Microsoft KB Archive/295655

= Programmatic Changes to LSA Policy Appear in Group Policy or Local Security Policy =

Article ID: 295655

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q295655



SUMMARY
When a program makes changes to the LSA policy on a Windows 2000 domain controller (DC) by calling LSA APIs, those changes are reflected in the Default Domain Controllers policy.

When a program makes changes to the LSA policy on a Windows 2000 member server or workstation by calling LSA APIs, those changes are reflected in that computer's Local Security policy.



MORE INFORMATION
Calls to the LSA APIs are intercepted by the Security Configuration Engine and incorporated into the appropriate policy. On DCs, changes are made to the Default Domain Controllers policy. On member servers and workstations, the changes are incorporated into the Local Security policy database and integrated with the group policy from the domain.

This is done for program compatibility purposes. Because group policies override local policies, an installed program that required a specific LSA policy change (such as adding an account or group to a user right) would start to malfunction if the group policy ignored the changes made by the program. Because of this, LSA policy changes are intercepted and integrated.

Additional query words: application

Keywords: kbenv kbinfo kbui KB295655

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.