I am piloting DHCP nap in production now. I can see in the group policy management console that security center is disabled on domain computers. I tried to turn in on from the local group policy with no luck. I really dont want to have the existing GP changed to enable security center yet. Two odd things here:<br/> <br/> 1. Even though the security center is disabled by the domain GP, it tells me &quot;not configured&quot; when I look at the local group policy.<br/> 2. When I turn it on on the local machine, I still get an error in the logs saying that security center cannot be started because of a software group policy restriction. <br/> <br/> Any thoughts?<br/>   <hr class=sig> Mayur© 2009 Microsoft Corporation. All rights reserved.Tue, 07 Jul 2009 21:16:43 Zd31c600e-b1bc-4a8b-8938-c7d6defc9f18http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#d31c600e-b1bc-4a8b-8938-c7d6defc9f18http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#d31c600e-b1bc-4a8b-8938-c7d6defc9f18Mayur Kirtihttp://social.technet.microsoft.com/Profile/en-US/?user=Mayur%20KirtiI am piloting DHCP nap in production now. I can see in the group policy management console that security center is disabled on domain computers. I tried to turn in on from the local group policy with no luck. I really dont want to have the existing GP changed to enable security center yet. Two odd things here:<br/> <br/> 1. Even though the security center is disabled by the domain GP, it tells me &quot;not configured&quot; when I look at the local group policy.<br/> 2. When I turn it on on the local machine, I still get an error in the logs saying that security center cannot be started because of a software group policy restriction. <br/> <br/> Any thoughts?<br/>   <hr class=sig> MayurThu, 02 Jul 2009 14:44:35 Z2009-07-02T15:08:21Zhttp://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#346aa268-4a8b-423a-90fe-8f4ecb9bd116http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#346aa268-4a8b-423a-90fe-8f4ecb9bd116Greg Lindsayhttp://social.technet.microsoft.com/Profile/en-US/?user=Greg%20Lindsay<p>Hi,</p> <p>You might be looking at a different setting in Group Policy. There is <a href="http://technet.microsoft.com/en-us/library/cc725578(WS.10).aspx">a setting</a> that controls whether or not the Security Center user interface is enabled. This is different from starting or stopping the service. I'm afraid the setting isn't very clear about this.</p> <p>If you want to test DHCP NAP without modifying domain GP, you can use non domain-joined computers, or use a different SHA/SHV than the WSHA/WSHV which requires the Security Center service.<br/><br/>If possible, create a temporary OU for your test. Place your NAP clients in this OU and create a GPO that applies only to this OU. Turn the Security Center service on here it will supercede/override the domain policy. I haven't tried this, but it should work according to <a href="http://technet.microsoft.com/en-us/library/cc778096(WS.10).aspx">Policy Inheritance</a> which states: &quot;If a policy setting that is configured for a parent organizational unit is incompatible with the same policy setting that is configured for a child organizational unit (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied.&quot;<br/><br/>-Greg</p>Fri, 03 Jul 2009 05:03:41 Z2009-07-03T05:03:41Zhttp://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#a7098e53-ecc0-4440-930f-84867350e60bhttp://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#a7098e53-ecc0-4440-930f-84867350e60bMayur Kirtihttp://social.technet.microsoft.com/Profile/en-US/?user=Mayur%20KirtiThanks, this worked. Why does local policy not overwrite the domain policy in this case?<hr class="sig">MayurTue, 07 Jul 2009 21:10:02 Z2009-07-07T21:10:02Zhttp://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#b25a2e56-a689-4923-9067-7e08c0131423http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/d31c600e-b1bc-4a8b-8938-c7d6defc9f18#b25a2e56-a689-4923-9067-7e08c0131423Greg Lindsayhttp://social.technet.microsoft.com/Profile/en-US/?user=Greg%20Lindsay<p>Hi,</p> <p>I'm not sure about all cases, but I think it's designed so that local users can't override domain policy.<br/><br/>-Greg</p>Tue, 07 Jul 2009 21:16:43 Z2009-07-07T21:16:43Z