Local Security Policy May Not Accurately Reflect Actual System Settings (257922)
The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q257922

SYMPTOMS

After you apply a custom security policy by using either the secedit /configure command at a command prompt or the Security Configuration and Analysis tool, not all of the changes may be reflected in the Local Security Policy tool.

CAUSE

Local Security Policy displays local and effective (domain plus local) policies that are in use on the system. Even though a policy may not be defined, Windows 2000 must behave deterministically and always assumes some default system value for the setting. By design, Local Security Policy displays only policies; it does not display these default values.

When you make a change to an underlying system setting that also has a policy definition, Local Security Policy detects the change and updates the local security policy appropriately. When you make a change to an underlying system setting that has no policy definition, the policy definition remains "Not Defined."

RESOLUTION

Use the Security Configuration and Analysis tool to confirm that the custom security policy is being applied appropriately instead of using the Local Security Policy tool.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Two examples that illustrate this issue are setting "Rename Guest Account" and "MaximumPasswordAge" in a custom security .inf file and applying them with Secedit.exe.

Because "Rename Guest Account" is not defined in the local security policy, applying a custom policy by using the secedit /configure command or the Security Configuration and Analysis tool results in Local Security Policy not reflecting that this security setting is in use. It is still undefined because for this value, the policy tool reads the policy database file, not the current settings. When you make a change by using the policy tool, the change is recorded in the policy database and later applied to the system. Changes that you make outside of the policy tool are never recorded in the policy database file and are not displayed in the policy tool.

However, when you apply a custom policy that defines "MaximumPasswordAge", a setting that is also defined within the local security policy, the change does appear in the Local Security Policy tool. There may be a delay before the change is reflected. To shorten this delay, you can manually force policies to re-apply with the secedit /refreshpolicy command. After policy successfully finishes processing, reload the security settings in the Local Security Policy tool, and the updated settings will be reflected.
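The following batch script is an added example, not part of the original article, that walks through the scenario described above: it writes a small custom security template, applies it with secedit /configure, forces a policy refresh, and then verifies the result with secedit /analyze and the net command rather than relying on the Local Security Policy tool. The file paths, the new guest account name and the 42-day value are constructed for the example; the script also assumes that "Rename Guest Account" in the user interface corresponds to the NewGuestName key in the [System Access] section of a template, alongside MaximumPasswordAge.

```batch
@echo off
rem Added example (not from the KB article). All paths and values below are
rem constructed for illustration; adjust them before use.
set TEMPLATE=C:\Temp\custom.inf
set DB=C:\Temp\custom.sdb
set CFGLOG=C:\Temp\configure.log
set ANALOG=C:\Temp\analyze.log

if not exist C:\Temp mkdir C:\Temp

rem 1. Build the custom template. "Rename Guest Account" in the UI is the
rem    NewGuestName key; "MaximumPasswordAge" is stored under the same section.
(
  echo [Unicode]
  echo Unicode=yes
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo [System Access]
  echo NewGuestName = "LockedGuest"
  echo MaximumPasswordAge = 42
) > "%TEMPLATE%"

rem 2. Apply the template. A new database file is created because %DB%
rem    does not exist yet; the verbose log records every setting touched.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /log "%CFGLOG%" /verbose

rem 3. Force machine policy to re-apply now instead of waiting for the
rem    next refresh interval (this is the step the article recommends
rem    to shorten the delay for policy-backed settings such as
rem    MaximumPasswordAge).
secedit /refreshpolicy machine_policy /enforce

rem 4. Verify against the template with the analysis engine, which reads
rem    the actual system state. This is the check the article says to use
rem    instead of Local Security Policy, which for NewGuestName will still
rem    show "Not Defined".
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%ANALOG%"
type "%ANALOG%"

rem 5. Cross-check with tools that query the live system directly:
rem    "net accounts" shows the effective maximum password age in days,
rem    and "net user" lists local accounts, so the renamed guest appears.
net accounts
net user
```

Run the script from an elevated command prompt on the machine being configured. The point of step 4 and step 5 is that both read the system's effective settings, so a template value that never appears in the Local Security Policy tool (such as the renamed guest account) can still be confirmed as applied.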

Modification Type: Major
Last Reviewed: 11/20/2003
Keywords:kbGPO kbprb kbSecConfigEd KB257922