none
Bug? Policy only allows decimal values and can't handle required hex size

    Question

  • Trying to set a policy for Network Security: Configure encryption types allowed for Kerberos” from Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options This setting has a checkbox for several methods which is saved in the registry as a hex string. When I try to import that setting into SCM via GPOimport (I don't think it was there to start), the configured value box is limited to taking a value of 0-9999. The imported policy shows a decimal number of 10 digits, but when added to my baseline, I can't add that 10 digit number. Need either the ability to specify hex if the registry requires it or be able to enter the decimal value?
    Tuesday, December 06, 2011 5:09 PM

Answers

  • Looks like a bug, I thought we implemented that as a drop-down list in SCM so that you could select any of the combinations of encryption methods. Not sure where things went sideways with it, I'll have to research it.
    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by skapinos Tuesday, December 06, 2011 11:22 PM
    Tuesday, December 06, 2011 11:10 PM
    Owner

All replies

  • Looks like a bug, I thought we implemented that as a drop-down list in SCM so that you could select any of the combinations of encryption methods. Not sure where things went sideways with it, I'll have to research it.
    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by skapinos Tuesday, December 06, 2011 11:22 PM
    Tuesday, December 06, 2011 11:10 PM
    Owner
  • It should probably be the checkboxes like the GPObject editor is, else the # of combinations is too high for a drop down list. 

     

    Question is, is there anyway to import a GPO into SCM and merge with a baseline without losing the existing value?  Or should I export the baseline from SCM, and then edit the GPO in the full GPOEditor.

    I suppose I can just layer the GPOs onto the target machine thanks to LocalGPO tool, but I'm trying to get one package in SCM if possible as it's a nice UI to organize, review, etc in.

    Tuesday, December 06, 2011 11:22 PM
  • I agree that the list would be too long Skapinos, but SCM and our internal tools have limitations and right now we can't implement checkboxes the way the group policy editor does.

     

    You should be able to define the setting in a GPO in the GPMC, create a backup of the GPO, then import the GPO into SCM, and finally merge it into an existing baseline.


    Kurt Dillard http://www.kurtdillard.com
    Wednesday, December 07, 2011 8:17 PM
    Owner
  • Ok, I will explore that.  I've defaulted to going to a domain member now, loading GPMC, loading in my GPOExport from SCM, tweaking, backing up in GPMC, and applying to the target using LocalGPO.

     

    I would have liked to avoid going to GPMC but that was the crutch for now.  I will explore if importing the GPO back into SCM will work for ongoing upkeep.  I wasn't having success earlier with tweaking on the target machine, exporting via localGPO and importing into SCM.. but there may have been other factors getting my wires crossed.  I think earlier what I was trying to do was import, associate to the OS, and then ADD the setting to my baseline.  That causes the imported configured value to be lost.  But if I merge, I can keep the imported setting.  Merging is harder because I must merge ALL settings vs cherry picking.  But I'm starting to learn the ins and outs that make it easier to get to the end goal.

    Wednesday, December 07, 2011 9:12 PM