Re: Grpedit.msc from bootable cd

"John John" <audetweld@xxxxxxxxxxx> wrote in message
news:%23T7aMluOIHA.5860@xxxxxxxxxxxxxxxxxxxxxxx
Sam Hobbs wrote:
"John John" <audetweld@xxxxxxxxxxx> wrote in message
news:eMM8OYlOIHA.4912@xxxxxxxxxxxxxxxxxxxxxxx

Sam Hobbs wrote:


It probably depends on what is meant by "stored". I know that some Group
Policies, probably most, are effective only when they are put into the
registry. It is possible to affect the effectivity of a policy by
changing only the registry. The confusion lprobably is that the policy
editor edits data from a non-registry file that administrators are more
familiar with than I. Any changes made by the policy editor will be
ineffective unless they are put into the registry.

Does that sound like an explanation of what the "Microsoft tech article"
meant?

No, Sam. The security settings are saved and applied elsewhere, I don't
believe that you can restore the logon rights by registry modifications.



Sure, security settings exist elsewhere; somewhere in the NTFS which is
not documented. Security settings are DACLs, ACEs, SIDs and other objects
which are documented. The group policy that determines security settings
does not exist in the NTFS.

It's not the same kind of security settings, Sam. I think you may have
been right in your first post, maybe flags in the Security Accounts
Manager (SAM) database decide if the policy applies or not. I don't know.
As far as I know this is run by the Local Security Authority Subsystem
Service (LSASS), but I'm just not sure where lsass obtains the
instructions.

Security Subsystem Architecture
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_dozq.mspx?mfr=true

John


I am not sure either. So hopefully our comments are enough for the purposes
of this thread. I don't know much about the LSASS but I know it is worth
learning about.



.

Relevant Pages

  • Re: Grpedit.msc from bootable cd
    ... Sam Hobbs wrote: ... It is possible to affect the effectivity of a policy by changing only the registry. ... The security settings are saved and applied elsewhere, I don't believe that you can restore the logon rights by registry modifications. ...
    (microsoft.public.windowsxp.basics)
  • Re: Grpedit.msc from bootable cd
    ... It is possible to affect the effectivity of a policy by ... changing only the registry. ... security settings exist elsewhere; somewhere in the NTFS which is not ...
    (microsoft.public.windowsxp.basics)
  • Re: How do I add/edit a registry key using group policy?
    ... > you can create a GPO containing the key and send it down to all pcs on the ... > security settings and right click registry. ... i created a policy on my test domain on an ou, ... it said security settings had been received via this method - i take it ...
    (microsoft.public.win2000.group_policy)
  • What exactly is secedit.sdb
    ... it stores a copy of many security settings. ... settings are stored in the registry/filesystem. ... secedit.sdb refreshes the registry when "applying security ... [Kerberos Policy] ...
    (microsoft.public.win2000.security)
  • Re: What program is used to write events to the event log??????
    ... The intent of Safer is for it to be applied from AD in GPOs. ... that they are refteshed by the sce policy engine. ... > registry files is that while apparently the restrictions are aplied...you ... >>> issue....whenever there is an exe being started it normally writes this ...
    (microsoft.public.windowsxp.security_admin)