Hi, It will work fine . Now I have one more query Below group policy settings which is available in 20003 and not in 2000 server. If I apply these setting any will effect the windows 2000 server? Thanks and Regards, Ranjan 2003 Allow log on locally User Rights security settings are not registry keys 2003 Allow log on through Terminal Services User Rights security settings are not registry keys 2003 Deny log on through Terminal Services User Rights security settings are not registry keys 2003 Perform volume maintenance tasks User Rights security settings are not registry keys 2003 Accounts: Administrator account status Not a registry key 2003 Accounts: Guest account status Not a registry key 2003 Accounts: Limit local account use of blank passwords to console logon only MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse 2003 DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction 2003 DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction 2003 Devices: Allow undock without having to log on MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon 2003 Devices: Restrict CD-ROM access to locally logged-on user only MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms 2003 Domain controller: LDAP server signing requirements MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity 2003 Domain controller: Refuse machine account password changes MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange 2003 Domain member: Maximum machine account password age MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge 2003 Interactive logon: Require Domain Controller authentication to unlock workstation MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon 2003 Interactive logon: Require smart card MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption 2003 Network access: Allow anonymous SID/Name translation Not a registry key 2003 Network access: Do not allow anonymous enumeration of SAM accounts MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM 2003 Network access: Do not allow storage of credentials or .NET Passports for network authentication MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds 2003 Network access: Let Everyone permissions apply to anonymous users MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous 2003 Network access: Named Pipes that can be accessed anonymously MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes 2003 Network access: Remotely accessible registry paths MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine 2003 Network access: Remotely accessible registry paths MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine 2003 Network access: Remotely accessible registry paths and subpaths MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine 2003 Network access: Restrict anonymous access to Named Pipes and Shares MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares 2003 Network access: Shares that can be accessed anonymously MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares 2003 Network access: Sharing and security model for local accounts MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest 2003 Network security: Do not store LAN Manager hash value on next password change MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash 2003 Network security: Force logoff when logon hours expire Not a registry key 2003 Network security: LDAP client signing requirements MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity 2003 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec 2003 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec 2003 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy 2003 System Cryptography: Force strong key protection for user keys stored on the computer MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection 2003 System objects: Default owner for objects created by members of the Administrators group MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner 2003 System objects: Require case insensitivity for non-Windows subsystems MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive 2003 Full Policy Name Registry Settings 2003 System settings: Optional subsystems MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional 2003 System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled -----Original Message----- From: Ranjan Babu .G Sent: Mon 5/14/2007 12:48 PM To: gptalk@xxxxxxxxxxxxx Cc: Subject: GPMC console / Editing GP for 2000 SP4 server Hi, I have been Using GPMC sp1 on windows 2003 server to manage my GP. We modified SVRGL file to add MSS setting based on CIS recommendation and applied group policy working fine for all windows 2003 servers . Now my problem i want modify the GP setting for windows 2000 server SP4 in OU level And i need to add additional registry entry as per MSS for windows 2000 server. Which is best option to carry out for windows 2000 serever? I am planning to do it from windows 2000 server , first modify MSS setting in the SVRGRL INF file then i will modify /manage GP only for windows 2000 server from OU level. It should work .My concern if i do like this is any issues will arise . Does anyone have any ideas? Thanks and Regards, Ranjan