Microsoft KB Archive/914041

= Local policy settings are no longer stored in the local policy database in Windows Server 2003 =

Article ID: 914041

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003 SP1

-

INTRODUCTION
In Microsoft Windows 2000 Server, local policy settings are stored in the security database (Secedit.sdb) before the settings are applied to the system. However, in Microsoft Windows Server 2003, local policy settings are no longer stored in the local security database. If you are unaware of this change in functionality, you may experience unexpected behavior when you use the local policy on a Windows Server 2003-based computer.



MORE INFORMATION
The Windows Server 2003 functionality behind the following actions differs from the corresponding functionality in Windows 2000 Server:
 * Export the local policy settings by using the Secedit.exe command-line utility together with the /export switch.

Because the system can no longer dump the settings from the database, all required security values must be read directly from the system. These values reflect the original operating system installation settings or the subsequent application of any domain-based policies. Therefore, this export operation in Windows Server 2003 accurately reflects the system's settings.

Additionally, running Secedit.exe with the /export and /mergedpolicy switches together no longer yields the expected results. The exported template now contains only the settings that domain policies define; no local security settings are listed.
 * View the local policy by using the policy Microsoft Management Console (MMC) snap-in.

Windows Server 2003 makes no differentiation between local policy and domain policy. Therefore, only the effective security settings of the system are displayed in the policy MMC snap-in. The settings that originate from the domain are marked by a different icon in the policy snap-in and cannot be modified. Additionally, the local policy editor no longer displays an Effective Setting column, as the Windows 2000 Server editor did.
 * Undefine a policy that was previously defined in the domain.

The security configuration engine in Windows Server 2003 uses a new table in the security database to track any changes to system security. Whenever a domain policy is applied to Windows Server 2003, any local settings on the system are archived in a tattoo table in the database. Thereafter, if a policy is marked as undefined in the domain, the system restores the archived setting from the tattoo table. Without this tattoo table and without security setting recovery functionality, domain policies would permanently change the system configuration.
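The export behavior described above means a single Secedit.exe export no longer tells you which settings are local and which came from the domain. One way to recover that distinction is to export twice, once with /export alone (effective settings read from the system) and once with /export /mergedpolicy (domain-defined settings only), and compare the two templates. The following Python script is an added example and is not code from the KB article or from Microsoft; it parses secedit's INF-style template format and reports which effective settings the /mergedpolicy export does not account for. The two embedded templates are constructed samples, and the /cfg switch named in the comments is the standard secedit switch for naming the output file (it is not mentioned in the article). A real export is written as UTF-16 (the [Unicode] section says so), which read_secedit_export accounts for.

```python
"""Compare a plain 'secedit /export' template with a
'secedit /export /mergedpolicy' template to see which effective
settings are local only and which domain policy supplies.

Added example, not code from the KB article. The two sample
templates below are constructed and deliberately short.
"""
import re
from typing import Dict

Template = Dict[str, Dict[str, str]]

# Constructed sample: what 'secedit /export /cfg local.inf' might
# return on a member server (effective settings read from the system).
EFFECTIVE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: what 'secedit /export /mergedpolicy /cfg merged.inf'
# might return on the same Windows Server 2003 system, i.e. only the
# settings that domain policy defines.
MERGED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
# Bookkeeping sections that carry no security settings.
META_SECTIONS = {"Unicode", "Version"}


def parse_secedit_inf(text: str) -> Template:
    """Parse secedit's INF-style template into {section: {key: value}}."""
    result: Template = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # a value before any section header is malformed; skip it
        key, _, value = line.partition("=")
        result[section][key.strip()] = value.strip()
    return result


def read_secedit_export(path: str) -> Template:
    """Load a real export file; secedit writes it as UTF-16 ('Unicode=yes')."""
    with open(path, encoding="utf-16") as fh:
        return parse_secedit_inf(fh.read())


def compare_exports(effective: Template, merged: Template) -> Dict[str, Template]:
    """Split the effective settings into those present in the /mergedpolicy
    export (domain-defined) and those it does not list (local only)."""
    domain: Template = {}
    local_only: Template = {}
    for section, settings in effective.items():
        if section in META_SECTIONS:
            continue
        for key, value in settings.items():
            target = domain if key in merged.get(section, {}) else local_only
            target.setdefault(section, {})[key] = value
    return {"domain": domain, "local_only": local_only}


def main() -> None:
    report = compare_exports(parse_secedit_inf(EFFECTIVE_INF),
                             parse_secedit_inf(MERGED_INF))
    for origin in ("domain", "local_only"):
        print(f"== {origin} ==")
        for section, settings in report[origin].items():
            for key, value in settings.items():
                print(f"[{section}] {key} = {value}")


if __name__ == "__main__":
    main()
```

With the constructed samples, the report lists MaximumPasswordAge, PasswordComplexity and AuditLogonEvents as domain-supplied and the remaining System Access values plus SeShutdownPrivilege as local only. The comparison is keyed on setting names rather than values, because a domain policy that happens to set the same value as the local default is still a domain setting and would be restored from the tattoo table if later undefined.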

For more information about Group Policy settings, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/Library/f546e58e-8473-4985-a05d-0b038dea4a9f1033.mspx