Security Option Settings Are Not Shown in Gpedit.msc After You Apply a Security Template with Secedit.exe on a Standalone Server (329055)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
This article was previously published under Q329055

SYMPTOMS

If you apply a security template by using the secedit /configure command and you then start the Local Group Policy snap-in or you run Gpedit.msc to view the new settings, the old configuration settings may still appear. The Local Group Policy snap-in may not show the new settings from the applied template although the registry keys exist and the policy is working.

This behavior occurs if the secedit /configure command contains settings for the Computer Configuration\Windows Settings\Security Settings\Security Options node (such as Message text for users attempting to log on). Running the secedit /refreshpolicy machine_policy /enforce command does not resolve this behavior. Therefore, you cannot see the actual current settings on the server by using the Local Group Policy snap-in.

This behavior occurs on a Windows 2000-basd server that is part of a Microsoft Windows NT 4.0-based domain, or on a standalone Windows 2000-based server in a workgroup.

CAUSE

On a computer that does not receive domain policies (such as a server that is joined to a Windows NT 4.0-based domain or is joined to a workgroup), security extensions are not registered with the local Group Policy engine until a change is made in the local security policy editor. A single one-time change will register the extension.

RESOLUTION

To work around this behavior, use either of the following methods.

Method 1

Manually change a policy in the Local Group Policy snap-in one time.

Method 2

If you want to use an automated solution, follow these steps:
  1. Use the following command to apply the security template

    secedit /configure /db databse.sdb /cfg yourtemplate.inf

    where database.sdb is the name of your database and yourtemplate.inf is the security template that you want to apply.

  2. Create a new text file named Gpt.ini. Paste the following text into the Gpt.ini file:

    [General]
    gPCFunctionalityVersion=2
    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
    Version=4

  3. Save and then close the file.
  4. Replace the existing Gpt.ini file in the %SystemRoot%\System32\GroupPolicy folder on the Windows 2000-based server with the new Gpt.ini file.
  5. At a command prompt, run the following command:

    secedit /refreshpolicy machine_policy /enforce

The information in the new Gpt.ini file registers the security extension with the local Group Policy engine. When you start the Local Group Policy snap-in, the current settings from the security template are shown.

STATUS

This behavior is by design.
Modification Type:MinorLast Reviewed:10/16/2003
Keywords:kbGRPPOLICYprob kbprb KB329055
©2003 Microsoft Corporation. All rights reserved.