How to manage local security policy?

    Question

  • Hi, I want to manage the local security policy (secpol.msc) on Windows 2008 Core.
    From Windows Vista or 2008 full, I cannot get connected because the "connect to" option is missing.
    How can I manage the local security policy from another PC?
    How can I manage the local security policy through the Windows 2008 Core console?
    Thanks a lot
    Regards
    Mirko
    Friday, August 01, 2008 11:33 AM

Answers

  •  

    Hi Mirko,

     

    To configure password complexity policy on a server core machine, you can first setup the security policy on a Windows Server 2008 full edition, export the configured policy to a .inf file, and then use the “secedit” tool to import the group policy to the Server Core computer.

     

    On reference computer

    ------------------------------

    1.       Click Start -> Run, type “secpol.msc”, to open the Security Policy tool.

    2.       Configure the Password Policy as required.

    3.       Right click “Security Settings”, and click “Export Policy…” to export the settings to a .inf file.

    4.       Copy the .inf file to the server core computer.

     

    On Server Core computer

    -------------------------------

    Run the following command to import the policy file:

     

    Secedit /configure /db secedit.sdb /cfg <Path to the exported .inf file>


    Laura Zhang - MSFT
    Tuesday, August 05, 2008 4:06 AM

All replies

  • Perform the following steps to configure the Local Settings on a remote machine from a Windows Vista machine: (works with Server Core installations of Windows Server 2008)
        
    1. Ensure the firewall on the remote machine permits the traffic.
    2. If you're using different user names and/or passwords on both machines use cmdkey.exe to store these credentials.
    3. Press start and type mmc.exe followed by [ctrl] + [shift] + [enter]
      (when UAC is enabled allow it to run as administrator)
    4. In the Microsoft Management Console go to the File menu and select Add/Remove Snap-In...
    5. Select the Group Policy Object Editor from the list on the left and press the Add> button.
    6. In the Welcome to the Group Policy Wizard press the Browse button.
    7. Select Another computer and type the name or IP address of the remote machine
    8. Press OK
    9. Press Finish
    10. Press OK

    You can now manage the local policy on the remote computer.
    You can save the Management Console if you wish by using the Save option from the File menu.

    Friday, August 01, 2008 12:33 PM
  • Thank you.
    I know those steps, but I cannot manage the "local security policy" in this way.
    I simply want to disable the password complexity policy.
    Thanks
    Mirko
    Friday, August 01, 2008 2:33 PM
  • Thanks Laura!!
    Mirko
    Saturday, August 09, 2008 7:56 PM
  • Laura,
        This is one of those things that appears to work, but doesn't.  I followed your steps, and configured the account lockout to lock the account after 10 bad attempts.  However, Remote Desktop seems to allow me to try any number of attempts with no lockout.  Any ideas?

    Donald Roy Airey
    Thursday, October 09, 2008 2:55 PM
  • I have the same problem; I've copied a test security template to the core server installation. When I try to import the inf file, or even analyze the current database, I get no error msg and just a standard output on how the command should be executed:

    C:\Windows\security\database>secedit /configure /db secedit.sdb /cfg securityPolicy.inf

    Allows you to configure a system with security settings stored in a database.

    The syntax of this command is:

    secedit /configure /db filename [/cfg filename] [/overwrite][/areas area1 area2...] [/log filename] [/quiet]

                /db filename - Specifies the database used to perform the security configuration.

                /cfg filename - Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.

                /overwrite - Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database.  If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

                /areas - Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space.  The following security areas are supported:

                            SECURITYPOLICY - Includes Account Policies, Audit Policies, Event Log Settings and Security Options.
                            GROUP_MGMT - Includes Restricted Group settings
                            USER_RIGHTS - Includes User Rights Assignment
                            REGKEYS - Includes Registry Permissions
                            FILESTORE - Includes File System permissions
                            SERVICES - Includes System Service settings

                /log filename - Specifies a file in which to log the status of the configuration process.  If not specified, configuration processing information is logged in the scesrv.log file which is located in the %windir%\security\logs directory.

                /quiet - Specifies that the configuration process should take place without prompting the user for any confirmation.

    Example:

    secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log

    For all filenames, the current directory is used if no path is specified.


    Please advise!
    Monday, November 10, 2008 7:52 AM
  • I am having the same troubles has anyone found out a solution yet? I can import as much as I want but the default database never changes it's settings. I am new to server core and must be able to change the settings.

    Thanks
    Thursday, January 15, 2009 1:24 PM
  • Try this:
    secedit /import /db C:\Windows\security\database\secedit.sdb /cfg C:\<YOURTEMPLATE>.inf /overwrite /quiet
    Thursday, January 15, 2009 1:32 PM
  • Doesn't seem to work either, the strange thing is when I export the DB there isn't really anything in it:

    secedit /export /db %windir%\security\database\secedit.sdb /cfg C:\_Downloads\InitialSecurity.inf 

    My InitialSecurity.inf contains this:

    [Unicode]  
    Unicode=yes 
    [Version]  
    signature="$CHICAGO$" 
    Revision=1 
    [Profile Description]  
    Description=Default Security Settings. (Windows Server)   
     

    Now, on the other hand, if I run the secedit /export without a /db parameter my export looks like this:

    secedit /export /cfg C:\_Downloads\InitialSecurityNoDBParam.inf  

    InitialSecurityNoDBParam.inf:

    [Unicode]  
    Unicode=yes 
    [System Access]  
    MinimumPasswordAge = 0 
    MaximumPasswordAge = 42 
    MinimumPasswordLength = 0 
    PasswordComplexity = 1 
    PasswordHistorySize = 0 
    LockoutBadCount = 0 
    RequireLogonToChangePassword = 0 
    ForceLogoffWhenHourExpire = 0 
    NewAdministratorName = "Administrator" 
    NewGuestName = "Guest" 
    ClearTextPassword = 0 
    LSAAnonymousNameLookup = 0 
    EnableAdminAccount = 1 
    EnableGuestAccount = 0 
    [Event Audit]  
    AuditSystemEvents = 0 
    AuditLogonEvents = 0 
    AuditObjectAccess = 0 
    AuditPrivilegeUse = 0 
    AuditPolicyChange = 0 
    AuditAccountManage = 0 
    AuditProcessTracking = 0 
    AuditDSAccess = 0 
    AuditAccountLogon = 0 
    [Registry Values]  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"25"  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14  
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1  
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0  
    MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1  
    MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3  
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1  
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0  
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1  
    MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1  
    MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion  
    MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog  
    MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1  
    MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0  
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1  
    MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,browser  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0  
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1  
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0  
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1  
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0  
    MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1  
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1  
    [Privilege Rights]  
    SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551  
    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551  
    SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551  
    SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544  
    SeCreatePagefilePrivilege = *S-1-5-32-544  
    SeDebugPrivilege = *S-1-5-32-544  
    SeRemoteShutdownPrivilege = *S-1-5-32-544  
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20  
    SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544  
    SeIncreaseBasePriorityPrivilege = *S-1-5-32-544  
    SeLoadDriverPrivilege = *S-1-5-32-544  
    SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559  
    SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551  
    SeSecurityPrivilege = *S-1-5-32-544  
    SeSystemEnvironmentPrivilege = *S-1-5-32-544  
    SeProfileSingleProcessPrivilege = *S-1-5-32-544  
    SeSystemProfilePrivilege = *S-1-5-32-544  
    SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20  
    SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551  
    SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551  
    SeTakeOwnershipPrivilege = *S-1-5-32-544  
    SeUndockPrivilege = *S-1-5-32-544  
    SeManageVolumePrivilege = *S-1-5-32-544  
    SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555  
    SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6  
    SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6  
    SeIncreaseWorkingSetPrivilege = *S-1-5-32-545  
    SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544  
    SeCreateSymbolicLinkPrivilege = *S-1-5-32-544  
    [Version]  
    signature="$CHICAGO$" 
    Revision=1 
     


    Does anyone have any Ideas?
    Friday, January 16, 2009 5:56 AM
  • Hi,

    You need to use the /configure option of secedit, for example:
        secedit /configure /db secedit.sdb /cfg sctest.inf /overwrite

    Hope that helps,

    Andrew
    • Proposed as answer by maeh Monday, January 19, 2009 5:57 AM
    Friday, January 16, 2009 5:48 PM
  • Andrew Mason - MSFT said:

    Hi,

    You need to use the /configure option of secedit, for example:
        secedit /configure /db secedit.sdb /cfg sctest.inf /overwrite

    Hope that helps,

    Andrew



    This worked!!

    So I first exported the secdb without the /db param. Then I edited the [System Access] Portion with the information I had from a Full 2k8 Installation and then with the /configure like Andrew said I reconfigured it.

    When I then did an export of the secdb without the /db param my changes came up!

    Greatly appreciated!!
    Cedric
    Monday, January 19, 2009 5:58 AM
  • Hello,

    I am also trying to do the same thing, but it is not working; below are the steps I tried.

    On reference computer

    ------------------------------

    1.       Click Start -> Run, type “secpol.msc”, to open the Security Policy tool.

    2.       Configure the Password Policy as required.

    3.       Right click “Security Settings”, and click “Export Policy…” to export the settings to a .inf file.

    4.       Copy the .inf file to the server core computer.

    On the R2 Core machine I executed:
    secedit /configure /db secedit.sdb /cfg sctest.inf /overwrite

    It says it has completed successfully.
    But i am not able to do the required task.
    can you please help me.

    Tuesday, February 23, 2010 4:33 AM
  • Hi Shailesh

    Did you try exporting the configuration on the Core machine and then copying the content of your settings.inf file into the one you just exported from the Core? Saving that and then importing that one? So, adding on to your steps, you would do:

    5. On the Core system, type the following command to export the current security policy (you can change the path to any you want): secedit /export /cfg C:\Security.inf
    6. Open the newly exported Security.inf with Notepad
    7. Open the exported Security.inf that you exported from the full installation of Windows with Notepad
    8. Copy the contents from step 7 into the step 6 Security.inf file
    9. Save the changes to the Core .inf file
    10. Run the following command to import again: secedit /configure /db secedit.sdb /cfg Security.inf /overwrite

    try to see if that works
    Tuesday, February 23, 2010 5:24 AM
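The procedure that finally worked in this thread (Cedric's post and the reply to Shailesh above) is: export the Core machine's own policy without /db, change the [System Access] values, apply with secedit /configure /overwrite, and confirm by exporting again. The script below is an added example that does those steps in one go; it is not code from the thread or from Microsoft. It assumes an elevated prompt on the Server Core machine, a working folder C:\SecPol, a fresh database file rather than %windir%\security\database\secedit.sdb, and the target values in $desired (complexity off, as Mirko wanted, plus a 10-attempt lockout). PowerShell 2.0 syntax is used because that is what Server Core 2008 R2 ships; on the original 2008 Core, which has no PowerShell, the three secedit lines can be typed into cmd.exe and the merge done in Notepad as described above.

```powershell
# Added example, not from the thread. Run elevated on the Server Core box.
# C:\SecPol, the fresh .sdb and the values in $desired are assumptions.

$work    = 'C:\SecPol'
$current = "$work\current.inf"   # policy as it is now, exported from this box
$merged  = "$work\merged.inf"    # current + our changes; what secedit applies
$verify  = "$work\verify.inf"    # re-export after applying, for the check
$db      = "$work\secpol.sdb"    # fresh database; secedit creates it
$log     = "$work\secedit.log"

# Target [System Access] values. ResetLockoutCount must not exceed LockoutDuration.
$desired = @{
    'PasswordComplexity' = '0'
    'LockoutBadCount'    = '10'
    'LockoutDuration'    = '30'
    'ResetLockoutCount'  = '30'
}

New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Export the effective local policy. As the thread found, an export with
#    /db on Core gave a nearly empty template; without /db [System Access] is filled.
secedit /export /cfg $current /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Merge: rewrite the keys we care about inside [System Access], append any
#    the export lacked (e.g. LockoutDuration when lockout was 0), leave the rest.
$out = @(); $section = ''; $seen = @{}
foreach ($line in (Get-Content $current)) {
    if ($line -match '^\[(.+)\]') {
        $next = $matches[1]
        if ($section -eq 'System Access') {
            foreach ($k in $desired.Keys) { if (-not $seen[$k]) { $out += "$k = $($desired[$k])" } }
        }
        $section = $next; $out += $line; continue
    }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=') {
        $key = $matches[1]
        if ($desired.ContainsKey($key)) { $seen[$key] = $true; $out += "$key = $($desired[$key])"; continue }
    }
    $out += $line
}
if ($section -eq 'System Access') {   # [System Access] was the last section
    foreach ($k in $desired.Keys) { if (-not $seen[$k]) { $out += "$k = $($desired[$k])" } }
}
# secedit templates are UTF-16 ([Unicode] Unicode=yes); write it back that way.
$out | Set-Content -Path $merged -Encoding Unicode

# 3. Apply. /configure, not /import (which only loads the database), and
#    /overwrite so the template rather than .sdb leftovers is what takes effect.
secedit /configure /db $db /cfg $merged /overwrite /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# 4. Verify from a fresh export instead of trusting "completed successfully".
secedit /export /cfg $verify /areas SECURITYPOLICY /quiet
$applied = @{}
Get-Content $verify | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $applied[$matches[1]] = $matches[2] }
}
foreach ($k in $desired.Keys) {
    $state = if ($applied[$k] -eq $desired[$k]) { 'OK' } else { 'MISMATCH' }
    '{0,-20} wanted {1,-4} got {2,-4} {3}' -f $k, $desired[$k], $applied[$k], $state
}
# Cross-check against what the SAM actually enforces for local accounts.
net accounts
```

Two caveats worth keeping in mind. The [System Access] values set this way govern local accounts only; on a domain member, domain accounts follow the account policy of the Default Domain Policy, and a domain GPO that defines these settings will overwrite the local ones at the next policy refresh. And turning PasswordComplexity off is a real weakening of the box, which is why the example pairs it with a lockout threshold and prints the resulting `net accounts` view for the record.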
  • Thanks a lot, it's working fine now. I did the following things: 1. Do the required settings on a Windows 2008 R2 machine. 2. Export the settings. 3. Import the settings on the Core machine. 4. Restart the Core machine. It works!!!
    Tuesday, February 23, 2010 9:37 AM