Local Security Policy Locked (or something?)

[Russ]

Folks,

I am dumb dumb dumb (or something close.)
I have had some problems with an XP Pro machine on my
network. I've got it up and running with accessibilty now.

My Local Security Policy icon on this machine has a
lockbox on it and yes, that means everything in it will
not allow me to change it.
I did issue (at a command prompt) that all Local Security
Policy settings be set to default settings. This command
worked but it did not remove the lock on the icon and I
cannot control settings (seemingly from a windows gui
interface). Can someone shed some light on how I can
recover? I am the administrator and I have tried to access
through domain as well as through a local (this machine
account). I appreciate your time.

 

[Roger Abell]

The icon of a padlock over a machine is the normal
icon for the Local Security Policy.

You need to tell us what does happen, not what does
not, when you try to use Local Security Policy.

You mentioned you are in a domain, in which case it
can be normal to not be able to alter settings of policies
that are being applied from the Active Directory level.

 

[russ]

Thank you for your time Roger,

I logon as a local user Administrator and open the Local
Security Policy. The Policies are all default (I reset
them to default under the Command/DOS prompt)thinking that
I could go into the policies one by one and make the
necessary tweaks to my specific situation (SOHO). I right-
click on properties for each item and I do not have the
option to change the options. They are greyed-out. They
are greyed-out from the server-side also (because I was
thinking that this was now domain security and I tried
group policy edit fromthe server.) Nope! Group policy is
different fromthe existing local so the server is not
doing it! I'm confused now. Appreciate any suggestion you
may have (other than a wipe and re-install <grin>)

r

 

[Roger Abell]

Well, as I am hearing you, when you are in the local security
policy you are seeing all of the policies greyed out, and not
changeable.

Do you recall what command you used with setup securty.inf
Was it a variation of
http://support.microsoft.com/?id=313222
with secsetup.inf from Windows\repair or was it with file
setup security.inf from Windows\Security\templates ?

When you are on a domain controller, policies may be set
at any of a number of locations so that they will apply onto
the XP client. On the client you can define a custom mmc
console to which you add the RSoP (resultant set of policy)
snapin (selecting current machine and user) and it will show
you from where the setting are arising if they come from GPOs
at the Active Directory level.

 

[Russ]

Hi Roger,

Yes, you are correct, I suspect either a corrupted file or
at one time I may have been booting the server ending up
with a GPO and booting with the local workstation and
getting a local SP.

The link you mention is the link I used to reset defaults
for the local workstation.

Update: I have performed a reconnection to the Domain.
(Just to be sure that I am connecting.) I can easily see
the rest of the network and files from the local
workstation (FYI, this workstation is running XP while the
other workstations are running 2000Pro and the server is
running 2003 server. AD is elevated to 2003 domain.

If I try to look at the workstation from the server or any
other workstation, I get this message:

Logon Failure: the user has not been granted the requested
logon type at this computer.

I receive an error message when trying to open local
policy.
I get the following message:
Failed to open IPsec policy storage (80070005) Access is
denied.

I then clicked OK. I get:

The group policy settings that apply to this machine could
not be determined. The error received when trying to
retrieve these settings from the local policy database %
windr%\security\database\secedit\secedit.sdb was: The
parameter is correct. All local security settings will be
displayed, but no indication will be given as to whether
or not a given security setting is defined in group policy.

The policy MMC opens and within each folder is:
Windows cannot read template info.

RSoP: Source GPO says Default Domain Policy

Roger, I guess I would like to be able to see the
Directories, Files and Folders from the server and the
other workstations. Diving into this, it may be a more
complex problem that you or I can resolve. I appreciate
any suggestion though and if you have any other
directions, I will certainly try them. Seems funny I can
see out onthe workstation, just can't see in (even though
it lists on the domain network site on explorer.)

r