Local Security Policy - Effective VS Local Settings?
Results 1 to 7 of 7

Thread: Local Security Policy - Effective VS Local Settings?

  1. #1
    Member
    Join Date
    Nov 2004
    Posts
    32

    Local Security Policy - Effective VS Local Settings?

    Can someone clear up a few things about windows security for me?

    If I go through the LSP on a server that is part of a domain and make changes to the Local Settings. Say for example I want to prohibit all null sessions to the box. So I edit
    "Additional restrictions for anonymous connections" and make the relavent change to the Local Setting.

    Now apparently the effective setting will overide the local setting? But when does the local setting ever become relavent? *OR* is it relavent until someone logs into the domain from that machine?

    Also, how is the relationship between the server and the domain/DC formed? How are the LSP settings 'pushed' to the server from the DC? Is this a specifcally an AD/OU thing or can it be done thhrough a more generic method?

  2. #2
    Member
    Join Date
    Dec 2003
    Posts
    97
    First, are you talking about a windows 2000 AD or windows NT?

    In windows 2000, the security settings are pushed through group policy. Be default, each domain has a "default domain policy" that applies to everyone in the domain. That's what pushes your "effective" settings.

    Local settings apply when:

    1) The computer is not part of a domain
    2) The domain policy has a setting of "not configured," which allows the local policy of each computer to apply whatever it thinks best.

    I hope this clears up some of your questions.

  3. #3
    Member
    Join Date
    Nov 2004
    Posts
    32
    It was Windows 2000 I was refering to, thanks!

    How does the computer join the domain though? When the server/machine is turned on and it gets to the login prompt has it joined the domain at that stage? Or is this specifically by logging on with a username/password/domain-name combination? As I would do with my laptop when I'm connecting to a corporate network.

    Also, how can I check/modify/create new entries for the 'effective settings' is this done in the LSP of the DC ?

    Excuse my ignorance I'm more of *nix bod !

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by shakenbake
    It was Windows 2000 I was refering to, thanks!

    How does the computer join the domain though? When the server/machine is turned on and it gets to the login prompt has it joined the domain at that stage? Or is this specifically by logging on with a username/password/domain-name combination? As I would do with my laptop when I'm connecting to a corporate network.

    Also, how can I check/modify/create new entries for the 'effective settings' is this done in the LSP of the DC ?

    Excuse my ignorance I'm more of *nix bod !
    Normally we would flay the skin from your bones for asking such a n00b question, but for bretheren of the hallowed shell, we'll make exceptions.

    All users, computers, devices, etc. in AD are 'objects'. The computer is normally part of the domain, just as is the user account. So when the computer is powered on, it will try to establish communications with its Domain Controller (or others, Windows geeks jump in here). It successful, it is then connected to the Domain and all the policy stuff happens (I know, real technical description there). If it can NOT connect (but has done so in the past) it works in a state of cached settings.

    Does that help?
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Member
    Join Date
    Nov 2004
    Posts
    32
    ^ it certainly does!

    So ... is AD a mandatory compent of Windows 2000 to accomplish this task, or is their other means of achieving policy enforcement with 2000 ?

    Also, is their anyway to take the machine that is part of the domain and use the local admin account to ignore the domain/effictive policy and force complience to the local policy?

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by zencoder
    Normally we would flay the skin from your bones for asking such a n00b question, but for bretheren of the hallowed shell, we'll make exceptions.

    All users, computers, devices, etc. in AD are 'objects'. The computer is normally part of the domain, just as is the user account. So when the computer is powered on, it will try to establish communications with its Domain Controller (or others, Windows geeks jump in here). It successful, it is then connected to the Domain and all the policy stuff happens (I know, real technical description there). If it can NOT connect (but has done so in the past) it works in a state of cached settings.

    Does that help?
    Ok, I will (jump in)...

    To become part of a domain, the computer must be added to the domain (if it was not at installation time) by going into right-click my computer, system properties, computer name, change, and enter domain information. A valid domain administrator account username and password will be required in order for windows to create the computer account on the domain controler.

    As for the LSP, if it is part of a domain, the configured settings in the domain security policy overwrite the local ones. If it is not, the local security policy settings take effect. Changes only become effective after reboot.


    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    97
    Whether or not you can "override" the domain policy depends entirely on which setting you want to override. The computer-based settings, such as the windows security settings, can't be overridden locally. SInce they apply to the computer, and not the user, it doesn't matter who logs in.

    The user-based settings don't apply to local computer users anyway, only domain user accounts.

    So, shakenbake, what settings areyou concerned about changing? You can also set up separate containers (OUs) in AD and have different policies apply based on which container the computer account is in.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •