Local security settings - secedit

ravi

Hello,

Local security settings - secedit

I am trying to export local security settings using secedit on Windows
2003.

secedit /export /cfg local.inf /log local.log
secedit /export /mergedpolicy /cfg merged.inf /log merged.log

My understanding is the first call gives local settings even if the
server is connected to domain and domain policy settings are
overriding.

Second command gives the merged policies from domain based GPOs. The
number of settings is different in both cases, but the values always
seem to be domain values.

Example: If I have minimum password length set to 8 chars on local and
10 chars on domain, both the above commands give 10 chars.

I take the server out of domain (make it a stand alone server) then I
get a value of 8 on both cases.

Anyone else see this behavior? How do I dump settings from local
secedit.sdb?

Thanks

Ravi
 
Steven L Umbach

I don't believe you can export the true local security settings of a domain
computer. I found results similar to yours. For Windows 2003 when you are
using the secedit /export command you really are exporting the "effective"
settings for the computer's security policy. When you use the /mergedpolicy
switch you are exporting those security settings that are defined at the
domain/OU level that are overriding the local settings. I suppose if you
want to find the true local settings [other than password policy possibly]
you could create an OU with block inheritance enabled on it and move your
computer into it, refresh the Group Policy on the domain controller and
reboot the domain computer you want to analyze. --- Steve
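
Added example, not part of the original thread: a small Python script that parses two secedit exports, such as the local.inf and merged.inf produced by the commands in the question, and buckets each setting by whether the two files agree on it. The sample exports are constructed, and the function names and the cp1252 fallback for files without a UTF-16 byte-order mark are assumptions.

```python
import codecs

SKIP = {"unicode", "version"}  # file metadata sections, not policy settings

def decode_export(raw: bytes) -> str:
    # UTF-16 is detected by its BOM; the cp1252 fallback is an assumption.
    bom = raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE))
    return raw.decode("utf-16" if bom else "cp1252")

def parse_inf(text: str) -> dict:
    """Return {(section, key): value} for each 'key = value' line."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif (section and section.lower() not in SKIP
              and "=" in line and not line.startswith(";")):
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def compare(local: dict, merged: dict) -> dict:
    """Bucket settings by whether the two exports agree on them."""
    shared = local.keys() & merged.keys()
    return {
        "same": sorted(k for k in shared if local[k] == merged[k]),
        "differ": sorted(k for k in shared if local[k] != merged[k]),
        "only_local": sorted(local.keys() - merged.keys()),
        "only_merged": sorted(merged.keys() - local.keys()),
    }

# Constructed sample exports, shaped like the thread's local.inf / merged.inf.
LOCAL_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 10
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
"""
MERGED_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 10
"""

if __name__ == "__main__":
    report = compare(parse_inf(LOCAL_INF), parse_inf(MERGED_INF))
    for bucket, keys in report.items():
        print(f"{bucket}: {[f'{s}/{k}' for s, k in keys]}")
```

To run it on real exports, read each file in binary mode and pass the bytes through decode_export before parse_inf.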
 
Glenn L

If the workstation has never had any changes made to the local, then you can
simply view C:\WINDOWS\security\templates\setup security.inf
This is the out of the box security template applied to all XP workstations.


--
Glenn L

CCNA, MCSE (2000,2003) + Security
 
Steven L Umbach

That is a big if which is what I think he is trying to determine. --- Steve


 
Ravi Reddy

Thanks Steve,

Do you know where these local settings are stored? If I take my 2003
server out of domain (moved to workgroup), I can see these settings in
local security settings MMC.

What is the use of secedit.sdb in 2003? I copied this to another
directory and ran a secedit /export on this db. The exported file is
empty. I am not sure any settings are stored in this DB in 2003. A
quick search through registry did not find anything either.

Ravi

 
Steven L Umbach

I don't know the exact mechanics of how it works in Windows 2003. You should
be able to move it to an OU with block inheritance enabled on the OU and
then see the "true" local policy I believe. That would be easier than
removing it from the domain. I suppose it really does not matter that much
as in a domain it is the effective policy that matters and you need to plan
your GPOs carefully to get the expected results. --- Steve


 