import security settings into a GPO

[Graham Turner]

this is a follow up to a previous post of mine titled "clear the database
before importing" which i closed on account of other issues but now it seems
down to the refresh of GPO values that are imported from a security template
file

we have used as a base line for the security of the domain controllers
security templates from Microsoft security operations guide

these have required modification to meet the site requirement

eg we have modified the startup value of the spooler service to a value
which is i think is the first value (changed from 4 to 2) after the service
name

the security template has been subsequenlty reimported following this change
but for some reason the value in the registry does not change

this suggests quite clearly that a previous value is "sticking" and contrary
to information in a previous post is not being overwritten as it should be

observed behaviour is that other registry values such as restrictanonymous
are being updated correctly

perhaps this is behaviour with refresh of service startup values ??

is this a known issue ??

would seem that the fix is to check the clear database before importing the
template file

wanted to understand the impact of this before doing so -

what database does this actually refer to ?

is it the GPO itself, and if so does it clear all values in the GPO or does
it read the template and only remove those in the template file ??

GT

 

[Tim Springston \(MSFT\)]

Hi Graham-

The security database it is referring to is the
%systemroot%\security\secedit.sdb. The SceCli (security client side
processing engine)uses this to compile and process security settings
received from group policy.

The end result of the particular processing you are tracking is that a
change is made to registry values for the startup types of services.

Are you seeing the service startup types not appear (even in the registry)?

This should be that location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

If you are not seeing that value appear there as it should, I would verify
that there is no other group policy that is defining that value processing
against that machine. The tool for that is to gather a GPRESULT /V. The
setting amy not appear, but it will at least show you all policies
processing in that user and machine context so that you can look at them
each to see if the potential conflicting setting is set in them or not.

Please repost if we can help.

 

[Tim Springston \(MSFT\)]

Hi Graham-

I believe that when they refer to 'clearing the database' they are saying to
remove the current secedit.sdb and associated log files. They would be
recreated automatically.

There are temp/working files the settings are put in by the security client
side engine at %systemroot%\security\templates\policies.

That's not really where I'd suggest looking for general 'did my settings get
processed' questions. The obvious thing is to see if the setting is doing
what is should.

To look at security client side logging in detail to verify the setting is
being processed you would want to enable WINLOGON logging. Here's an
article on how to do that:

245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Tim, thanks for the post reply.

i attach the relevant section of the script - not sure if this is totally
required.

are you able to elaborate on the process of import of settings into the
secedit.sdb ??

we do see the service startup in the registry - this is set to 4 (a value
set by a previous security import file)

we even go the length of setting it manually on the local machine to 2
(auto) waiting for the GPO to refresh - and lo and behold it goes back to 4
so it is obviously learning it back from the GPO ?)

i infer the GPO itself is kapout -

** it seems i need to troubleshoot the import of the template file into the
GPO ?

the GPO editor unfortunately does not let us view these security settings
relating to service configuration)

can you suggest ways of verfiying what value is maintained for this service
startup in the GPO ?

point taken on the use of GPRESULT /V - will check but i think this will
confirm as above that the GPO is processing a value of 4

on secedit.sdb - is this an intermedaite repository for the security
settings received from Group policy which are then imported into the
registry when the group policy is processed ?

if so what relevance does this "clear database before importing" have when
we edit the GPO - does it mark the GPO somehow so that it clears the
secedit.sdb before processing the securtiy settings in the GPO ??

OR - does the secedit.sdb come into play when we edit the Group policy
object ??

thanks for your help

GT

Hi Graham-

The security database it is referring to is the
%systemroot%\security\secedit.sdb. The SceCli (security client side
processing engine)uses this to compile and process security settings
received from group policy.

The end result of the particular processing you are tracking is that a
change is made to registry values for the startup types of services.

Are you seeing the service startup types not appear (even in the registry)?

This should be that location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

If you are not seeing that value appear there as it should, I would verify
that there is no other group policy that is defining that value processing
against that machine. The tool for that is to gather a GPRESULT /V. The
setting amy not appear, but it will at least show you all policies
processing in that user and machine context so that you can look at them
each to see if the potential conflicting setting is set in them or not.

Please repost if we can help.

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

this is a follow up to a previous post of mine titled "clear the database
before importing" which i closed on account of other issues but now it seems
down to the refresh of GPO values that are imported from a security template
file

we have used as a base line for the security of the domain controllers
security templates from Microsoft security operations guide

these have required modification to meet the site requirement

eg we have modified the startup value of the spooler service to a value
which is i think is the first value (changed from 4 to 2) after the service
name

the security template has been subsequenlty reimported following this change
but for some reason the value in the registry does not change

this suggests quite clearly that a previous value is "sticking" and contrary
to information in a previous post is not being overwritten as it

should

be importing
the