
| Subject: | RE: security policy 'not specified' option |
|---|---|
| Date: | Fri, 21 Oct 2005 07:57:31 -0400 |
-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com]
Sent: Thursday, October 20, 2005 4:57 PM
To: focus-ms@securityfocus.com
Subject: security policy 'not specified' option

Some time back I used a security policy editor that had 3 options: enabled, disabled, and 'unset'. By not setting it either way, the machine inherited the domain settings. Unfortunately the standard system policy editors shipped with 2K/2K3/XP don't appear to have that 3rd option, which means now I've got all kinds of machines running with who knows what setting and ignoring the domain policy. And once you've selected en/disabled via the radio box, there isn't a way to unset it.

How do I dig myself out of this? I probably can play Registry Magic and accomplish what I need but I could have sworn I had a tool that would let me do what I used to be able to do. Any ideas?

I use Microsoft's Group Policy Management Console (GPMC) so I can't verify my recollection on the standard Windows 2003 Group Policy editor, but as I recall, there are usually three options: "enabled", "disabled", and "not defined". When you choose "not defined", the local security policy looks up the Group Policy chain by default (you can change it) in the following order:

1. Enforced Policies from top-level down
2. Local OU GPOs
3. Parent OU GPOs from the bottom-level up
4. Microsoft defaults

By default, the Resultant Set of Policy (RSoP) for the domain is applied to the local computer. I don't know if you can turn this off (and why?) but by default it works.

I would advise getting the GPMC as it makes the whole Group Policy process easier to understand and implement.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

If you think that the machines aren't getting the group policy (and they are Windows XP/2003-based) you can run gpupdate /force to apply the domain group policy and then check the event log to see if there were any errors. Also you should run netdiag and dcdiag on your domain controllers to make sure things are working happily.

As a test, set the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies/Security Options -> Interactive Logon: "Message text for users attempting to log on" to something and then see if your domain computers start displaying the message.

Derick Anderson