Backing Up Local Policy Settings

Scott Moyer

Would like to know if there's a way to backup/export Local Security Policy
Settings, preferably into INF Template format. Have been experimenting
with Security Config/Analysis and SECEDIT which only allow you to build a
fresh template and then export. I want to backup/export current settings
before I make any changes. I've also heard about the SECEDIT.SDB file but
not sure if it would help this scenario.

Secondly, do the Local Policy settings have corresponding registry entries?

Any help is greatly appreciated,
Scott Moyer
(e-mail address removed)
 
Steven L Umbach

Open up Local Security Policy. Expand either account or local policies. Then go to
security settings/right click/export and you will be able to export Local Security
Policy though it will not include services, restricted groups, file and registry
permissions. It still is smart to document changes and use a test machine to try out
security configuration changes. See the link below on how to use secedit to change
security settings back to default "defined" levels. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
 
Scott Moyer

Steve, I only saw the "import template" when I right-clicked. Did I miss
something?

Scott
 
Steven L Umbach

You should see export for Local Security Policy only [not domain or domain
controller]. In my experience the export option is visible but not enabled until
I expand either account or local policies first. It should appear then when you right
click "security settings". This is only available on W2K - not XP Pro or W2003 if you
are using that operating system. --- Steve
 
Scott Moyer

I guess I'm in the wrong newsgroup then because I'm running XP Pro.

Thanks,
Scott

 
Steven L Umbach

You still have some options. Secedit does have an export command, but it does not
seem to do any good on a non domain machine as far as I or others can tell. What you
can do is use secedit with the generaterollback option to create a rollback template
for a particular template you wish to apply. Otherwise you can use the Security
Configuration and Analysis tool to manually create your own base custom template. A
fairly easy way might be to run an analysis against the setup security.inf template.
Then review the results and manually change the database settings in the first column
to match what is shown in the computer setting column. When done you could hit save
and then export to create your custom base template. Of course the setup security.inf
template also has file/registry and services defined so if that is a problem you may
want to start with a different template to do the analysis against OR if you look at
the security templates you can copy and paste to another or blank template. You have
the copy and paste option on each of the seven categories of a security template -
account policies, local policies, event log, etc. --- Steve
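
The rollback approach described in the post above, written out as a cmd script. This is an added example, not part of the original thread. The folder, file names and the template `custom.inf` are hypothetical placeholders, and the switch syntax is assumed from Microsoft's secedit documentation, so check `secedit /?` on the target build first.

```batch
@echo off
rem Added example: every path and file name below is a hypothetical placeholder.
setlocal
set WORK=C:\SecBackup
set TEMPLATE=%WORK%\custom.inf
set ROLLBACK=%WORK%\rollback.inf
set LOG=%WORK%\secedit.log

if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found. No settings changed.
    exit /b 1
)

rem Never overwrite an earlier rollback template: it may be the only record
rem of the original values.
if exist "%ROLLBACK%" (
    echo %ROLLBACK% already exists. Move it aside, then run again.
    exit /b 1
)

rem 1. Record the current value of every setting the template would change.
rem    Assumption: /db is accepted here. Later Windows versions document it as
rem    required; older builds document only /cfg and /rbk.
secedit /generaterollback /db "%WORK%\rollback.sdb" /cfg "%TEMPLATE%" /rbk "%ROLLBACK%" /log "%LOG%" /quiet

rem 2. Go no further unless the rollback template was actually written.
if not exist "%ROLLBACK%" (
    echo Rollback template was not created. See %LOG%. No settings changed.
    exit /b 1
)

rem 3. Apply the new template from its own scratch database.
secedit /configure /db "%WORK%\apply.sdb" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
if errorlevel 1 echo secedit reported warnings or errors. Review %LOG%.

rem 4. To undo later, apply the rollback template the same way:
rem    secedit /configure /db "%WORK%\undo.sdb" /cfg "%ROLLBACK%" /log "%LOG%" /quiet
endlocal
```

The rollback template only covers settings that `custom.inf` defines, so it is a backup of what that one template touches, not of the whole local policy.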


 
Scott Moyer

Thanks Steve, that gave me something to look at.

Scott

