Solved

Edit special GPO settings

Posted on 2007-12-03
Last Modified: 2013-12-04
I have a special lockdown GPO I created to control workstations in need of heavy security due to PCI requirements. I chose many of the settings in the GPO myself, but I also copied portions from an NSA/MS SSLF template and imported the settings into the GPO.

I noticed that there are some registry settings under Security Options I cannot edit. In the GPMC I can use the settings tab to look in Windows Settings/Security Settings/Local Policies/Security Options/Registry Values and see values set such as MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation or MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection.

Now it is not that I do not have permission to edit these, I simply cannot find them listed in the GPO in edit mode. So I thought it might be like using the custom administrative templates setting for disabling USB drives, where you have to change the filtering so you can see the policy settings (View>filtering>uncheck Only Show Policy settings that can be fully managed), but I cannot find anything similar.

So I just do not see a way in the GPMC console to edit these portions of the GPO, but I figure if I got them from a template someone made, then there must be some way to modify them either manually or through a file import. Any ideas? Thanks.
 
Question by:dumamo
 
LVL 51

Expert Comment

by:Netman66
ID: 20400467
There are 3 reasons I can think of:

1)  Those registry keys do not exist on the server where you are attempting to edit the GPO.
2)  You do not have permissions to modify those keys.
3)  The template you have is not correctly written to provide valid values.

0
 
LVL 19

Accepted Solution

by:
CoccoBill earned 500 total points
ID: 20401659
From the Windows Server 2003 Security Guide (which is where I assume you got the MS SSLF template):

Additional registry entries (also called registry values) were created for the baseline security template files that are not defined within the default Administrative Template (.adm) file for the three security environments that are defined in this guide. The .adm files define the policies and restrictions for the desktop, shell, and security for Windows Server 2003.
These registry entries are embedded within the security templates (in the "Security Options" section) to automate the changes. If the policy is removed, these registry entries are not automatically removed with it; they must be manually changed with a registry editing tool such as Regedt32.exe. The same registry entries are applied across all three environments.
This guide includes additional registry entries that are added to the Security Configuration Editor (SCE). To add these registry entries, you need to modify the Sceregvl.inf file (located in the %windir%\inf folder) and re-register the Scecli.dll file. The original security entries, as well as the additional ones, appear under Local Policies\Security in the snap-ins and tools that are listed earlier in this chapter. You will need to update the Sceregvl.inf file and re-register the Scecli.dll file for any computers on which you will edit the security templates and Group Policies that are provided with this guide. Details about how to update these files are provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
0
 

Author Comment

by:dumamo
ID: 20429212
CoccoBill,
You seem to be on the right track, though I am not getting anywhere with it. :) I think my problem is what Sceregvl.inf do I edit? I was using the GPMC on my Windows XP laptop connected to the AD server. I have looked in both Windows\INF folders for the file and neither has my settings. The directions above seem to show how they got in there, but since I did not create it, am I out of luck with the Sceregvl.inf I need to edit?

BTW I did use the SSLF in Windows Server 2003 Security Guide as a starter, but I got these settings from NIST.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20431480
I'm not able to check now and I'm not positive, but I recall that the .inf came with the security guide.
0
 

Author Comment

by:dumamo
ID: 20450767
I had to re-read what you posted and realized I was looking at it wrong. I was looking in Sceregvl.inf for the actual values so I could edit them. What I had to do was edit Sceregvl.inf to register the registry values I wanted to show in the GPO through the GPMC. I used my local version of Sceregvl.inf. Thanks!!!!
0
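The registration step this thread arrives at, as an added example that is not part of the original posts: it compares the `[Registry Values]` a security template sets with the `[Register Registry Values]` section of a local Sceregvl.inf and produces the entries that are missing, which are the settings the editor hides. The sample file contents, the names `TEMPLATE`, `SCEREGVL` and `missing_entries`, the display-type defaults and the "Custom:" display names are assumptions for illustration.

```python
# Added example: which registry values does a security template set that the
# local sceregvl.inf does not register (and the editor therefore hides)?

# Constructed sample: part of a security template (.inf) imported into a GPO.
TEMPLATE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
"""

# Constructed sample: part of a local %windir%\inf\sceregvl.inf.
# Entry layout: path,registry type,display name,display type[,choices]
SCEREGVL = r"""
[Register Registry Values]
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection,4,%ForceKeyProtection%,3,0|%CryptAllowNoUI%,1|%CryptAllowNoPass%,2|%CryptUsePass%
[Strings]
ForceKeyProtection = "System cryptography: Force strong key protection for user keys stored on the computer"
"""

# Assumed default editor per registry type: REG_SZ -> string, REG_DWORD ->
# number, REG_MULTI_SZ -> multi-valued. Adjust by hand (0 = enabled/disabled).
DISPLAY_FOR_TYPE = {1: 2, 4: 1, 7: 4}

def section(text, name):
    """Return the non-comment lines of one [section] of an INF file."""
    lines, inside = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == name.lower()
        elif inside and line and not line.startswith(";"):
            lines.append(line)
    return lines

def missing_entries(template, sceregvl):
    """Return (lines for [Register Registry Values], lines for [Strings])."""
    known = {entry.split(",")[0].strip().lower()
             for entry in section(sceregvl, "Register Registry Values")}
    register, strings = [], []
    for line in section(template, "Registry Values"):
        path, _, data = line.partition("=")
        path, reg_type = path.strip(), int(data.split(",")[0])
        if path.lower() in known:
            continue  # already registered, so the editor already shows it
        token = path.rsplit("\\", 1)[-1]
        display = DISPLAY_FOR_TYPE.get(reg_type, 2)
        register.append(f"{path},{reg_type},%{token}%,{display}")
        strings.append(f'{token} = "Custom: {token}"')  # placeholder name
    return register, strings

if __name__ == "__main__":
    for block in missing_entries(TEMPLATE, SCEREGVL):
        print("\n".join(block))
```

After the generated lines are added to the local Sceregvl.inf, Scecli.dll has to be re-registered (`regsvr32 scecli.dll`) before the editor picks them up, as the quoted guide says. Real template and Sceregvl.inf files may be saved as UTF-16, so read them with the matching encoding.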
