GPO vs. LGPO settings in Security Options

[Guest]

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation, check the
settings in 'Security Options', the settings are named different than on my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users and
on W2k DC I only have Restrict DC-ROM access to locally logged on users.

I downloaded the W2K3 Policysettings XLS sheet and the names present for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the 'Security
Options' come from?

Any help would be greatly appreciated.

 

[Mark Renoden [MSFT]]

Hi William

The policy text comes from the appropriate .adm file in the %windor%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows 2000
domain, you can update the .adm files on your DC's by downloading the latest
..adm files (which are currently Windows XP SP2). These can be downloaded
from:

http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows XP
client. For this you can use GPMC:

http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Thanks Mark,

This is true for certain policy settings, however, when you look in Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings are do not come from an ADM-template file.
The setting, for example:
Accounts: Rename Guest Account

is not present in a ADM-template file.

This is why I was wondering where the text descriptions for the settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the descriptions are
different than they appear in a GPO in the domain.

Can you clarify this please?

William

Hi William

The policy text comes from the appropriate .adm file in the %windor%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows 2000
domain, you can update the .adm files on your DC's by downloading the latest
..adm files (which are currently Windows XP SP2). These can be downloaded
from:

http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows XP
client. For this you can use GPMC:

http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation, check
the
settings in 'Security Options', the settings are named different than on
my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users and
on W2k DC I only have Restrict DC-ROM access to locally logged on users.

I downloaded the W2K3 Policysettings XLS sheet and the names present for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the 'Security
Options' come from?

Any help would be greatly appreciated.

 

[Mark Renoden [MSFT]]

Hi William

I'm not sure where these are stored (if they are in a file anywhere). It
may be the case that they are hardcoded. As with the .adm based policies,
the names of the settings have evolved with the operating system.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Mark,

This is true for certain policy settings, however, when you look in
Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings are do not come from an ADM-template
file.
The setting, for example:
Accounts: Rename Guest Account

is not present in a ADM-template file.

This is why I was wondering where the text descriptions for the settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the descriptions
are
different than they appear in a GPO in the domain.

Can you clarify this please?

William

Hi William

The policy text comes from the appropriate .adm file in the %windor%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows
2000
domain, you can update the .adm files on your DC's by downloading the
latest
..adm files (which are currently Windows XP SP2). These can be
downloaded
from:


http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows
XP
client. For this you can use GPMC:


http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation,
check
the
settings in 'Security Options', the settings are named different than
on
my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users
and
on W2k DC I only have Restrict DC-ROM access to locally logged on
users.

I downloaded the W2K3 Policysettings XLS sheet and the names present
for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the
'Security
Options' come from?

Any help would be greatly appreciated.

 

[Guest]

Thanks Marrk,

The reason I ask this is because I imported the XP SP2 adm-templates into
our W2K domain and I don't see the new 'Security Options' setting
descriptions and was wondering if there is a way to be able to see them.
Presently, our domains are 100% W2K servers and in the future we will be
prepping our Schema to allow for W2K3 DCs. Once we have W2K3 DCs, will the
setting descriptions change to those seen in the 'PolicySettings.XLS file
which can be downloaded from Microsoft?

Also, after introducing W2K3 DCs into our environment, we will then be
having a mixture of W2K and W2K3 DCs. When I open a GPO, which text
descriptions will I be seeing?

William

Hi William

I'm not sure where these are stored (if they are in a file anywhere). It
may be the case that they are hardcoded. As with the .adm based policies,
the names of the settings have evolved with the operating system.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Mark,

This is true for certain policy settings, however, when you look in
Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings are do not come from an ADM-template
file.
The setting, for example:
Accounts: Rename Guest Account

is not present in a ADM-template file.

This is why I was wondering where the text descriptions for the settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the descriptions
are
different than they appear in a GPO in the domain.

Can you clarify this please?

William

Hi William

The policy text comes from the appropriate .adm file in the %windor%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows
2000
domain, you can update the .adm files on your DC's by downloading the
latest
..adm files (which are currently Windows XP SP2). These can be
downloaded
from:


http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows
XP
client. For this you can use GPMC:


http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation,
check
the
settings in 'Security Options', the settings are named different than
on
my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users
and
on W2k DC I only have Restrict DC-ROM access to locally logged on
users.

I downloaded the W2K3 Policysettings XLS sheet and the names present
for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the
'Security
Options' come from?

Any help would be greatly appreciated.

 

[Guest]

Mark,

The descriptions are located in %windir%\inf\sceregvl.inf.

Is it possible to replace the XP version of this file with the one on my W2K
DC?

William

Hi William

I'm not sure where these are stored (if they are in a file anywhere). It
may be the case that they are hardcoded. As with the .adm based policies,
the names of the settings have evolved with the operating system.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Mark,

This is true for certain policy settings, however, when you look in
Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings are do not come from an ADM-template
file.
The setting, for example:
Accounts: Rename Guest Account

is not present in a ADM-template file.

This is why I was wondering where the text descriptions for the settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the descriptions
are
different than they appear in a GPO in the domain.

Can you clarify this please?

William

Hi William

The policy text comes from the appropriate .adm file in the %windor%\inf
folder. The policy text (and descriptions) have simply evolved between
Windows versions. If you're running Windows XP clients in your Windows
2000
domain, you can update the .adm files on your DC's by downloading the
latest
..adm files (which are currently Windows XP SP2). These can be
downloaded
from:


http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a Windows
XP
client. For this you can use GPMC:


http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have been testing my Domain-wide GPOs on XP SP2 workstations and have
noticed that when I open 'Local Security Policy' on a workstation,
check
the
settings in 'Security Options', the settings are named different than
on
my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users
and
on W2k DC I only have Restrict DC-ROM access to locally logged on
users.

I downloaded the W2K3 Policysettings XLS sheet and the names present
for
'Security Options' are the same as what I see when opening the 'Local
Security Policy'. But different from what I see when I open a GPO in my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the
'Security
Options' come from?

Any help would be greatly appreciated.

 

[Mark Renoden [MSFT]]

Hi William

Your best bet is to administer the policies from a Windows XP machine using
GPMC or the Admin Tools:

GPMC

http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Adminpak

http://www.microsoft.com/downloads/...15-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

You will see the descriptions that correspond to the operating system you
are editing the policy from. You may be able to use the information from
the following knowledge base article to copy the XP sceregvl.inf file to
Windows 2000 machines but I'd consider just using an XP client as an
administration station.

214752 How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/?id=214752

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Mark,

The descriptions are located in %windir%\inf\sceregvl.inf.

Is it possible to replace the XP version of this file with the one on my
W2K
DC?

William

Hi William

I'm not sure where these are stored (if they are in a file anywhere). It
may be the case that they are hardcoded. As with the .adm based
policies,
the names of the settings have evolved with the operating system.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

Thanks Mark,

This is true for certain policy settings, however, when you look in
Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
'Security Options', these settings are do not come from an ADM-template
file.
The setting, for example:
Accounts: Rename Guest Account

is not present in a ADM-template file.

This is why I was wondering where the text descriptions for the
settings
found under 'Security Options' are located.

By starting Local Security Policy on an XP workstation, the
descriptions
are
different than they appear in a GPO in the domain.

Can you clarify this please?

William


:

Hi William

The policy text comes from the appropriate .adm file in the
%windor%\inf
folder. The policy text (and descriptions) have simply evolved
between
Windows versions. If you're running Windows XP clients in your
Windows
2000
domain, you can update the .adm files on your DC's by downloading the
latest
..adm files (which are currently Windows XP SP2). These can be
downloaded
from:


http://www.microsoft.com/downloads/...4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

If you do this, beware of:

http://support.microsoft.com/default.aspx?kbid=842933

The alternative is to edit the GPO's as an Administrator from a
Windows
XP
client. For this you can use GPMC:


http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to
email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have been testing my Domain-wide GPOs on XP SP2 workstations and
have
noticed that when I open 'Local Security Policy' on a workstation,
check
the
settings in 'Security Options', the settings are named different
than
on
my
W2K domain controller. For example:

Devices: Restrict DC-ROM access to locally logged on users
and
on W2k DC I only have Restrict DC-ROM access to locally logged on
users.

I downloaded the W2K3 Policysettings XLS sheet and the names present
for
'Security Options' are the same as what I see when opening the
'Local
Security Policy'. But different from what I see when I open a GPO in
my
domain using the MMC.

Why is this?

My second question is: Where does the text description for the
'Security
Options' come from?

Any help would be greatly appreciated.