Applying a security template: one setting not saved to secedit.sdb

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm running Windows 2000 w/SP4 and I recently used the Security
Configuration and Analysis tool to apply a security template. This
security template changed a bunch of values, and I rebooted after it
was applied. Then I checked my Security Settings in gpedit.msc, and
it showed all of the new values, except for those in the Local Policies
\Security Options section. That section still showed all of the old
values for some reason.

Then I came across this article: http://support.microsoft.com/kb/827664

It says that if you use the SCaA tool to apply a template, the values
in the Security Options section may not be updated in the secedit.sdb
database until 16 hours later. I tried the workaround of double-
clicking one of the security options in gpedit.msc and hitting OK, and
then rebooted. This caused gpedit.msc to display all of the new
Security Options values, except for one of them. The "Disable CTRL+ALT
+DEL requirement for logon" policy still displayed the old value of
"Not Defined" (the template sets it to "Disabled").

If I use the SCaA tool and analyze my computer against the security
database that I created with my template, it says that the Database
Setting and Computer Setting are both "Disabled" for the "Disable CTRL
+ALT+DEL requirement for logon" policy. But if I analyze my computer
against my secedit.sdb file, then it says the Database Setting is "Not
Defined" and the Computer Setting is "Disabled" for that policy. So
the setting for that policy got updated in the registry, but it did
not get updated in the secedit.sdb file for some reason.

Any idea why that one policy didn't get updated in the secedit.sdb
file, but all the others did?
 
Back
Top