Why some secpol.exe buttons on 2003 server are grayed out.

Posted on 2005-05-08
Last Modified: 2012-06-27
I was trying to change a policy using secpol.exe in 2003 server (to "allow log on through terminal server") but the add button is grayed out.  What is the reason for this?
Question by:r_yague
    LVL 82

    Expert Comment

    That means that there is a group policy active in your domain that defines this policy. As domain policies override local policies, you can't use the local policy to add users here. You can use gpresult.exe to find out from which policy this setting is coming from, and add the necessary group there.

    Author Comment

    You're right oBdA.  It's the Domain Controller Security Policy that was set.  Can you clarify the difference between the Domain Controller Security Policy and the Domain Security Policy.  Do they have the same effect? If not what takes precedence.  Another seperate question is. Are these 2 Policies associated with the secpol.msc and/or gpedit.msc?  And if they do, which is for secpol.msc and which is for gpedit.msc?

    gpresult.exe is new to me...Thanks for the info.  
    LVL 2

    Expert Comment

    gpedit.msc is for the local security policy of the machine. A Group Policy Object (GPO) is applied to Local Computer (via Local Policy), Site, Domain and OU in that order  

    Like r_yague mentioned, gpresult.exe is a good tool to eveluate effective permission but since you are using Windows 2003 you might as well try using the group policy management console. It lays out the order in which policies are being applied in GUI format.
    LVL 82

    Accepted Solution

    There are two standard GPOs created when you setup a new domain:
    * the default domain policy, linked to the domain root
    * the default domain controller policy, linked to the domain controllers OU
    The default domain policy contains domain-wide settings; the domain controller policy contains settings that should only be applied to your DCs. You normally shouldn't edit either of these unless you really know what you're doing. It's better to create additional GPOs and add policies there.
    secpol.msc and gpedit.msc only influence the local policies, which, as you've experienced, will be overridden by a group policy defined at a higher level. The security settings you can define in gpedit.msc are exactly the same you can set using secpol.msc; the gpedit console just has the security policy integrated as well. These are just two different MMCs, one of them (gpedit.msc) doing the same and a bit more than the other.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
    Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now