LocalGPO problem on non-English Windows XP SP3

    Question

  • I'm using Chinese Windows XP SP3, and want to modify the SCE to display MSS settings by using the local policy tool.

    When I launch the following command

    LocalGPO.wsf /configSCE

    in the command prompt, it returns an error. I thought it might be something wrong in the function UpdateSCEwithMSSValues.

    But if I reset the SCE first, then I can configure the SCE to display MSS settings:

    LocalGPO.wsf /resetSCE

    LocalGPO.wsf /configSCE

    Another issue is that after resetting the SCE, the local policy of group policies under computer settings changed to English.

    The following is the content of sceregvl.inf:

    ; (c) Microsoft Corporation 1997-2000
    ;
    ; Security Configuration Template for Security Configuration Editor
    ;
    ; Template Name:        SCERegVl.INF
    ; Template Version:     05.00.DR.0000
    ;
    ; Revision History
    ; 0000  -	Original
    
    [version]
    signature="$CHICAGO$"
    DriverVer=07/01/2001,5.1.2600.5512
    
    [Register Registry Values]
    ;
    ; Syntax: RegPath,RegType,DisplayName,DisplayType,Options
    ; where
    ;	  RegPath:	Includes the registry keypath and value
    ;	  RegType:	1 - REG_SZ, 2 - REG_EXPAND_SZ, 3 - REG_BINARY, 4 - REG_DWORD, 7 - REG_MULTI_SZ
    ; 	  Display Name:	Is a localizable string defined in the [strings] section
    ; 	  Display type:	0 - boolean, 1 - Number, 2 - String, 3 - Choices, 4 - Multivalued, 5 - Bitmask
    ;	  Options:	If Displaytype is 3 (Choices) or 5 (Bitmask), then specify the range of values and corresponding display strings
    ;			in value|displaystring format separated by a comma.
    
    
    MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds,4,%DisableDomainCreds%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous,4,%EveryoneIncludesAnonymous%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest,4,%ForceGuest%,3,0|%Classic%,1|%GuestBased%
    MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec,4,%NTLMMinServerSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%
    MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner,4,%NoDefaultAdminOwner%,3,0|%DefaultOwner0%,1|%DefaultOwner1%
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM,4,%RestrictAnonymousSAM%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0
    MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,4,%FIPS%,0
    
    MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0
    
    MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine,7,%AllowedPaths%,4
    
    MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive,4,%ObCaseInsensitive%,0
    MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%,0
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0
    
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes%
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes,7,%NullPipes%,4
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4
    
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0
    
    MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity,4,%LDAPClientIntegrity%,3,0|%LDAPClient0%,1|%LDAPClient1%,2|%LDAPClient2%
    
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge,4,%MaximumPWAge%,1,%Unit-Days%
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange,4,%RefusePWChange%,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0
    
    MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity,4,%LDAPServerIntegrity%,3,1|%LDAPServer1%,2|%LDAPServer2%
    
    MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
    
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId,4,%DontDisplayLockedUserId%,3,1|%LockedUserID0%,2|%LockedUserID1%,3|%LockedUserID2%
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,7,%LegalNoticeText%,4
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption,4,%ScForceOption%,0
    
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon,4,%UndockWithoutLogon%,0
    
    
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0
    
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon,4,%ForceUnlockLogon%,0
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%
    
    MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction,1,%DCOMLaunchRestriction%,2
    MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction,1,%DCOMAccessRestriction%,2
    
    ; delete these values from the UI - Rdr in case NT4 w SCE
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel
    MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers
    MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature
    MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature
    MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword
    MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature
    MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature
    MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
    MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID
    MACHINE\Software\Microsoft\Non-Driver Signing\Policy
    
    [Strings]
    
    ;================================ Accounts ============================================================================
    ;Specified in UI code - Accounts: Administrator account status
    ;Specified in UI code - Accounts: Guest account status
    ;Specified in UI code - Accounts: Rename administrator account
    ;Specified in UI code - Accounts: Rename guest account
    LimitBlankPasswordUse = "帐户: 使用空白密码的本地帐户只允许进行控制台登录"
    
    
    ;================================ Audit ===============================================================================
    AuditBaseObjects="审计: 对全局系统对象的访问进行审计"
    FullPrivilegeAuditing="审计: 对备份和还原权限的使用进行审计"
    CrashOnAuditFail="审计: 如果无法纪录安全审计则立即关闭系统"
    
    ;================================ Devices =============================================================================
    AllocateDASD="设备: 允许格式化和弹出可移动媒体"
    AllocateDASD0="Administrators"
    AllocateDASD1="Administrators 和 Power Users"
    AllocateDASD2="Administrators 和 Interactive Users"
    AddPrintDrivers="设备: 防止用户安装打印机驱动程序"
    AllocateCDRoms="设备: 只有本地登录的用户才能访问 CD-ROM"
    AllocateFloppies="设备: 只有本地登录的用户才能访问软盘"
    DriverSigning="设备: 未签名驱动程序的安装操作"
    DriverSigning0="默认继续 "
    DriverSigning1="允许安装但发出警告"
    DriverSigning2="禁止安装"
    UndockWithoutLogon="设备: 允许不登录脱离"
    
    ;================================ Domain controller ====================================================================
    SubmitControl="域控制器: 允许服务器操作员计划任务"
    RefusePWChange="域控制器: 拒绝更改机器帐户密码"
    LDAPServerIntegrity = "域控制器: LDAP 服务器签名要求"
    LDAPServer1 = "无"
    LDAPServer2 = "要求签名"
    
    ;================================ Domain member ========================================================================
    DisablePWChange="域控制器: 禁用更改机器帐户密码"
    MaximumPWAge="域控制器: 最长机器帐户密码寿命"
    SignOrSeal="域成员: 对安全通道数据进行数字加密或签名 (总是)"
    SealSecureChannel="域成员: 对安全通道数据进行数字加密 (如果可能)"
    SignSecureChannel="域成员: 对安全通道数据进行数字签名 (如果可能)"
    StrongKey="域成员: 需要强 (Windows 2000 或以上版本) 会话密钥"
    
    ;================================ Interactive logon ====================================================================
    DisableCAD = "交互式登录: 不需要按 CTRL+ALT+DEL"
    DontDisplayLastUserName = "交互式登录: 不显示上次的用户名"
    DontDisplayLockedUserId = "交互式登录: 会话锁定时显示用户信息"
    LockedUserId0 = "用户显示名称、域和用户名"
    LockedUserId1 = "用户只显示名称"
    LockedUserId2 = "不显示用户信息"
    LegalNoticeText = "交互式登录: 用户试图登录时消息文字"
    LegalNoticeCaption = "交互式登录: 用户试图登录时消息标题"
    CachedLogonsCount = "交互式登录: 可被缓冲保存的前次登录个数 (在域控制器不可用的情况下)"
    PasswordExpiryWarning = "交互式登录: 在密码到期前提示用户更改密码"
    ForceUnlockLogon = "交互式登录: 要求域控制器身份验证以脱离工作站"
    ScForceOption = "交互式登录: 要求智能卡"
    ScRemove = "交互式登录: 智能卡移除操作"
    ScRemove0 = "无操作"
    ScRemove1 = "锁定工作站"
    ScRemove2 = "强制注销"
    
    
    ;================================ Microsoft network client =============================================================
    RequireSMBSignRdr="Microsoft 网络客户: 数字签字的通信(总是)"
    EnableSMBSignRdr="Microsoft 网络客户: 数字签字的通信(若服务器同意)"
    EnablePlainTextPassword="Microsoft 网络客户: 发送未加密的密码到第三方 SMB 服务器。"
    
    ;================================ Microsoft network server =============================================================
    AutoDisconnect="Microsoft 网络服务器: 在挂起会话之前所需的空闲时间"
    RequireSMBSignServer="Microsoft 网络服务器: 数字签字的通信(总是)"
    EnableSMBSignServer="Microsoft 网络服务器: 数字签字的通信(若客户同意)"
    EnableForcedLogoff="Microsoft 网络服务器: 当登录时间用完时自动注销用户"
    
    ;================================ Network access =======================================================================
    ;Specified in UI code - Network access: Allow anonymous SID/Name translation
    DisableDomainCreds = "网络访问: 不允许为网络身份验证储存凭据或 .NET Passports"
    RestrictAnonymousSAM = "网络访问: 不允许 SAM 帐户的匿名枚举"
    RestrictAnonymous = "网络访问: 不允许 SAM 帐户和共享的匿名枚举"
    EveryoneIncludesAnonymous = "网络访问: 让“每个人”权限应用于匿名用户"
    NullPipes = "网络访问: 可匿名访问的命名管道"
    NullShares = "网络访问: 可匿名访问的共享"
    AllowedPaths = "网络访问: 可远程访问的注册表路径"
    ForceGuest = "网络访问: 本地帐户的共享和安全模式"
    Classic = "经典 - 本地用户以自己的身份验证"
    GuestBased = "仅来宾 - 本地用户以来宾身份验证"
    
    ;================================ Network security =====================================================================
    ;Specified in UI code - Network security: Enforce logon hour restrictions
    NoLMHash = "网络安全: 不要在下次更改密码时存储 LAN Manager 的 Hash 值"
    LmCompatibilityLevel = "网络安全: LAN Manager 身份验证级别"
    LMCLevel0 = "发送 LM & NTLM 响应"
    LMCLevel1 = "发送 LM & NTLM - 如果已协商,使用 NTLMv2 会话安全"
    LMCLevel2 = "仅发送 NTLM 响应"
    LMCLevel3 = "仅发送 NTLMv2 响应"
    LMCLevel4 = "仅发送 NTLMv2 响应\拒绝 LM"
    LMCLevel5 = "仅发送 NTLMv2 响应\拒绝 LM & NTLM"
    NTLMMinClientSec = "网络安全设置: 基于 NTLM SSP(包括安全 RPC)客户的最小会话安全"
    NTLMMinServerSec = "网络安全设置: 基于 NTLM SSP(包括安全 RPC)服务器的最小会话安全"
    NTLMIntegrity = "要求消息的完整性"
    NTLMConfidentiality = "要求消息的保密性"
    NTLMv2Session = "要求 NTLMv2 会话安全"
    NTLM128 = "要求 128-位 加密"
    LDAPClientIntegrity = "网络安全: LDAP 客户签名要求"
    LDAPClient0 = "无"
    LDAPClient1 = "协商签名"
    LDAPClient2 = "要求签名"
    
    ;================================ Recovery console ====================================================================
    RCAdmin="故障恢复控制台: 允许自动系统管理级登录"
    RCSet="故障恢复控制台: 允许对所有驱动器和文件夹进行软盘复制和访问"
    
    ;================================ Shutdown ============================================================================
    ShutdownWithoutLogon="关机: 允许在未登录前关机"
    ClearPageFileAtShutdown="关机: 清理虚拟内存页面文件"
    
    ProtectionMode = "系统对象: 增强内部系统对象的默认权限 (例如 Symbolic Links)"
    NoDefaultAdminOwner = "系统对象: 由 Administrators 组成员所创建的对象默认所有者"
    DefaultOwner0 = "Administrators group"
    DefaultOwner1 = "Object creator"
    ObCaseInsensitive = "系统对象: 对非 Windows 子系统不要求区分大小写"
    
    ;================================ System cryptography =================================================================
    FIPS="系统加密: 使用 FIPS 兼容的算法来加密,散列和签名"
    
    Unit-Logons="次登录"
    Unit-Days="天"
    Unit-Minutes="分钟"
    
    ;================================ DCOM Machine Restrictions ===========================================================
    DCOMLaunchRestriction="DCOM: 安全描述符定义语言(SDDL)语法中的计算机启动限制"
    DCOMAccessRestriction="DCOM: 安全描述符定义语言(SDDL)语法中的计算机访问限制"
    
    

    Wednesday, October 24, 2012 8:16 AM
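As an added example (not code from the thread or from LocalGPO), a small checker for the [Register Registry Values] / [Strings] layout of the sceregvl.inf above: it resolves %Token% display names against [Strings] case-insensitively, as INF keys are, and reports rows whose tokens are unresolved or whose display text is not ASCII, which is the localized condition this thread is about. It assumes nothing about how LocalGPO's UpdateSCEwithMSSValues works; the sample input is a constructed excerpt.

```python
import re
# Constructed excerpt in the layout of the sceregvl.inf above; the LockedUserID0 / LockedUserId0 case mismatch is copied from the real file.
SAMPLE_INF = r"""
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId,4,%DontDisplayLockedUserId%,3,1|%LockedUserID0%,2|%LockedUserID1%
; delete these values from the UI - bare paths carry no fields
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
[Strings]
NoLMHash = "网络安全: 不要在下次更改密码时存储 LAN Manager 的 Hash 值"
DontDisplayLockedUserId = "Interactive logon: Display user information when the session is locked"
LockedUserId0 = "User display name, domain and user names"
"""

TOKEN = re.compile(r"%([^%]+)%")

def parse_inf(text):
    # Returns ([Register Registry Values] rows, [Strings] table keyed in lower case).
    section, rows, strings = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "register registry values":
            parts = line.split(",")                    # RegPath,RegType,DisplayName,DisplayType,Options
            if len(parts) >= 4:                        # bare paths (UI deletions) carry no fields
                rows.append({"path": parts[0], "regtype": int(parts[1]), "display": parts[2],
                             "dtype": int(parts[3]), "options": parts[4:]})
        elif section == "strings":
            key, _, val = line.partition("=")
            strings[key.strip().lower()] = val.strip().strip('"')  # INF keys are case-insensitive
    return rows, strings

def resolve(field, strings):
    # Replace each %Token% with its [Strings] value; unknown tokens are left in place.
    return TOKEN.sub(lambda m: strings.get(m.group(1).lower(), m.group(0)), field)

def check_strings(text):
    # Per row: (value name, display string, unresolved tokens, any non-ASCII display text).
    rows, strings = parse_inf(text)
    report = []
    for row in rows:
        resolved = [resolve(f, strings) for f in [row["display"]] + row["options"]]
        missing = sorted({t for f in resolved for t in TOKEN.findall(f)})
        localized = any(not s.isascii() for s in resolved)
        report.append((row["path"].rsplit("\\", 1)[1], resolved[0], missing, localized))
    return report
```

Run against a full sceregvl.inf, the report shows which MSS or policy rows would only match by their localized display text and which %Token% references have no [Strings] entry at all.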

Answers

  • Red;

    Unfortunately that feature of LocalGPO only works when running Windows with an English user interface. What you are seeing is expected behavior. However, you can apply the settings using LocalGPO without using the configSCE feature.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Wednesday, October 24, 2012 4:33 PM
    Owner

All replies

  • Thanks, Kurt

    It's too bad; I have to manually configure the SCE to display MSS settings.

    I hope LocalGPO can work on Windows with a non-English user interface in the future.

    Regards,

    Red_sc

    Thursday, October 25, 2012 1:03 AM