Secedit and Domain Controller Security Policy

[hsd31]

My understanding is that secedit is for Local Machine Security Policy
only. Is there a tool similar to secedit for automating Domain
Controller Security Policy settings.

 

[Steven L Umbach]

You configure the appropriate domain/OU Group Policy. You can import
security templates and the settings will apply to the computers in the OU
[and possibly child OU's of the parent]. You can use existing security
templates or create your own from new or modifying an existing one from a
copy. Beware that some of the security templates that come with Windows 2003
are bad in that they disable critical services for domain controllers so
always review a security template before importing. The domain controller
container is really an OU though you don't usually see it called that. For
domain controllers I suggest that instead of modifying the default Domain
Controller Security Policy that you add a new Group Policy to the domain
controller OU and modify that GPO and place it at the top of the list of
GPO's linked to the container. That way you have a quick way to restore
default settings by unlinking the new GPO if things go wrong. --- Steve

 

[hsd31]

Thanks for the info Steven.

I'm actually working on a product for Win2K servers. If the product is
installed on a Win2K DC, then during installation I want to modify a
particular setting in the Domain Controller Security Policy. I was
investigating it there is any tool similar to secedit.exe or
gpupdate.exe that can be used to modify a particular setting in the
Domain Controller Security Policy for a Windows 2000 DC. Thanks.