Thread: Local Security Policy - Effective VS Local Settings?

  1. #1

    Can someone clear up a few things about Windows security for me?

    If I go through the LSP on a server that is part of a domain and make changes to the Local Settings. Say for example I want to prohibit all null sessions to the box. So I edit "Additional restrictions for anonymous connections" and make the relevant change to the Local Setting.

    Now apparently the effective setting will override the local setting? But when does the local setting ever become relevant? *OR* is it relevant until someone logs into the domain from that machine?

    Also, how is the relationship between the server and the domain/DC formed? How are the LSP settings 'pushed' to the server from the DC? Is this specifically an AD/OU thing or can it be done through a more generic method?

  2. #2
    First, are you talking about a Windows 2000 AD or Windows NT?

    In Windows 2000, the security settings are pushed through group policy. By default, each domain has a "default domain policy" that applies to everyone in the domain. That's what pushes your "effective" settings.

    Local settings apply when:

    1) The computer is not part of a domain
    2) The domain policy has a setting of "not configured," which allows the local policy of each computer to apply whatever it thinks best.

    I hope this clears up some of your questions.

  3. #3
    It was Windows 2000 I was referring to, thanks!

    How does the computer join the domain though? When the server/machine is turned on and it gets to the login prompt has it joined the domain at that stage? Or is this specifically by logging on with a username/password/domain-name combination? As I would do with my laptop when I'm connecting to a corporate network.

    Also, how can I check/modify/create new entries for the 'effective settings'? Is this done in the LSP of the DC?

    Excuse my ignorance, I'm more of a *nix bod!

  4. #4
    Originally posted here by shakenbake
    It was Windows 2000 I was referring to, thanks!

    How does the computer join the domain though? When the server/machine is turned on and it gets to the login prompt has it joined the domain at that stage? Or is this specifically by logging on with a username/password/domain-name combination? As I would do with my laptop when I'm connecting to a corporate network.

    Also, how can I check/modify/create new entries for the 'effective settings'? Is this done in the LSP of the DC?

    Excuse my ignorance, I'm more of a *nix bod!

    Normally we would flay the skin from your bones for asking such a n00b question, but for brethren of the hallowed shell, we'll make exceptions.

    All users, computers, devices, etc. in AD are 'objects'. The computer is normally part of the domain, just as is the user account. So when the computer is powered on, it will try to establish communications with its Domain Controller (or others, Windows geeks jump in here). If successful, it is then connected to the Domain and all the policy stuff happens (I know, real technical description there). If it can NOT connect (but has done so in the past) it works in a state of cached settings.

    Does that help?

  5. #5
    ^ it certainly does!

    So ... is AD a mandatory component of Windows 2000 to accomplish this task, or are there other means of achieving policy enforcement with 2000?

    Also, is there any way to take the machine that is part of the domain and use the local admin account to ignore the domain/effective policy and force compliance to the local policy?

  6. #6
    Originally posted here by zencoder
    Normally we would flay the skin from your bones for asking such a n00b question, but for brethren of the hallowed shell, we'll make exceptions.

    All users, computers, devices, etc. in AD are 'objects'. The computer is normally part of the domain, just as is the user account. So when the computer is powered on, it will try to establish communications with its Domain Controller (or others, Windows geeks jump in here). If successful, it is then connected to the Domain and all the policy stuff happens (I know, real technical description there). If it can NOT connect (but has done so in the past) it works in a state of cached settings.

    Does that help?

    Ok, I will (jump in)...

    To become part of a domain, the computer must be added to the domain (if it was not at installation time) by going into right-click My Computer, System Properties, Computer Name, Change, and entering the domain information. A valid domain administrator account username and password will be required in order for Windows to create the computer account on the domain controller.

    As for the LSP, if it is part of a domain, the configured settings in the domain security policy overwrite the local ones. If it is not, the local security policy settings take effect. Changes only become effective after reboot.


    Ammo

  7. #7
    Whether or not you can "override" the domain policy depends entirely on which setting you want to override. The computer-based settings, such as the Windows security settings, can't be overridden locally. Since they apply to the computer, and not the user, it doesn't matter who logs in.

    The user-based settings don't apply to local computer users anyway, only domain user accounts.

    So, shakenbake, what settings are you concerned about changing? You can also set up separate containers (OUs) in AD and have different policies apply based on which container the computer account is in.
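As an added illustration of the Local Setting vs. Effective Setting distinction the replies describe (this script is not from the thread or any of its posters): the LSP console reads the "Local Setting" column from the local GPO's security template (GptTmpl.inf) and the "Effective Setting" from what LSA actually enforces, which for "Additional restrictions for anonymous connections" is the RestrictAnonymous registry value. It assumes an elevated PowerShell session on a domain-joined machine; the template path and value names are the standard ones, and a mismatch means a domain/OU GPO is winning.

```powershell
# Added example: compare the local security template value with the effective value
# for "Additional restrictions for anonymous connections" (RestrictAnonymous).
# Assumption: run elevated; the local GPO template lives at the standard path below.
$setting  = 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous'
$template = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Local Setting: what the local policy template asks for. A missing line means "Not defined".
$local = $null
if (Test-Path $template) {
    # Template lines look like: MACHINE\...\RestrictAnonymous=4,2  (4 = REG_DWORD, 2 = value)
    $line = Get-Content $template | Where-Object { $_ -like "$setting=*" } | Select-Object -First 1
    if ($line) { $local = [int](($line -split '=', 2)[1] -split ',')[1] }
}

# Effective Setting: what LSA enforces right now, i.e. after domain/OU GPOs have been applied.
$effective = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
              -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous

$localText = if ($null -eq $local) { 'Not defined' } else { $local }
"Local Setting     : $localText"
"Effective Setting : $effective"

if ($null -ne $local -and $local -ne $effective) {
    # This is the situation the original poster hit: the local edit is visible in the
    # template but a domain GPO overrides it at the next policy refresh. gpresult shows which one.
    "Mismatch: a domain/OU policy is overriding the local setting. See: gpresult /scope computer /v"
}
```

A value of 0 allows anonymous enumeration, 1 restricts enumeration of SAM accounts and shares, and 2 disables access without explicit anonymous permissions; on a domain member, the second line is the one that matters.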
