Re: Grpedit.msc from bootable cd

Sam Hobbs wrote:
"John John" <audetweld@xxxxxxxxxxx> wrote in message news:eMM8OYlOIHA.4912@xxxxxxxxxxxxxxxxxxxxxxx

Sam Hobbs wrote:


It probably depends on what is meant by "stored". I know that some Group Policies, probably most, are effective only when they are put into the registry. It is possible to affect the effectivity of a policy by changing only the registry. The confusion lprobably is that the policy editor edits data from a non-registry file that administrators are more familiar with than I. Any changes made by the policy editor will be ineffective unless they are put into the registry.

Does that sound like an explanation of what the "Microsoft tech article" meant?

No, Sam. The security settings are saved and applied elsewhere, I don't believe that you can restore the logon rights by registry modifications.



Sure, security settings exist elsewhere; somewhere in the NTFS which is not documented. Security settings are DACLs, ACEs, SIDs and other objects which are documented. The group policy that determines security settings does not exist in the NTFS.

It's not the same kind of security settings, Sam. I think you may have been right in your first post, maybe flags in the Security Accounts Manager (SAM) database decide if the policy applies or not. I don't know. As far as I know this is run by the Local Security Authority Subsystem Service (LSASS), but I'm just not sure where lsass obtains the instructions.

Security Subsystem Architecture
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_dozq.mspx?mfr=true

John
.

Relevant Pages

  • Re: Grpedit.msc from bootable cd
    ... It is possible to affect the effectivity of a policy by ... changing only the registry. ... security settings exist elsewhere; somewhere in the NTFS which is ...
    (microsoft.public.windowsxp.basics)
  • Re: Grpedit.msc from bootable cd
    ... It is possible to affect the effectivity of a policy by ... changing only the registry. ... security settings exist elsewhere; somewhere in the NTFS which is not ...
    (microsoft.public.windowsxp.basics)
  • Re: How do I add/edit a registry key using group policy?
    ... > you can create a GPO containing the key and send it down to all pcs on the ... > security settings and right click registry. ... i created a policy on my test domain on an ou, ... it said security settings had been received via this method - i take it ...
    (microsoft.public.win2000.group_policy)
  • What exactly is secedit.sdb
    ... it stores a copy of many security settings. ... settings are stored in the registry/filesystem. ... secedit.sdb refreshes the registry when "applying security ... [Kerberos Policy] ...
    (microsoft.public.win2000.security)
  • Re: What program is used to write events to the event log??????
    ... The intent of Safer is for it to be applied from AD in GPOs. ... that they are refteshed by the sce policy engine. ... > registry files is that while apparently the restrictions are aplied...you ... >>> issue....whenever there is an exe being started it normally writes this ...
    (microsoft.public.windowsxp.security_admin)