Edit a "local policy" from a remote machine?

Archived from groups: microsoft.public.win2000.group_policy

Hi,

Is there any way to edit a local security policy from a remote machine;
e.g. when you don't want a domain policy to stomp the local settings,
but need to change some of them?

--
Gerry Hickman (London UK)
  1.

    You can create a Security Template with the changes you need to implement
    and then use secedit to apply those settings via Group Policy startup script
    but it really might be easier to create an Organizational Unit with its own
    GPO with defined settings that would override domain policy. You could also
    create the Security Template, copy it to the target computer, and use the
    free psexec tool from SysInternals to remotely use secedit to configure the
    remote computer with the template. Security Templates are accessed and
    created/modified with the mmc snapin for Security Templates. --- Steve

    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- psexec
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321679 -- manage
    Security Templates
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx
    -- secedit syntax.

    "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
    news:ewzuH682EHA.3472@TK2MSFTNGP09.phx.gbl...
    > Hi,
    >
    > Is there any way to edit a local security policy from a remote machine;
    > e.g. when you don't want a domain policy to stomp the local settings, but
    > need to change some of them?
    >
    > --
    > Gerry Hickman (London UK)
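The template-plus-psexec route from the reply above, as an added example that is not part of the original thread. The file names `computers.txt` and `svc-rights.inf`, and `C:\WINNT` as the remote system root, are assumptions.

```bat
@echo off
rem Added example, not from the thread. Assumed names: computers.txt (one host
rem per line), svc-rights.inf (saved from the Security Templates snap-in) and
rem C:\WINNT as the remote system root (the Windows 2000 default).
rem Run it under an account that is already an administrator on the targets,
rem so that no password has to be passed on the psexec command line.
setlocal
set TEMPLATE=svc-rights.inf
set REMOTEDIR=C:\WINNT\Temp
set LOG=apply-template.log

if not exist "%TEMPLATE%" (echo Missing %TEMPLATE% & goto :eof)
for /f "usebackq tokens=1" %%C in ("computers.txt") do call :apply %%C
goto :eof

:apply
rem admin$ is the administrative share for the remote system root.
copy /y "%TEMPLATE%" "\\%1\admin$\Temp\%TEMPLATE%" >nul
if errorlevel 1 (
  echo %DATE% %TIME% %1 COPY-FAILED>>"%LOG%"
  goto :eof
)
rem /areas USER_RIGHTS applies only the user rights section of the template.
rem A right defined in the template is set to exactly the accounts listed
rem there, so list every account that must keep the right.
psexec \\%1 secedit /configure /db %REMOTEDIR%\svc-rights.sdb /cfg %REMOTEDIR%\%TEMPLATE% /areas USER_RIGHTS /log %REMOTEDIR%\svc-rights.log /quiet
rem psexec hands back the exit code of the remote process.
if errorlevel 1 (
  echo %DATE% %TIME% %1 SECEDIT-FAILED>>"%LOG%"
) else (
  echo %DATE% %TIME% %1 APPLIED>>"%LOG%"
)
rem Remove the copied template; the secedit log stays on the target for review.
del "\\%1\admin$\Temp\%TEMPLATE%"
goto :eof
```

Review `svc-rights.log` on a target before trusting the `APPLIED` line, since it records which settings secedit actually changed.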
  2.

    Hi Steven,

    > You can create a Security Template with the changes you need to implement
    > and then use secedit to apply those settings via Group Policy startup script

    The problem with that is that it would need a reboot?

    > but it really might be easier to create an Organizational Unit with its own
    > GPO with defined settings that would override domain policy.

    See "User Rights Assignment" thread, this doesn't seem to work. It would
    blast identical settings into all LSPs instead of just adding a few
    things here and there?

    > You could also
    > create the Security Template, copy it to the target computer, and use the
    > free psexec tool from SysInternals

    OK, good idea.

    What I tried today (which seems to work for user rights) is the
    NTRIGHTS.EXE utility from the Win2k reskit. You can add rights to remote
    computers without a reboot! I made a WSH script to loop through all
    computers adding the new service account I needed, then I started the
    services using WMI. I did this while everyone was logged in and it
    worked a treat.

    --
    Gerry Hickman (London UK)
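A batch version of the per-computer ntrights loop described in the post above, as an added example (it is not the poster's WSH script, and it leaves out the WMI step that starts the services). The account `EXAMPLE\svc-backup` and the file `computers.txt` are assumptions.

```bat
@echo off
rem Added example, not from the thread. Assumed names: computers.txt (one host
rem per line) and EXAMPLE\svc-backup (the service account). ntrights.exe from
rem the Windows 2000 Resource Kit must be on the PATH.
rem Usage: grant-right.cmd +r    grants the right on every host
rem        grant-right.cmd -r    revokes it again (rollback)
setlocal
set ACCOUNT=EXAMPLE\svc-backup
set RIGHT=SeServiceLogonRight
set LOG=grant-right.log
set MODE=%1
if "%MODE%"=="" set MODE=+r
if not "%MODE%"=="+r" if not "%MODE%"=="-r" goto usage

for /f "usebackq tokens=1" %%C in ("computers.txt") do call :change %%C
goto :eof

:change
rem One header line per host, then the raw ntrights output, so the log is a
rem complete record of what was attempted and what the tool reported.
echo ==== %DATE% %TIME% %1 %MODE% %RIGHT% %ACCOUNT%>>"%LOG%"
ping -n 1 -w 1000 %1 >nul
if errorlevel 1 (
  echo UNREACHABLE, skipped>>"%LOG%"
  goto :eof
)
rem -m names the target computer; -e writes a note to that computer's
rem event log so the change can be traced later.
ntrights %MODE% %RIGHT% -u "%ACCOUNT%" -m \\%1 -e "%RIGHT% %MODE% for %ACCOUNT% by %USERNAME%" >>"%LOG%" 2>&1
goto :eof

:usage
echo Usage: %0 [+r ^| -r]
```

Unlike a template, `ntrights +r` adds one account to one right and leaves the other holders of that right untouched.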
  3.

    Cool. Ntrights is a great utility. That is a great way to do it with a
    script that does not require a reboot. Thanks for reporting back what worked
    for you. --- Steve


    "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
    news:OHPKkHL3EHA.3756@TK2MSFTNGP14.phx.gbl...
    > Hi Steven,
    >
    >> You can create a Security Template with the changes you need to implement
    >> and then use secedit to apply those settings via Group Policy startup
    >> script
    >
    > The problem with that is that it would need a reboot?
    >
    >> but it really might be easier to create an Organizational Unit with its
    >> own GPO with defined settings that would override domain policy.
    >
    > See "User Rights Assignment" thread, this doesn't seem to work. It would
    > blast identical settings into all LSPs instead of just adding a few things
    > here and there?
    >
    >> You could also create the Security Template, copy it to the target
    >> computer, and use the free psexec tool from SysInternals
    >
    > OK, good idea.
    >
    > What I tried today (which seems to work for user rights) is the
    > NTRIGHTS.EXE utility from the Win2k reskit. You can add rights to remote
    > computers without a reboot! I made a WSH script to loop through all
    > computers adding the new service account I needed, then I started the
    > services using WMI. I did this while everyone was logged in and it worked
    > a treat.
    >
    > --
    > Gerry Hickman (London UK)
  4.

    Hi Steven,

    > Cool. Ntrights is a great utility. That is a great way to do it with a
    > script that does not require a reboot. Thanks for reporting back what worked
    > for you. --- Steve

    Certainly a handy utility, but there's a few things I don't understand:

    1. It does not seem to be documented in the Win2k ResKit documentation?
    2. It can not be used to merely "read" the existing rights?
    3. I can't believe there's no proper way to script the LSP user rights,
    and that you can't edit them in MMC either unless you're physically
    sitting in front of the computer!

    --
    Gerry Hickman (London UK)
  5.

    If you have not tried DumpSec from Somarsoft [free] it can do a lot of neat
    tricks including dumping effective user rights on a computer and you can use
    it to connect to remote computers.

    http://www.somarsoft.com/somarsoft_main.htm

    In XP Pro, you can use Remote Desktop to manage Local Security Policy on
    remote computer. With W2K we are currently stuck with tools like ntrights or
    secedit and security templates. --- Steve

    "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
    news:eRyFXQW3EHA.2592@TK2MSFTNGP09.phx.gbl...
    > Hi Steven,
    >
    >> Cool. Ntrights is a great utility. That is a great way to do it with a
    >> script that does not require a reboot. Thanks for reporting back what
    >> worked for you. --- Steve
    >
    > Certainly a handy utility, but there's a few things I don't understand:
    >
    > 1. It does not seem to be documented in the Win2k ResKit documentation?
    > 2. It can not be used to merely "read" the existing rights?
    > 3. I can't believe there's no proper way to script the LSP user rights,
    > and that you can't edit them in MMC either unless you're physically
    > sitting in front of the computer!
    >
    > --
    > Gerry Hickman (London UK)