Solved

Edit special GPO settings

Posted on 2007-12-03
Last Modified: 2013-12-04
I have a special lockdown GPO I created to control workstations in need of heavy security due to PCI requirements. I chose many of the settings in the GPO myself, but I also copied portions from an NSA/MS SSLF template and imported the settings into the GPO.

I noticed that there are some registry settings under Security Options I cannot edit. In the GPMC I can use the settings tab to look in Windows Settings/Security Settings/Local Policies/Security Options/Registry Values and see values set, such as MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation or MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection.

Now it is not that I do not have permission to edit these, I simply cannot find them listed in the GPO in edit mode. So I thought it might be like using the custom administrative templates setting for disabling USB drives, where you have to change the filtering so you can see the policy settings (View>filtering>uncheck Only Show Policy settings that can be fully managed), but I cannot find anything similar.

So I just do not see a way in the GPMC console to edit these portions of the GPO, but I figure if I got them from a template someone made, then there must be some way to modify them either manually or through a file import. Any ideas? Thanks.
 
Question by:dumamo
5 Comments
 

Expert Comment

by:Netman66
There are 3 reasons I can think of:

1)  Those registry keys do not exist on the server where you are attempting to edit the GPO.
2)  You do not have permissions to modify those keys.
3)  The template you have is not correctly written to provide valid values.

0
 

Accepted Solution

by:
CoccoBill earned 500 total points
From the Windows Server 2003 Security Guide (which is where I assume you got the MS SSLF template):

Additional registry entries (also called registry values) were created for the baseline security template files that are not defined within the default Administrative Template (.adm) file for the three security environments that are defined in this guide. The .adm files define the policies and restrictions for the desktop, shell, and security for Windows Server 2003.
These registry entries are embedded within the security templates (in the "Security Options" section) to automate the changes. If the policy is removed, these registry entries are not automatically removed with it; they must be manually changed with a registry editing tool such as Regedt32.exe. The same registry entries are applied across all three environments.
This guide includes additional registry entries that are added to the Security Configuration Editor (SCE). To add these registry entries, you need to modify the Sceregvl.inf file (located in the %windir%\inf folder) and re-register the Scecli.dll file. The original security entries, as well as the additional ones, appear under Local Policies\Security in the snap-ins and tools that are listed earlier in this chapter. You will need to update the Sceregvl.inf file and re-register the Scecli.dll file for any computers on which you will edit the security templates and Group Policies that are provided with this guide. Details about how to update these files are provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
0
 

Author Comment

by:dumamo
CoccoBill,
You seem to be on the right track, though I am not getting anywhere with it. :) I think my problem is which Sceregvl.inf do I edit? I was using the GPMC on my Windows XP laptop connected to the AD server. I have looked in both Windows\INF folders for the file and neither has my settings. The directions above seem to show how they got in there, but since I did not create it, am I out of luck with the Sceregvl.inf I need to edit?

BTW I did use the SSLF in Windows Server 2003 Security Guide as a starter, but I got these settings from NIST.
0
 

Expert Comment

by:CoccoBill
I'm not able to check now and I'm not positive, but I recall that the .inf came with the security guide.
0
 

Author Comment

by:dumamo
I had to re-read what you posted and realized I was looking at it wrong. I was looking in Sceregvl.inf for the actual values so I could edit them. What I had to do was edit Sceregvl.inf to register the registry values I wanted to show in the GPO through the GPMC. I used my local version of Sceregvl.inf. Thanks!!!!
0
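
The check behind the accepted answer and the author's last comment, as an added example that is not part of the original thread: it compares a security template's [Registry Values] section with the [Register Registry Values] section of a local Sceregvl.inf and drafts the registration lines that are missing. The two INF samples are constructed (only the two registry paths from the question come from the page), and the function names and the default display type are assumptions to adjust per value.

```python
# Added example; both INF samples are constructed. Real files on disk are
# often saved as Unicode, so read them with encoding="utf-16" if needed.
TEMPLATE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
[Version]
signature="$CHICAGO$"
"""
SCEREGVL = r"""
[Register Registry Values]
; path,RegType,display name,display type[,choices]
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
[Strings]
AuditBaseObjects = "Audit: Audit the access of global system objects"
"""

def section_lines(inf_text, name):
    """Non-blank, non-comment lines that belong to [name]."""
    out, inside = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == name.lower()
        elif inside:
            out.append(line)
    return out

def template_values(template_text):
    """Map registry path -> RegType from [Registry Values] (path=type,value)."""
    values = {}
    for line in section_lines(template_text, "Registry Values"):
        path, _, data = line.partition("=")
        values[path.strip().strip('"')] = data.split(",", 1)[0].strip()
    return values

def registered_paths(sceregvl_text):
    """Lower-cased paths listed in [Register Registry Values]."""
    return {l.split(",", 1)[0].strip().lower()
            for l in section_lines(sceregvl_text, "Register Registry Values")}

def draft_entries(template_text, sceregvl_text, display_type=1):
    """Draft lines for template values the editor cannot show yet.
    display_type: 0 Boolean, 1 Number, 2 String, 3 Choices (review each)."""
    known = registered_paths(sceregvl_text)
    return [f"{p},{t},%{p.rsplit(chr(92), 1)[-1]}%,{display_type}"
            for p, t in sorted(template_values(template_text).items())
            if p.lower() not in known]
```

Each drafted line also needs a matching entry in [Strings] for its %name% token, and Scecli.dll has to be re-registered afterwards, as the quoted guide describes.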
