[gptalk] Re: local security policy & local group policy

  • From: "Dave Clapham" <daveclapham@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jan 2009 20:30:48 -0600

That is all I am after is the "configured" settings.  Don't need the others.
 
I believe I could be happy if I had a printout of the policy settings in 
"expanded view", then I would have paper copy showing me what I should set 
under computer and under user.  If I am working on several different machines 
within a few days, I probably can remember them, but if it's been a week or two 
or more, then... I may not.
 
How do I "throw it all into a spreadsheet"??

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Cruz, Jerome L
Sent: Fri 1/16/2009 8:06 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy



The problem is that the RSoP.msc and GPMC reports only display 'configured' 
settings delivered from GPOs, not all the settings that exist. [Even the 
Security Config and Analysis Snap-in is limited in this manner.]

 

That said, there is a local "security settings dump utility" called Secedit. 

 

For Windows Server 2003, you can use the following command line in a CMD prompt 
to dump the info:

secedit /export /cfg secdump.inf

 

Also, you should review KB article: http://support.microsoft.com/kb/914041 

 

One of the issues is that the data exported is in INF template format. This 
means you have to know what each setting actually is. Some are obvious, some 
less so, and some 'really' hard to match up. I'm positive that there are other 
utilities to get the data, but I haven't needed anything else...at least not 
yet!

 

hmmm.. XX days until you have to change your password, okay, that's pretty 
easy...

MaximumPasswordAge = XX

...

Ummm... Digital Signing required? Server or client?

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0

...

What? Some User Rights Assignment setting, but SID lookup as well, geez...

SeCreateGlobalPrivilege = *S-1-5-32-XXX,*S-1-5-XXX

 

You can do quite a bit of matching by having the Local Security Policies 
console open, but it's hard to get "all" the values matched up. Of course, once 
you do have all the matches, then you can dump any number of machines and throw 
it all into a spreadsheet. Also, many times, I only need a few settings, so 
just work on those you really need since the Secedit utility will allow you to 
dump specific sections.

 

Jerry Cruz | Group Policies Product Manager | Windows Infrastructure 
Architecture | Boeing IT
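
Added example (not part of the original thread and not any poster's code): one way to turn several secedit /export dumps into a single spreadsheet-ready CSV, written in Python. The function names, machine names and sample values are constructed for illustration; the three setting styles are the ones quoted in the message above.

```python
import csv
import io

# Type codes that prefix each value in the [Registry Values] section of a security template.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

def decode_export(raw: bytes) -> str:
    """secedit exports are usually UTF-16 with a BOM; otherwise treat the file as ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")

def parse_inf(text: str, machine: str):
    """Yield one (machine, section, setting, type, value) row per setting line."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line or section in (None, "Unicode", "Version"):
            continue  # skip file bookkeeping sections, keep only policy settings
        name, value = (part.strip() for part in line.split("=", 1))
        kind = ""
        if section == "Registry Values":
            code, _, value = value.partition(",")  # e.g. "4,0" -> REG_DWORD, 0
            kind = REG_TYPES.get(code, "type " + code)
        elif section == "Privilege Rights":
            # A leading '*' marks a SID; entries without it are account names.
            value = ";".join(v.strip().lstrip("*") for v in value.split(","))
        yield (machine, section, name, kind, value.strip('"'))

def to_csv(exports: dict) -> str:
    """exports maps a machine name to the raw bytes of that machine's secdump.inf."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["machine", "section", "setting", "type", "value"])
    for machine, raw in sorted(exports.items()):
        writer.writerows(parse_inf(decode_export(raw), machine))
    return out.getvalue()

# Constructed sample export; the values are illustrative, not from a real machine.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n[System Access]\r\nMaximumPasswordAge = 42\r\n[Registry Values]\r\n"
    "MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,0\r\n"
    "[Privilege Rights]\r\nSeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6\r\n[Version]\r\nRevision=1\r\n"
).encode("utf-16")
```

Calling to_csv with one entry per machine, for example {"SRV01": SAMPLE, "SRV02": SAMPLE}, gives one row per setting per machine, so the output can be sorted or pivoted by setting to compare machines side by side. SIDs are left unresolved; translating them to account names is a separate lookup on the machine the dump came from.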

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Friday, January 16, 2009 12:26 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy

 

No, sadly it won't. I don't recall if RSOP.MSC has any kind of export 
capability but you might try that.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Dave Clapham
Sent: Friday, January 16, 2009 12:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy

 

Will it still do that for those computers that aren't part of the domain?

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie
Sent: Friday, January 16, 2009 1:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy

 

Sounds like you want the GP Results Wizard in GPMC. It can run a RSoP against a 
remote system and give you a nice HTML report which you can print and/or save.

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy 
Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Dave Clapham
Sent: Friday, January 16, 2009 1:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy

 

I tried the gpresult /z >gp.txt but it didn't give me the desired results.  It's 
close but doesn't drill down deep enough to tell me the policy name, etc..

 

So does anyone make something that will tell me what policies have been set?  I 
would prefer a free solution but that doesn't look very promising.  So how 
about payware??

 

Dave 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Thursday, January 15, 2009 9:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: local security policy & local group policy

 

Daniel-

If you are talking about the Local Security Policy shortcut that you see in 
Administrative Tools, then that is simply an MMC snap-in tool focused on the 
security portion of the local GPO. So you are essentially looking at a subset 
of the Local GPO. That being said, security policy on the local GPO is made 
against the live system, instead of being stored in settings files like it is 
for other local GPO settings. That makes it somewhat special and often 
troublesome to manage.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of daniel
Sent: Thursday, January 15, 2009 7:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] local security policy & local group policy

 

hi all,

 

simple question.

 

what is the difference between the local security policy and the local group 
policy?

 

daniel.
