Local security settings - secedit

November 24, 2004 5:50:39 PM

Archived from groups: microsoft.public.win2000.security

Hello,

Local security settings - secedit

I am trying to export local security settings using secedit on Windows
2003.

secedit /export /cfg local.inf /log local.log
secedit /export /mergedpolicy /cfg merged.inf /log merged.log

My understanding is the first call gives local settings even if the
server is connected to domain and domain policy settings are
overriding.

Second command gives the merged policies from domain based GPOs. The
number of settings is different in both cases, but the values always
seem to be domain values.

Example: If I have minimum password length set to 8 chars on local and
10 chars on domain, both the above commands give 10 chars.

I take the server out of domain (make it a stand alone server) then I
get a value of 8 on both cases.

Anyone else see this behavior? How do I dump settings from local
secedit.sdb?

Thanks

Ravi


Anonymous
November 25, 2004 5:53:02 AM

I don't believe you can export the true local security settings of a domain
computer. I found results similar to yours. For Windows 2003 when you are
using the secedit /export command you really are exporting the "effective"
settings for the computer's security policy. When you use the /mergedpolicy
switch you are exporting those security settings that are defined at the
domain/OU level that are overriding the local settings. I suppose if you
want to find the true local settings [other than password policy possibly]
you could create an OU with block inheritance enabled on it and move your
computer into it, refresh the Group Policy on the domain controller and
reboot the domain computer you want to analyze. --- Steve


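Added example (not part of the original thread): a Python sketch that compares two `secedit /export` files, such as the `local.inf` and `merged.inf` from the question, and sorts every setting into identical, changed, or present in only one file. The sample file contents are constructed, and the decoder assumes an export is UTF-16 when it starts with a byte-order mark.

```python
import codecs

def decode_export(raw: bytes) -> str:
    """Decode an exported template (assumption: UTF-16 when a BOM is present)."""
    bom = raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE))
    return raw.decode("utf-16" if bom else "utf-8", errors="replace")

def parse_inf(text: str) -> dict:
    """Return {section: {key: value}} for a security template INF."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)       # values may contain '='
            current[key.strip()] = value.strip()
    return sections

def compare_exports(first: dict, second: dict) -> dict:
    """Sort every setting into same / changed / only_first / only_second."""
    out = {"same": [], "changed": [], "only_first": [], "only_second": []}
    for section in sorted(set(first) | set(second)):
        a, b = first.get(section, {}), second.get(section, {})
        for key in sorted(set(a) | set(b)):
            name = f"{section}/{key}"
            if key not in b:
                out["only_first"].append(name)
            elif key not in a:
                out["only_second"].append(name)
            elif a[key] == b[key]:
                out["same"].append(name)
            else:
                out["changed"].append((name, a[key], b[key]))
    return out

# Constructed sample exports mirroring the question: the files list a
# different number of settings but agree on the minimum password length.
LOCAL_RAW = ("[Unicode]\nUnicode=yes\n[System Access]\n"
             "MinimumPasswordLength = 10\nPasswordComplexity = 1\n"
             "LockoutBadCount = 5\n[Event Audit]\nAuditLogonEvents = 3\n"
             ).encode("utf-16")
MERGED_RAW = ("[Unicode]\nUnicode=yes\n[System Access]\n"
              "MinimumPasswordLength = 10\nPasswordComplexity = 1\n"
              ).encode("utf-16")
REPORT = compare_exports(parse_inf(decode_export(LOCAL_RAW)),
                         parse_inf(decode_export(MERGED_RAW)))
print(REPORT)
```

An empty `changed` list alongside non-empty `only_first` or `only_second` lists is the pattern described in the question: the two exports differ in which settings they contain, not in the values they report.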
Anonymous
November 27, 2004 1:54:28 AM

If the workstation has never had any changes made to the local, then you can
simply view C:\WINDOWS\security\templates\setup security.inf
This is the out of the box security template applied to all XP workstations.


--
Glenn L

CCNA, MCSE (2000,2003) + Security
Anonymous
November 27, 2004 9:23:03 PM

That is a big if which is what I think he is trying to determine. --- Steve


Anonymous
November 30, 2004 11:33:26 AM

Thanks Steve,

Do you know where these local settings are stored? If I take my 2003
server out of the domain (moved to workgroup), I can see these settings in
the local security settings MMC.

What is the use of secedit.sdb in 2003? I copied this to another
directory and ran a secedit /export on this db. The exported file is
empty. I am not sure any settings are stored in this DB in 2003. A
quick search through registry did not find anything either.

Ravi

Anonymous
November 30, 2004 10:40:25 PM

I don't know the exact mechanics of how it works in Windows 2003. You should
be able to move it to an OU with block inheritance enabled on the OU and
then see the "true" local policy I believe. That would be easier than
removing it from the domain. I suppose it really does not matter that much
as in a domain it is the effective policy that matters and you need to plan
your GPOs carefully to get the expected results. --- Steve

