Microsoft KB Archive/329055

= Security Option Settings Are Not Shown in Gpedit.msc After You Apply a Security Template with Secedit.exe on a Standalone Server =

Article ID: 329055

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q329055



SYMPTOMS
If you apply a security template by using the secedit /configure command and you then start the Local Group Policy snap-in or you run Gpedit.msc to view the new settings, the old configuration settings may still appear. The Local Group Policy snap-in may not show the new settings from the applied template although the registry keys exist and the policy is working.

This behavior occurs if the secedit /configure command contains settings for the Computer Configuration\Windows Settings\Security Settings\Security Options node (such as Message text for users attempting to log on). Running the secedit /refreshpolicy machine_policy /enforce command does not resolve this behavior. Therefore, you cannot see the actual current settings on the server by using the Local Group Policy snap-in.

This behavior occurs on a Windows 2000-basd server that is part of a Microsoft Windows NT 4.0-based domain, or on a standalone Windows 2000-based server in a workgroup.



CAUSE
On a computer that does not receive domain policies (such as a server that is joined to a Windows NT 4.0-based domain or is joined to a workgroup), security extensions are not registered with the local Group Policy engine until a change is made in the local security policy editor. A single one-time change will register the extension.



RESOLUTION
To work around this behavior, use either of the following methods.

Method 1
Manually change a policy in the Local Group Policy snap-in one time.

Method 2
If you want to use an automated solution, follow these steps:  Use the following command to apply the security template

secedit /configure /db .sdb /cfg  .inf

where .sdb is the name of your database and  .inf is the security template that you want to apply.

 Create a new text file named Gpt.ini. Paste the following text into the Gpt.ini file:

[General]

gPCFunctionalityVersion=2

gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]

Version=4

 Save and then close the file. Replace the existing Gpt.ini file in the %SystemRoot%\System32\GroupPolicy folder on the Windows 2000-based server with the new Gpt.ini file. At a command prompt, run the following command:

secedit /refreshpolicy machine_policy /enforce



The information in the new Gpt.ini file registers the security extension with the local Group Policy engine. When you start the Local Group Policy snap-in, the current settings from the security template are shown.

<div class="status_section">

STATUS
This behavior is by design.

Keywords: kbprb kbgrppolicyprob KB329055

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.