none
Windows 2003 workstation (not a domain member) and SCM baseline converted to DCM

    Question

  • Hi,

    We have a few servers we want to use DCM against that are not domain members. We have created a baseline in SCM from the WS03-EC-Member-Server baseline and exported it to a GPO backup. Next we used LocalGPO tool to import the settings on to the server. If we use Local Security Setting tool on the server, we can see the setting have been applied correctly. But when we evaluate the server against the DCM baseline created from the same baseline used to create the GPO backup, the server is found to be non-compliant, in fact it doesn't seem to see any of the settings. Does anyone know what might cause this?

    Thursday, February 17, 2011 7:49 PM

All replies

  • If it is showing Non-compliant, is it reporting 0 instances found, or is it finding something that is different than the expected value?
    This posting is provided "AS IS", provides no warranties, and confers no rights. -- Kevin
    • Marked as answer by Robinson Zhang Tuesday, March 01, 2011 3:18 AM
    • Unmarked as answer by rich1233 Tuesday, March 01, 2011 1:31 PM
    Monday, February 28, 2011 7:03 PM
  • It is showing results other then expected.

     

    For example for the "Audit account logon events" setting, it is looking for the result of "Success", but reporting the current value as "No Audting", eve thoigh when I launch the Local Security settings MMC and look I see the Audit Account logon events is set to "Success"

    Monday, February 28, 2011 7:17 PM
  • This is strange.  I would think if it were a bug it would just not be finding the setting.  The fact that it is discovering a valid result of "No Auditing", it must be getting it from somewhere.

    So, the question is, is this related to rights (DCM runs as system account on the machine), or is it related to local policy vs. domain policy?

    I don't know much about GPO, but that's where I'd start looking.

     

    Kevin


    This posting is provided "AS IS", provides no warranties, and confers no rights. -- Kevin
    Wednesday, March 02, 2011 12:25 AM
  • "I don't know much about GPO, but that's where I'd start looking."

    That is part of the problem, since the PC are not domain members, there is no group policy, only the Local policy.

    Wednesday, March 02, 2011 8:07 PM