How to export W2K Effective Policy Setting?

[Guest]

Hi All,
I am trying to export Resultant Set Of Policies, or RSOP, meaning
"effective policy" using the below Secedit command in a batch file,
%SystemRoot%\system32\secedit.exe /export /mergedpolicy /cfg dump.inf /areas
SECURITYPOLICY /quiet

I am getting the information from W2K3 and Xp but for W2K it appears to only
pick up the local policy setting. It is strange that when in Local Security
Settings and select Action and then Export List (this includes both policy
settings). Can someone here if you have any advice on how to pickup these
settings for Windows 2000 servers? Thanks in Advance.

Regards,
Murali.

 

[Steven L Umbach]

I am not sure if this will help but for Windows 2000 try specifying the
secedit.sdb [full path] in your secedit command. --- Steve

 

[Roger Abell]

Support for RSoP was introduced with XP and Windows 2003.
I was not aware the underlying support had been backported to
Windows 2000.

 

[Guest]

Thanks for that direction. I tried the below code and it is not working in
Windows 2000 but working for XP and 2003. Seem that RsOP is not supported for
Windows 2000. I still do not know what is the solution for Windows 2000.

strDomain = "."
Set objWMIService = GetObject _
("winmgmts:\\" & strDomain & "\root\rsop\computer")

Set colItems = objWMIService.ExecQuery("Select * from
RSOP_SecuritySettingBoolean")


For Each objItem in colItems
Wscript.Echo "Category: " & objItem.KeyName
Wscript.Echo "Precedence: " & objItem.Setting
'Wscript.Echo "Failure: " & objItem.Failure
'Wscript.Echo "Success: " & objItem.Success
Wscript.Echo
Next


Set colItems = objWMIService.ExecQuery("Select * from
RSOP_SecuritySettingNumeric")


For Each objItem in colItems
Wscript.Echo "Category: " & objItem.KeyName
Wscript.Echo "Precedence: " & objItem.Setting
'Wscript.Echo "Failure: " & objItem.Failure
'Wscript.Echo "Success: " & objItem.Success
Wscript.Echo
Next

 

[Guest]

Hi thanks for your help. I tried the full path still the command does not
appear to pickup the effective settings. I have issued additional command
"Secedit /refreshpolicy machine_policy /enforce" But the the problem is, once
the refresh is done, the local policy setting is overlayed into the effective
setting!

I am not sure if this will help but for Windows 2000 try specifying the
secedit.sdb [full path] in your secedit command. --- Steve

Hi All,
I am trying to export Resultant Set Of Policies, or RSOP, meaning
"effective policy" using the below Secedit command in a batch file,
%SystemRoot%\system32\secedit.exe /export /mergedpolicy /cfg dump.inf
/areas
SECURITYPOLICY /quiet

I am getting the information from W2K3 and Xp but for W2K it appears to
only
pick up the local policy setting. It is strange that when in Local
Security
Settings and select Action and then Export List (this includes both policy
settings). Can someone here if you have any advice on how to pickup these
settings for Windows 2000 servers? Thanks in Advance.

Regards,
Murali.

 

[Steven L Umbach]

Hmm. Merged policy switch is shown as an option with Windows 2000 though I
have never tried it myself. The export effective settings in Local Security
Policy usually works but I don't think that will help with what you are
trying to do. --- Steve

Hi thanks for your help. I tried the full path still the command does not
appear to pickup the effective settings. I have issued additional command
"Secedit /refreshpolicy machine_policy /enforce" But the the problem is,
once
the refresh is done, the local policy setting is overlayed into the
effective
setting!

I am not sure if this will help but for Windows 2000 try specifying the
secedit.sdb [full path] in your secedit command. --- Steve

Hi All,
I am trying to export Resultant Set Of Policies, or RSOP, meaning
"effective policy" using the below Secedit command in a batch file,
%SystemRoot%\system32\secedit.exe /export /mergedpolicy /cfg dump.inf
/areas
SECURITYPOLICY /quiet

I am getting the information from W2K3 and Xp but for W2K it appears to
only
pick up the local policy setting. It is strange that when in Local
Security
Settings and select Action and then Export List (this includes both
policy
settings). Can someone here if you have any advice on how to pickup
these
settings for Windows 2000 servers? Thanks in Advance.

Regards,
Murali.

 

[Nick Finco [MSFT]]

Win2k doesn't support RSoP.

Remove the /mergedpolicy switch from your command line. With it you will
get the local policy table. Without it you will get the combined group
policy + local policy table. Don't use the /db parameter when you run this
either so it defaults to using secedit.sdb.

N

 

[Guest]

Hello Nick,
Thanks for your valuable suggestion. You are correct RSoP is not supported
in W2k. I tried the below even before I applied the switch mergedpolicy and
/db parameter not used,
%SystemRoot%\system32\secedit.exe /export /cfg dump.inf
I am only getting the local policy table and I am unable to the the combined
group policy + local policy table.
Example:
In window 2000 server, I set the password history setting for local to 5,
the effective setting was left at 6. Once the above command runs, the
results of the example is 5.
After that I tried another command,
%SystemRoot%\system32\secedit.exe /refreshpolicy machine_policy /enforce
%SystemRoot%\system32\secedit.exe /export /cfg dump.inf
I set the password history setting for local to 5, the effective setting was
left at 6. Once the script runs, the effective setting is changed to 5. The
results of the check for this example is 5. So still it does not appear to
pickup the effective settings. Any thought on this! I am not sure how this is
working in your server.

Thanks & Regards,
Murali.