Re: Viewing Local Security Policy on Windows 2003 Member Server?



Windows ships with a default security setup that is defined by regular security templates, typically found in c:\windows\inf. Those templates can be viewed using the Security Templates editor MMC snap-in and can show you what the default settings are prior to joining a domain. Once you've joined the domain, those original settings are not viewable through any interface.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

Script Group Policy Settings with the GPExpert Scripting Toolkit for PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php

Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message news:xMCdnfSpSKbZPIjanZ2dnUVZ_hKdnZ2d@xxxxxxxxxxxxxxx
"Darren Mar-Elia" <dmanonymous@xxxxxxxxxxxxx> wrote in message news:uO3xHeHEIHA.536@xxxxxxxxxxxxxxxxxxxxxxx
That's correct. You will only see the effective security policy using gpedit.msc. I don't know of any tools that will show you the default security policy in the absence of a domain, while you're in the domain. My rough understanding of the way that works is that for member servers and workstations in the domain, their local LSA policy is temporarily suppressed by any domain policy they receive. There may be APIs that would query that "raw" policy directly but I haven't seen them. I think the best you can do is view one of the default security templates that are applied to Windows when it's installed, like setupsecurity.inf or defltwk.inf.

I realize the Windows 2000 way of presenting the information was confusing to many, but in terms of ability to do research on the state of a machine, the Windows 2003 way looks like a step backwards.

Where is the file that stores the local machine policy prior to merging with group policy stored? That file cannot be opened directly by any utility that would show the policy in a GUI, resolving the SIDs?

--
Will


"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message news:SYqdnRYNobOFHIjanZ2dnUVZ_vCknZ2d@xxxxxxxxxxxxxxx
"Alan" <alan@xxxxxxxxx> wrote in message news:uXJGfVGEIHA.1316@xxxxxxxxxxxxxxxxxxxxxxx
Can't you just add the Group Policy Object Editor through MMC and scope it to the local machine?

Maybe I am missing something?

Maybe I am doing this wrong, but I start MMC, Add-In Group Policy Object Editor, specify Local Machine, and Add. When I go to view the policies, they are NOT the local policies, but are the domain policies.

--
Will

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message news:UsqdnTDIGY-K7YjanZ2dnUVZ_s-pnZ2d@xxxxxxxxxxxxxxx
Is there an application that will show the current values stored in *local* security policy on a Windows 2003 member server? I know I can use rsop.msc to view *group* policy, but I don't want group policy of the domain as applied to the member server. I want to see what are the native security settings that would be in effect on the member server if it were not in the domain at all.

Windows 2000 secpol.msc used to show you both the local and effective settings. It looks like Microsoft removed that from Windows 2003. Is there any way to recover this local view short of removing the computer from the domain and rebooting?!
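
For readers following the thread's suggestion to inspect a default security template offline, here is an added example (not from any poster in the thread) that parses a template's sections and resolves the SIDs in `[Privilege Rights]` to names. The sample template text and the short well-known-SID table are constructed for illustration, and the script reads a template file, not the live LSA policy.

```python
import re

# Subset of well-known SIDs (fixed values on every Windows install).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample in security-template layout, not taken from a real system.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight =
"""

def load_template(path):
    """Read a template file; they are normally UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    has_bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    return data.decode("utf-16" if has_bom else "cp1252")  # cp1252 is an assumed fallback

def parse_template(text):
    """Return {section: {key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def resolve_privilege_rights(sections):
    """Map each user right to names; SIDs not in the table stay as SIDs."""
    rights = {}
    for right, value in sections.get("Privilege Rights", {}).items():
        members = [m.strip() for m in value.split(",") if m.strip()]
        rights[right] = [WELL_KNOWN_SIDS.get(m[1:], m[1:]) if m.startswith("*") else m for m in members]
    return rights
```

Domain and machine-specific SIDs (the `S-1-5-21-...` form) are left unresolved because translating them requires the system that issued them.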


