Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Security Option Settings Are Not Shown in Gpedit.msc After You Apply a Security Template with Secedit.exe on a Standalone Server


Symptoms

If you apply a security template by using the secedit /configure command and you then start the Local Group Policy snap-in or you run Gpedit.msc to view the new settings, the old configuration settings may still appear. The Local Group Policy snap-in may not show the new settings from the applied template although the registry keys exist and the policy is working.

This behavior occurs if the secedit /configure command contains settings for the Computer Configuration\Windows Settings\Security Settings\Security Options node (such as Message text for users attempting to log on). Running the secedit /refreshpolicy machine_policy /enforce command does not resolve this behavior. Therefore, you cannot see the actual current settings on the server by using the Local Group Policy snap-in.

This behavior occurs on a Windows 2000-based server that is part of a Microsoft Windows NT 4.0-based domain, or on a standalone Windows 2000-based server in a workgroup.



Cause

On a computer that does not receive domain policies (such as a server that is joined to a Windows NT 4.0-based domain or is joined to a workgroup), security extensions are not registered with the local Group Policy engine until a change is made in the local security policy editor. A single one-time change will register the extension.



Resolution

To work around this behavior, use either of the following methods.

Method 1

Manually change a policy in the Local Group Policy snap-in one time.

Method 2

If you want to use an automated solution, follow these steps:

  1. Use the following command to apply the security template:
    secedit /configure /db database.sdb /cfg yourtemplate.inf
    where database.sdb is the name of your database and yourtemplate.inf is the security template that you want to apply.


  2. Create a new text file named Gpt.ini. Paste the following text into the Gpt.ini file:
    [General]
    gPCFunctionalityVersion=2
    gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
    Version=4
  3. Save and then close the file.
  4. Replace the existing Gpt.ini file in the %SystemRoot%\System32\GroupPolicy folder on the Windows 2000-based server with the new Gpt.ini file.
  5. At a command prompt, run the following command:
    secedit /refreshpolicy machine_policy /enforce
The information in the new Gpt.ini file registers the security extension with the local Group Policy engine. When you start the Local Group Policy snap-in, the current settings from the security template are shown.
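
A check that can be run against a copy of Gpt.ini to confirm that the extension entries from step 2 are present (an added example, not part of the original KB article): it parses gPCMachineExtensionNames into its bracketed GUID groups and reports any pair from the article's value that is missing. The function names and the sample file contents are constructed for illustration.

```python
import configparser
import re

# gPCMachineExtensionNames value exactly as given in the article's Gpt.ini.
ARTICLE_VALUE = (
    "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]"
    "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
    "[{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]"
)
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

def parse_extension_names(value):
    """Split '[{ext}{tool}...][...]' into {first GUID: set of following GUIDs}."""
    value = value.strip()
    # Reject anything that is not a clean run of bracketed groups of 2+ GUIDs.
    if not re.fullmatch(r"(?:\[(?:%s){2,}\])*" % GUID, value):
        raise ValueError("malformed gPCMachineExtensionNames value")
    groups = {}
    for group in re.findall(r"\[([^\]]+)\]", value):
        first, *rest = [g.upper() for g in re.findall(GUID, group)]
        groups.setdefault(first, set()).update(rest)
    return groups

def missing_extensions(gpt_ini_text):
    """Return the article's (extension, tool) GUID pairs absent from a Gpt.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(gpt_ini_text)
    value = ini.get("General", "gPCMachineExtensionNames", fallback="")
    present = parse_extension_names(value)
    required = parse_extension_names(ARTICLE_VALUE)
    return sorted((ext, tool) for ext, tools in required.items()
                  for tool in tools - present.get(ext, set()))

# Constructed samples: one file listing only the first group from the article,
# and one carrying the article's full value.
TEMPLATE = "[General]\ngPCFunctionalityVersion=2\ngPCMachineExtensionNames=%s\nVersion=4\n"
FIRST_GROUP = ARTICLE_VALUE[:ARTICLE_VALUE.index("]") + 1]
SAMPLE_BEFORE = TEMPLATE % FIRST_GROUP
SAMPLE_AFTER = TEMPLATE % ARTICLE_VALUE

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        gaps = missing_extensions(text)
        print(name, "OK" if not gaps else "missing: %s" % gaps)
```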



Status

This behavior is by design.



Keywords: kbgrppolicyprob, kbprb, kb


Article Info
Article ID : 329055
Revision : 1
Created on : 1/7/2017
Published on : 6/19/2014
Exists online : False