

Why some secpol.exe buttons on 2003 server are grayed out.

Posted on 2005-05-08
Medium Priority
Last Modified: 2012-06-27
I was trying to change a policy using secpol.exe in 2003 server (to "allow log on through terminal server") but the add button is grayed out.  What is the reason for this?
Question by:r_yague

Expert Comment

ID: 13957668
That means that there is a group policy active in your domain that defines this policy. As domain policies override local policies, you can't use the local policy to add users here. You can use gpresult.exe to find out which policy this setting is coming from, and add the necessary group there.

Author Comment

ID: 13959853
You're right, oBdA. It's the Domain Controller Security Policy that was set. Can you clarify the difference between the Domain Controller Security Policy and the Domain Security Policy? Do they have the same effect? If not, what takes precedence? Another separate question: are these 2 policies associated with secpol.msc and/or gpedit.msc? And if they are, which is for secpol.msc and which is for gpedit.msc?

gpresult.exe is new to me...Thanks for the info.  

Expert Comment

ID: 13961821
gpedit.msc is for the local security policy of the machine. A Group Policy Object (GPO) is applied to Local Computer (via Local Policy), Site, Domain and OU, in that order.

Like r_yague mentioned, gpresult.exe is a good tool to evaluate effective permission, but since you are using Windows 2003 you might as well try using the Group Policy Management Console. It lays out the order in which policies are being applied in GUI format. http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Accepted Solution

oBdA earned 1000 total points
ID: 13962884
There are two standard GPOs created when you set up a new domain:
* the default domain policy, linked to the domain root
* the default domain controller policy, linked to the domain controllers OU
The default domain policy contains domain-wide settings; the domain controller policy contains settings that should only be applied to your DCs. You normally shouldn't edit either of these unless you really know what you're doing. It's better to create additional GPOs and add policies there.
secpol.msc and gpedit.msc only influence the local policies, which, as you've experienced, will be overridden by a group policy defined at a higher level. The security settings you can define in gpedit.msc are exactly the same as those you can set using secpol.msc; the gpedit console just has the security policy integrated as well. These are just two different MMCs, one of them (gpedit.msc) doing the same and a bit more than the other.
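
The precedence described in this thread, as an added example that is not part of the original posts: a small Python model of the Local, Site, Domain, OU processing order for a single user right, showing which GPO wins and whether the local editor can still change it. The GPO contents and the `CONTOSO\helpdesk` principal are constructed sample data, and the model assumes no enforced links or blocked inheritance.

```python
# Added example: models GPO processing order for one security setting.
# All GPO contents below are constructed sample data, not taken from the thread.
from dataclasses import dataclass, field

ORDER = ["local", "site", "domain", "ou"]   # applied in this order; the last one wins
RIGHT = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"

@dataclass
class Gpo:
    name: str
    level: str                                      # one of ORDER
    settings: dict = field(default_factory=dict)    # policy -> principals; absent = Not Defined

def resolve(gpos, policy):
    """Return (winning GPO or None, effective principals, editable_locally)."""
    winner = None
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g.level)):
        if policy in gpo.settings:      # GPOs that leave the policy Not Defined are skipped
            winner = gpo                # a later level replaces the earlier list, no merge
    if winner is None:
        return None, [], True
    # The local console can only change the setting if no domain-based GPO defines it.
    return winner, list(winner.settings[policy]), winner.level == "local"

# Domain controller: sits in the Domain Controllers OU, so both default GPOs apply.
DC_GPOS = [
    Gpo("Local Security Policy", "local", {RIGHT: ["Administrators", "CONTOSO\\helpdesk"]}),
    Gpo("Default Domain Policy", "domain"),
    Gpo("Default Domain Controllers Policy", "ou", {RIGHT: ["Administrators"]}),
]

# Member server outside that OU: only the domain-linked GPO applies on top of local.
MEMBER_GPOS = [
    Gpo("Local Security Policy", "local", {RIGHT: ["Administrators", "CONTOSO\\helpdesk"]}),
    Gpo("Default Domain Policy", "domain"),
]

def report(label, gpos):
    """Summarise the winning GPO, effective list and local editability for RIGHT."""
    winner, principals, editable = resolve(gpos, RIGHT)
    source = winner.name if winner else "Not Defined"
    state = "editable in secpol.msc" if editable else "Add button grayed out"
    return f"{label}: {RIGHT} from '{source}' -> {principals} ({state})"

if __name__ == "__main__":
    print(report("DC", DC_GPOS))
    print(report("Member server", MEMBER_GPOS))
```

On the domain controller the locally added principal never takes effect, because the OU-linked GPO replaces the whole list; the group has to be added in that GPO instead.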
