Security Option Settings Are Not Shown in Gpedit.msc After You Apply a Security Template with Secedit.exe on a Standalone Server

Symptoms

If you apply a security template by using the secedit /configure command and you then start the Local Group Policy snap-in or you run Gpedit.msc to view the new settings, the old configuration settings may still appear. The Local Group Policy snap-in may not show the new settings from the applied template although the registry keys exist and the policy is working.

This behavior occurs if the secedit /configure command contains settings for the Computer Configuration\Windows Settings\Security Settings\Security Options node (such as Message text for users attempting to log on). Running the secedit /refreshpolicy machine_policy /enforce command does not resolve this behavior. Therefore, you cannot see the actual current settings on the server by using the Local Group Policy snap-in.

This behavior occurs on a Windows 2000-basd server that is part of a Microsoft Windows NT 4.0-based domain, or on a standalone Windows 2000-based server in a workgroup.

Cause

On a computer that does not receive domain policies (such as a server that is joined to a Windows NT 4.0-based domain or is joined to a workgroup), security extensions are not registered with the local Group Policy engine until a change is made in the local security policy editor. A single one-time change will register the extension.

Resolution

To work around this behavior, use either of the following methods.

Method 1

Manually change a policy in the Local Group Policy snap-in one time.

Method 2

If you want to use an automated solution, follow these steps:

  1. Use the following command to apply the security template
    secedit /configure /db databse.sdb /cfg yourtemplate.inf
    where database.sdb is the name of your database and yourtemplate.inf is the security template that you want to apply.


  2. Create a new text file named Gpt.ini. Paste the following text into the Gpt.ini file:
    [General]
    gPCFunctionalityVersion=2
    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
    Version=4
  3. Save and then close the file.
  4. Replace the existing Gpt.ini file in the %SystemRoot%\System32\GroupPolicy folder on the Windows 2000-based server with the new Gpt.ini file.
  5. At a command prompt, run the following command:
    secedit /refreshpolicy machine_policy /enforce
The information in the new Gpt.ini file registers the security extension with the local Group Policy engine. When you start the Local Group Policy snap-in, the current settings from the security template are shown.

Status

This behavior is by design.
Propriedades

ID do Artigo: 329055 - Última Revisão: 19 de jun de 2014 - Revisão: 1

Comentários