|
|
Focus on Microsoft
security policy 'not specified' option Oct 20 2005 08:56PM matthew patton (pattonme yahoo com) (4 replies) Re: security policy 'not specified' option Oct 21 2005 01:58AM Thor (Hammer of God) (thor hammerofgod com) RE: security policy 'not specified' option Oct 20 2005 10:31PM Laura A. Robinson (larobins bellatlantic net) RE: security policy 'not specified' option Oct 20 2005 10:00PM Tony King (agkcomputers btinternet com) |
|
Privacy Statement |
> From: matthew patton [mailto:pattonme (at) yahoo (dot) com [email concealed]]
> Sent: Friday, October 21, 2005 12:57 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: security policy 'not specified' option
>
> Some time back I used a security policy editor that had 3 options:
> enabled, disabled, and 'unset'. By not setting it either way, the
> machine inherited the domain settings.
Actually, group policy precedence works opposite way. The principle called
LSDOU which stands for "Local > Site > Domain-wide > OU" [1]. Domain
policies have higher priority since they are applied later. So if particular
policy is defined on any of domain levels it will take precedence over local
policy. On that note, you don't _have_ to configure local policies on domain
computers since you could always use domain policies which are much easier
to manage.
> Unfortunately the standard
> system policy editors shipped with 2K/2K3/XP don't appear to have that
> 3rd option which means now I've got all kinds of machine running with
> who knows what setting and ignoring the domain policy. And once you've
> selected en/disabled via the radio box, there isn't a way to unset it.
> How do I dig myself out of this?
For this you can use Security Templates MMC snap-in to create a policy
template (inf file). You can also export current policy using secedit.exe
command line tool. Then distribute it to your client computers. You can:
- import template using secpol.msc MMC snap-in
- apply template using Security Configuration and Analysis snap-in
- apply template using secedit.exe
For more information on this please refer to built-in Windows help [2].
References (watch for line wraps):
[1] "Windows 2000 Security Policies Overview"
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/
win2
kpol/w2kadm02.mspx
[2]"Automating security configuration tasks"
Start > Run > hh.exe
ms-its:%windr%\Help\secedit.chm::/sag_SECedittopnode.htm
--
Al
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]