Edit a "local policy" from a remote machine?

Last response: in Windows 2000/NT
Anonymous
December 6, 2004 11:02:36 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

Is there any way to edit a local security policy from a remote machine;
e.g. when you don't want a domain policy to stomp the local settings,
but need to change some of them?

--
Gerry Hickman (London UK)
Anonymous
December 7, 2004 5:32:05 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You can create a Security Template with the changes you need to implement
and then use secedit to apply those settings via Group Policy startup script
but it really might be easier to create an Organizational Unit with its own
GPO with defined settings that would override domain policy. You could also
create the Security Template, copy it to the target computer, and use the
free psexec tool from SysInternals to remotely use secedit to configure the
remote computer with the template. Security Templates are accessed and
created/modified with the mmc snapin for Security Templates. --- Steve

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- psexec
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321679 -- manage Security Templates
http://www.microsoft.com/resources/documentation/window... -- secedit syntax.

"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:ewzuH682EHA.3472@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> Is there any way to edit a local security policy from a remote machine;
> e.g. when you don't want a domain policy to stomp the local settings, but
> need to change some of them?
>
> --
> Gerry Hickman (London UK)
Anonymous
December 8, 2004 2:10:07 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Steven,

> You can create a Security Template with the changes you need to implement
> and then use secedit to apply those settings via Group Policy startup script

The problem with that, is that it would need a reboot?

> but it really might be easier to create an Organizational Unit with its own
> GPO with defined settings that would override domain policy.

See "User Rights Assignment" thread, this doesn't seem to work. It would
blast identical settings into all LSPs instead of just adding a few
things here and there?

> You could also
> create the Security Template, copy it to the target computer, and use the
> free psexec tool from SysInternals

OK, good idea.

What I tried today (which seems to work for user rights) is the
NTRIGHTS.EXE utility from the Win2k reskit. You can add rights to remote
computers without a reboot! I made a WSH script to loop through all
computers adding the new service account I needed, then I started the
services using WMI. I did this while everyone was logged in and it
worked a treat.

--
Gerry Hickman (London UK)
Anonymous
December 8, 2004 4:25:46 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Cool. Ntrights is a great utility. That is a great way to do it with a
script that does not require a reboot. Thanks for reporting back what worked
for you. --- Steve


"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:oHPKkHL3EHA.3756@TK2MSFTNGP14.phx.gbl...
> Hi Steven,
>
>> You can create a Security Template with the changes you need to implement
>> and then use secedit to apply those settings via Group Policy startup
>> script
>
> The problem with that, is that it would need a reboot?
>
>> but it really might be easier to create an Organizational Unit with its
>> own GPO with defined settings that would override domain policy.
>
> See "User Rights Assignment" thread, this doesn't seem to work. It would
> blast identical settings into all LSPs instead of just adding a few things
> here and there?
>
>> You could also create the Security Template, copy it to the target
>> computer, and use the free psexec tool from SysInternals
>
> OK, good idea.
>
> What I tried today (which seems to work for user rights) is the
> NTRIGHTS.EXE utility from the Win2k reskit. You can add rights to remote
> computers without a reboot! I made a WSH script to loop through all
> computers adding the new service account I needed, then I started the
> services using WMI. I did this while everyone was logged in and it worked
> a treat.
>
> --
> Gerry Hickman (London UK)
Anonymous
December 8, 2004 11:25:43 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Steven,

> Cool. Ntrights is a great utility. That is a great way to do it with a
> script that does not require a reboot. Thanks for reporting back what worked
> for you. --- Steve

Certainly a handy utility, but there's a few things I don't understand:

1. It does not seem to be documented in the Win2k ResKit documentation?
2. It can not be used to merely "read" the existing rights?
3. I can't believe there's no proper way to script the LSP user rights,
and that you can't edit them in MMC either unless you're physically
sitting in front of the computer!

--
Gerry Hickman (London UK)
Anonymous
December 9, 2004 6:41:39 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If you have not tried DumpSec from Somarsoft [free] it can do a lot of neat
tricks including dumping effective user rights on a computer and you can use
it to connect to remote computers.

http://www.somarsoft.com/somarsoft_main.htm

In XP Pro, you can use Remote Desktop to manage Local Security Policy on a
remote computer. With W2K we are currently stuck with tools like ntrights or
secedit and security templates. --- Steve

"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:eRyFXQW3EHA.2592@TK2MSFTNGP09.phx.gbl...
> Hi Steven,
>
>> Cool. Ntrights is a great utility. That is a great way to do it with a
>> script that does not require a reboot. Thanks for reporting back what
>> worked for you. --- Steve
>
> Certainly a handy utility, but there's a few things I don't understand:
>
> 1. It does not seem to be documented in the Win2k ResKit documentation?
> 2. It can not be used to merely "read" the existing rights?
> 3. I can't believe there's no proper way to script the LSP user rights,
> and that you can't edit them in MMC either unless you're physically
> sitting in front of the computer!
>
> --
> Gerry Hickman (London UK)
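
On the two open points in this thread (reading the existing rights, and a template overwriting every machine's list instead of adding to it), here is an added example that is not from any poster: it parses the `[Privilege Rights]` section of a `secedit /export` file and builds a per-machine template that keeps the current holders of a right and appends one account. The sample export, the SIDs and the `EXAMPLE\svc_backup` account are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# file; the SIDs are made up. On disk the export is assumed to be UTF-16 text.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight =
"""

def read_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the SeXxx casing exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [h.strip() for h in value.split(",") if h.strip()]
            for right, value in cp.items("Privilege Rights")}

def additive_template(inf_text, right, principal):
    """Build a template that preserves this machine's current holders of
    `right` and appends `principal`. A template entry sets the complete
    list for a right, so the existing holders must be carried over."""
    holders = read_rights(inf_text).get(right, [])
    if principal.lower() not in (h.lower() for h in holders):
        holders = holders + [principal]
    return ("[Unicode]\nUnicode=yes\n"
            '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
            "[Privilege Rights]\n"
            f"{right} = {','.join(holders)}\n")

if __name__ == "__main__":
    # Read-only audit of who holds what on the exported machine.
    for right, holders in read_rights(SAMPLE_EXPORT).items():
        print(f"{right}: {holders or '(nobody)'}")
    # Template to apply on that same machine with
    # secedit /configure /db <scratch.sdb> /cfg <file> /areas USER_RIGHTS
    print(additive_template(SAMPLE_EXPORT, "SeServiceLogonRight",
                            r"EXAMPLE\svc_backup"))
```

Because the generated template is specific to the machine the export came from, export and apply per computer rather than pushing one file to all of them.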