Edit a "local policy" from a remote machine?


Gerry Hickman

Hi,

Is there any way to edit a local security policy from a remote machine;
e.g. when you don't want a domain policy to stomp the local settings,
but need to change some of them?
 
You can create a Security Template with the changes you need to implement
and then use secedit to apply those settings via Group Policy startup script
but it really might be easier to create an Organizational Unit with its own
GPO with defined settings that would override domain policy. You could also
create the Security Template, copy it to the target computer, and use the
free psexec tool from SysInternals to remotely use secedit to configure the
remote computer with the template. Security Templates are accessed and
created/modified with the MMC snap-in for Security Templates. --- Steve

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- psexec
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321679 -- manage Security Templates
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx -- secedit syntax.
 
Hi Steven,
> You can create a Security Template with the changes you need to implement
> and then use secedit to apply those settings via Group Policy startup script

The problem with that is that it would need a reboot?

> but it really might be easier to create an Organizational Unit with its own
> GPO with defined settings that would override domain policy.

See "User Rights Assignment" thread, this doesn't seem to work. It would
blast identical settings into all LSPs instead of just adding a few
things here and there?

> You could also
> create the Security Template, copy it to the target computer, and use the
> free psexec tool from SysInternals

OK, good idea.

What I tried today (which seems to work for user rights) is the
NTRIGHTS.EXE utility from the Win2k reskit. You can add rights to remote
computers without a reboot! I made a WSH script to loop through all
computers adding the new service account I needed, then I started the
services using WMI. I did this while everyone was logged in and it
worked a treat.
 
Cool. Ntrights is a great utility. That is a great way to do it with a
script that does not require a reboot. Thanks for reporting back what worked
for you. --- Steve
 
Hi Steven,
> Cool. Ntrights is a great utility. That is a great way to do it with a
> script that does not require a reboot. Thanks for reporting back what worked
> for you. --- Steve

Certainly a handy utility, but there are a few things I don't understand:

1. It does not seem to be documented in the Win2k ResKit documentation?
2. It cannot be used to merely "read" the existing rights?
3. I can't believe there's no proper way to script the LSP user rights,
and that you can't edit them in MMC either unless you're physically
sitting in front of the computer!
 
If you have not tried DumpSec from Somarsoft [free] it can do a lot of neat
tricks including dumping effective user rights on a computer and you can use
it to connect to remote computers.

http://www.somarsoft.com/somarsoft_main.htm

In XP Pro, you can use Remote Desktop to manage Local Security Policy on
a remote computer. With W2K we are currently stuck with tools like ntrights or
secedit and security templates. --- Steve
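
An added example, not part of the thread and not code from any of the posters: for the security-template route discussed above, this Python code reads the current holders of each user right from a `secedit /export` file and builds a template that adds one account to a single right while keeping the existing holders. The sample export, the account `CORP\svc-app`, the file names and the function names are constructed for illustration, and the export is assumed to have been decoded to text already.

```python
# Added example: constructed sample of `secedit /export /cfg current.inf /areas USER_RIGHTS`
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights


def build_additive_template(inf_text, right, account):
    """Build a template defining only `right`: current holders plus `account`."""
    holders = parse_privilege_rights(inf_text).get(right, [])
    if account.lower() not in (h.lower() for h in holders):   # avoid duplicates
        holders = holders + [account]
    return "\r\n".join([
        "[Unicode]", "Unicode=yes",
        "[Version]", 'signature="$CHICAGO$"', "Revision=1",
        "[Privilege Rights]", f"{right} = {','.join(holders)}", "",
    ])


if __name__ == "__main__":
    for right, holders in parse_privilege_rights(SAMPLE_EXPORT).items():
        print(right, holders)
    # CORP\svc-app is a hypothetical service account; save the output as add.inf and apply with
    #   secedit /configure /db add.sdb /cfg add.inf /areas USER_RIGHTS
    print(build_additive_template(SAMPLE_EXPORT, "SeServiceLogonRight", r"CORP\svc-app"))
```
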
 