry key is
created. However, if you then go back and delete the key entirely, it does
not change it back to "not defined" in the Local Security Policy. And if
you decide to enable it, the key is not recreated. Not really cool if you
asked me. (If anyone else knows what's going on under the hood in that
scenario, how about let me know please.)
You're not really in a hole though (referring to the "dig myself out"), as
you just need to decide if you want the policy or not, and at what level. A
"not defined" policy is the same as setting the action as the reverse of the
policy setting logic. But you have to make sure you think about it -- I've
never really liked the variation of logic Microsoft used with some of the
security settings, particularly on the double negatives like "disabling" the
"Do not require..." setting, especially when the opposite logic is used in the
registry. But hey, that's the way it goes.
If you are worried about "not defined" domain policies leaving defined local
policies set, then define everything in the domain as appropriate. Settings
are applied in the following order: Local, Site, Domain, OU. And don't
worry about "No Override" as Local objects can't have that set... (Of
course, you'll have to worry about it for the others.)
It may be a PITA to set up at first, but then you'll be in a much better
position, as you'll never have to worry about "not defined" again.
hth
t
----- Original Message -----
From: "matthew patton" <pattonme (at) yahoo (dot) com [email concealed]>
To: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, October 20, 2005 1:56 PM
Subject: security policy 'not specified' option
> Some time back I used a security policy editor that had 3 options:
> enabled, disabled, and 'unset'. By not setting it either way, the
> machine inherited the domain settings. Unfortunately the standard
> system policy editors shipped with 2K/2K3/XP don't appear to have that
> 3rd option which means now I've got all kinds of machines running with
> who knows what setting and ignoring the domain policy. And once you've
> selected en/disabled via the radio box, there isn't a way to unset it.
> How do I dig myself out of this?
>
> I probably can play Registry Magic and accomplish what I need but I
> could have sworn I had a tool that would let me do what I used to be
> able to do.
>
> any ideas?
>
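Added example, not code from the thread or its participants: a PowerShell check that compares what the Local Security Policy database believes about a setting (exported with `secedit /export`) against the registry value that actually backs it, for the DisableCAD value the thread discusses. It assumes the full Winlogon key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (the thread truncates the path) and the `[Registry Values]` line format `MACHINE\<key>\<value>=<type>,<data>` that secedit writes; run it from an elevated prompt.

```powershell
# Export the local policy database to an INF; the [Registry Values] section
# lists only settings that are Enabled/Disabled. A "Not Defined" setting has
# no line at all, which is the same convention the registry uses (value absent).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Collect [Registry Values] entries, e.g.
#   MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD=4,1
# (4 = REG_DWORD) into a hashtable keyed by lower-cased path.
$dbValues = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
    if ($inSection -and $line -match '^(?<path>[^=]+)=(?<type>\d+),(?<data>.*)$') {
        $dbValues[$Matches['path'].ToLower()] = $Matches['data']
    }
}

# Map raw data to the UI state. $enabledIs is the data that means "Enabled";
# for DisableCAD that is 1 (the double negative the thread complains about).
function ConvertTo-PolicyState($data, $enabledIs) {
    if ($null -eq $data) { return 'Not Defined' }
    if ([int]$data -eq $enabledIs) { 'Enabled' } else { 'Disabled' }
}

function Compare-PolicySetting {
    param([string]$Policy, [string]$Key, [string]$Name, [int]$EnabledIs)
    # Registry side: a missing key or value yields $null rather than an error.
    $reg = Get-ItemProperty -Path "HKLM:\$Key" -Name $Name -ErrorAction SilentlyContinue
    $regState = ConvertTo-PolicyState $reg.$Name $EnabledIs
    # Policy database side, from the secedit export parsed above.
    $dbState = ConvertTo-PolicyState $dbValues["MACHINE\$Key\$Name".ToLower()] $EnabledIs
    [pscustomobject]@{
        Policy     = $Policy
        Registry   = $regState
        PolicyDB   = $dbState
        # A mismatch is exactly the state the thread describes: the value was
        # deleted by hand while the policy editor still shows Enabled/Disabled.
        Consistent = ($regState -eq $dbState)
    }
}

Compare-PolicySetting -Policy 'Interactive logon: Do not require CTRL+ALT+DEL' `
    -Key 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'DisableCAD' -EnabledIs 1 |
    Format-List
Remove-Item $inf -ErrorAction SilentlyContinue
```

Extending the final call to the other registry-backed settings you care about gives a quick per-host audit of where local policy and registry have drifted apart before you define them at the domain level.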