GPO vs. LGPO settings in Security Options

Guest
Archived from groups: microsoft.public.win2000.group_policy

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation, check the
settings in 'Security Options', the settings are named differently than on my
W2K domain controller. For example:

Devices: Restrict CD-ROM access to locally logged on users and
on W2k DC I only have Restrict CD-ROM access to locally logged on users.

I downloaded the W2K3 Policysettings XLS sheet and the names present for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the 'Security
Options' come from?

Any help would be greatly appreciated.
 
Guest

Hi William

The policy text comes from the appropriate .adm file in the %windir%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows 2000
domain, you can update the .adm files on your DC's by downloading the latest
.adm files (which are currently Windows XP SP2). These can be downloaded
from:

http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows XP
client. For this you can use GPMC:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"William P" <WilliamP@discussions.microsoft.com> wrote in message
news:26A30D78-5D36-4384-A3A0-A720C3C575D2@microsoft.com...
> I have been testing my Domain-wide GPOs on XP SP2 workstations and have
> noticed that when I open 'Local Security Policy' on a workstation, check
> the settings in 'Security Options', the settings are named differently than
> on my W2K domain controller. For example:
>
> Devices: Restrict CD-ROM access to locally logged on users and
> on W2k DC I only have Restrict CD-ROM access to locally logged on users.
>
> I downloaded the W2K3 Policysettings XLS sheet and the names present for
> 'Security Options' are the same as what I see when opening the 'Local
> Security Policy'. But different from what I see when I open a GPO in my
> domain using the MMC.
>
> Why is this?
>
> My second question is: Where does the text description for the 'Security
> Options' come from?
>
> Any help would be greatly appreciated.
>
 
Guest

Thanks Mark,

This is true for certain policy settings, however, when you look in Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings do not come from an ADM-template file.
The setting, for example:
Accounts: Rename Guest Account

is not present in an ADM-template file.

This is why I was wondering where the text descriptions for the settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the descriptions are
different than they appear in a GPO in the domain.

Can you clarify this please?

William


"Mark Renoden [MSFT]" wrote:

> Hi William
>
> The policy text comes from the appropriate .adm file in the %windir%\inf
> folder. The policy text (and descriptions) have simply evolved between
> Windows versions. If you're running Windows XP clients in your Windows 2000
> domain, you can update the .adm files on your DC's by downloading the latest
> .adm files (which are currently Windows XP SP2). These can be downloaded
> from:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en
>
> If you do this, beware of:
>
> http://support.microsoft.com/default.aspx?kbid=842933
>
> The alternative is to edit the GPO's as an Administrator from a Windows XP
> client. For this you can use GPMC:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

Hi William

I'm not sure where these are stored (if they are in a file anywhere). It
may be the case that they are hardcoded. As with the .adm based policies,
the names of the settings have evolved with the operating system.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"William P" <WilliamP@discussions.microsoft.com> wrote in message
news:944B8DC6-7B6F-4151-B9CF-001B3E7A5FE3@microsoft.com...
> Thanks Mark,
>
> This is true for certain policy settings, however, when you look in
> Computer Configuration \ Windows Settings \ Security Settings \ Local
> Policies \ 'Security Options', these settings do not come from an
> ADM-template file.
> The setting, for example:
> Accounts: Rename Guest Account
>
> is not present in an ADM-template file.
>
> This is why I was wondering where the text descriptions for the settings
> found under 'Security Options' are located.
>
> By starting Local Security Policy on an XP workstation, the descriptions
> are different than they appear in a GPO in the domain.
>
> Can you clarify this please?
>
> William

Guest

Thanks Mark,

The reason I ask this is because I imported the XP SP2 adm-templates into
our W2K domain and I don't see the new 'Security Options' setting
descriptions and was wondering if there is a way to be able to see them.
Presently, our domains are 100% W2K servers and in the future we will be
prepping our Schema to allow for W2K3 DCs. Once we have W2K3 DCs, will the
setting descriptions change to those seen in the 'PolicySettings.XLS' file
which can be downloaded from Microsoft?

Also, after introducing W2K3 DCs into our environment, we will then be
having a mixture of W2K and W2K3 DCs. When I open a GPO, which text
descriptions will I be seeing?

William

"Mark Renoden [MSFT]" wrote:

> Hi William
>
> I'm not sure where these are stored (if they are in a file anywhere). It
> may be the case that they are hardcoded. As with the .adm based policies,
> the names of the settings have evolved with the operating system.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

Mark,

The descriptions are located in %windir%\inf\sceregvl.inf.

Is it possible to replace the XP version of this file with the one on my W2K
DC?

William

"Mark Renoden [MSFT]" wrote:

> Hi William
>
> I'm not sure where these are stored (if they are in a file anywhere). It
> may be the case that they are hardcoded. As with the .adm based policies,
> the names of the settings have evolved with the operating system.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

Hi William

Your best bet is to administer the policies from a Windows XP machine using
GPMC or the Admin Tools:

GPMC

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Adminpak

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

You will see the descriptions that correspond to the operating system you
are editing the policy from. You may be able to use the information from
the following knowledge base article to copy the XP sceregvl.inf file to
Windows 2000 machines but I'd consider just using an XP client as an
administration station.

214752 How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/?id=214752

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"William P" <WilliamP@discussions.microsoft.com> wrote in message
news:C91C961C-47F5-4156-9A41-B8AEE4778D6A@microsoft.com...
> Mark,
>
> The descriptions are located in %windir%\inf\sceregvl.inf.
>
> Is it possible to replace the XP version of this file with the one on my
> W2K DC?
>
> William
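
As an added example (not part of the thread and not Microsoft tooling), the Python sketch below compares two copies of sceregvl.inf and reports settings whose display name differs while the registry value behind them is unchanged, which is the effect discussed above. It assumes the `[Register Registry Values]` / `[Strings]` layout described in KB 214752; both excerpts are constructed, with the CD-ROM labels taken from the example in the thread.

```python
import re

# Constructed excerpts in the sceregvl.inf layout (not copied from a real
# system). Labels for the CD-ROM setting follow the example in the thread.
W2K_INF = r"""
[Register Registry Values]
; RegPath,RegType,DisplayName,DisplayType
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0

[Strings]
AllocateCDRoms = "Restrict CD-ROM access to locally logged on users"
AuditBaseObjects = "Audit the access of global system objects"
"""

XP_INF = r"""
[Register Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0

[Strings]
AllocateCDRoms = "Devices: Restrict CD-ROM access to locally logged on users"
AuditBaseObjects = "Audit: Audit the access of global system objects"
LimitBlankPasswordUse = "Accounts: Limit local account use of blank passwords"
"""

SECTION = re.compile(r"^\[(.+?)\]\s*$")

def parse_sections(text):
    """Split INF text into {lower-cased section name: [non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1).lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def load_labels(text):
    """Map each registry value path (lower-cased) to its display name."""
    sections = parse_sections(text)
    strings = {}
    for line in sections.get("strings", []):
        key, _, value = line.partition("=")
        strings[key.strip().lower()] = value.strip().strip('"')
    labels = {}
    for line in sections.get("register registry values", []):
        fields = line.split(",", 3)
        if len(fields) < 3:
            continue  # malformed entry: no display-name field
        path, token = fields[0].strip(), fields[2].strip()
        m = re.fullmatch(r"%(.+)%", token)
        # Unresolved %tokens% are kept as-is so a missing string is visible.
        labels[path.lower()] = strings.get(m.group(1).lower(), token) if m else token.strip('"')
    return labels

def diff_labels(old_text, new_text):
    """Compare two copies keyed on the registry path, not the label."""
    old, new = load_labels(old_text), load_labels(new_text)
    renamed = {p: (old[p], new[p]) for p in old.keys() & new.keys() if old[p] != new[p]}
    return {"renamed": renamed,
            "only_old": sorted(old.keys() - new.keys()),
            "only_new": sorted(new.keys() - old.keys())}

if __name__ == "__main__":
    # Assumption: on-disk copies must be decoded with their actual encoding
    # (often UTF-16 on newer Windows versions) before being passed in.
    result = diff_labels(W2K_INF, XP_INF)
    for path, (old, new) in sorted(result["renamed"].items()):
        print(f"{path}\n  old: {old}\n  new: {new}")
    for path in result["only_new"]:
        print(f"only in second file: {path}")
```

When checking a GPO against a baseline such as the PolicySettings spreadsheet, match on the registry path rather than the display name, since the label depends on which OS the editor runs on.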