Solved

Edit special GPO settings

Posted on 2007-12-03
Last Modified: 2013-12-04
I have a special lockdown GPO I created to control workstations in need of heavy security due to PCI requirements. I chose many of the settings in the GPO myself, but I also copied portions from an NSA/MS SSLF template and imported the settings into the GPO.

I noticed that there are some registry settings under Security Options I cannot edit. In the GPMC I can use the settings tab to look in Windows Settings/Security Settings/Local Policies/Security Options/Registry Values and see values set, such as MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation or MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection

Now it is not that I do not have permission to edit these, I simply cannot find them listed in the GPO in edit mode. So I thought it might be like using the custom administrative templates setting for disabling USB drives, where you have to change the filtering so you can see the policy settings (View>filtering>uncheck Only Show Policy settings that can be fully managed), but I cannot find anything similar.

So I just do not see a way in the GPMC console to edit these portions of the GPO, but I figure if I got them from a template someone made, then there must be some way to modify them either manually or through a file import. Any ideas? Thanks.
 
Question by:dumamo
5 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20400467
There are 3 reasons I can think of:

1)  Those registry keys do not exist on the server where you are attempting to edit the GPO.
2)  You do not have permissions to modify those keys.
3)  The template you have is not correctly written to provide valid values.

0
 
LVL 19

Accepted Solution

by:
CoccoBill earned 2000 total points
ID: 20401659
From the Windows Server 2003 Security Guide (which is where I assume you got the MS SSLF template):

Additional registry entries (also called registry values) were created for the baseline security template files that are not defined within the default Administrative Template (.adm) file for the three security environments that are defined in this guide. The .adm files define the policies and restrictions for the desktop, shell, and security for Windows Server 2003.
These registry entries are embedded within the security templates (in the "Security Options" section) to automate the changes. If the policy is removed, these registry entries are not automatically removed with it; they must be manually changed with a registry editing tool such as Regedt32.exe. The same registry entries are applied across all three environments.
This guide includes additional registry entries that are added to the Security Configuration Editor (SCE). To add these registry entries, you need to modify the Sceregvl.inf file (located in the %windir%\inf folder) and re-register the Scecli.dll file. The original security entries, as well as the additional ones, appear under Local Policies\Security in the snap-ins and tools that are listed earlier in this chapter. You will need to update the Sceregvl.inf file and re-register the Scecli.dll file for any computers on which you will edit the security templates and Group Policies that are provided with this guide. Details about how to update these files are provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
0
 

Author Comment

by:dumamo
ID: 20429212
CoccoBill,
You seem to be on the right track, though I am not getting anywhere with it. :) I think my problem is what Sceregvl.inf do I edit? I was using the GPMC on my Windows XP laptop connected to the AD server. I have looked in both Windows\INF folders for the file and neither has my settings. The directions above seem to show how they got in there, but since I did not create it, am I out of luck with the Sceregvl.inf I need to edit?

BTW I did use the SSLF in Windows Server 2003 Security Guide as a starter, but I got these settings from NIST.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20431480
I'm not able to check now and I'm not positive, but I recall that the .inf came with the security guide.
0
 

Author Comment

by:dumamo
ID: 20450767
I had to re-read what you posted and realized I was looking at it wrong. I was looking in Sceregvl.inf for the actual values so I could edit them. What I had to do was edit Sceregvl.inf to register the registry values I wanted to show in the GPO through the GPMC. I used my local version of Sceregvl.inf. Thanks!!!!
0
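As an added example (not code from the thread or from the Microsoft guide), the check below lists which registry values in a security template are not registered in a Sceregvl.inf and therefore will not appear for editing under Security Options on that machine. Both INF texts are constructed samples, the function names are hypothetical, and the entry layouts are the ones assumed in the comments.

```python
# Constructed samples: a cut-down Sceregvl.inf and a cut-down security template.
SCEREGVL_INF = r"""
[Register Registry Values]
; path,registry type,display name,display type
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0
"""

TEMPLATE_INF = r"""
[Registry Values]
; path=registry type,value
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
"""

def read_section(inf_text, name):
    """Return the non-comment, non-blank lines of one [section] of an INF file."""
    lines, inside = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            inside = line.strip("[]").lower() == name.lower()
        elif inside and line and not line.startswith(";"):
            lines.append(line)
    return lines

def registered_paths(sceregvl_text):
    """Registry paths the editor knows how to display (compared case-insensitively)."""
    entries = read_section(sceregvl_text, "Register Registry Values")
    return {entry.split(",", 1)[0].strip().lower() for entry in entries}

def template_values(template_text):
    """Map each registry path set by the template to (registry type, value)."""
    values = {}
    for entry in read_section(template_text, "Registry Values"):
        path, _, data = entry.partition("=")
        reg_type, _, value = data.partition(",")
        values[path.strip()] = (int(reg_type), value.strip())
    return values

def hidden_values(sceregvl_text, template_text):
    """Template values that are applied by the GPO but not registered for display."""
    known = registered_paths(sceregvl_text)
    return sorted(p for p in template_values(template_text) if p.lower() not in known)

if __name__ == "__main__":
    for path in hidden_values(SCEREGVL_INF, TEMPLATE_INF):
        print("not registered in Sceregvl.inf:", path)
```

Each path it reports needs an entry in the local Sceregvl.inf, followed by re-registering Scecli.dll as the quoted guide describes, before it shows up in the editor.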
