locked
Questionable settings? RRS feed

  • Question

  • What does this mean for e.g. Guest account status?

    VBScript

    WScript.Echo "This is questionable setting that can't get data via a easy way"

    If I create a Backup GPO from SCM, import it to AD and link it to XP desktops, will the gest account status be set then?

    If not, are there many similar none working settings?

    Thanks

    Bo Stråhle

     

    Tuesday, February 15, 2011 2:20 PM

Answers

  • Bo;

    I apologize if I didn't make myself clear. I never said configuring the setting wouldn't work. The settings work fine when you export a GPO from SCM and apply it via AD DS or locally using the LPT included with SCM. We were only talking about compliance scanning. The scripts are part of what gets exported into the DCM config pack, the issue does not impact GPO functionality.


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by BosseS Friday, February 18, 2011 4:54 PM
    Friday, February 18, 2011 4:44 PM

All replies

  • Its difficult to determine because its not stored in the registry, its not a simple thing you can quickly examine to see whether or not its configure as desired. When you disable or rename the built in accounts you are editing the account stored in the local account database. What if you renamed the built-in account but also created another account called guest, how can I, programmatically, determine whether the guest account is a new one and that the built-in one is disabled as desired? What if you've deleted the original account? These things can be overcome programmatically, but I think the developer who wrote the VBscripts included in SCM didn't fully understand the problem and possible solutions. Things are easier if you use the well-known security identifiers (SIDs) for the built-in accounts. Jeff will have to chime in to let us know when these and other VBscripts will be updated in SCM, its outside of the scope of my current projects at Microsoft.


    Kurt Dillard http://www.kurtdillard.com
    Wednesday, February 16, 2011 10:18 PM
  • Hi Kurt, thank you for answering.

    The question is "Will the account with the built-in Guest SID be enabled if I apply a baseline from SCM where this has been stipulated?” (Yes or No)

    If No, are there other settings in the current MS baselines that don't work? (Please tell me which in such case.)

    Regards

    Bosse

     

    Thursday, February 17, 2011 10:06 AM
  • Bo;

    I apologize if I didn't make myself clear. I never said configuring the setting wouldn't work. The settings work fine when you export a GPO from SCM and apply it via AD DS or locally using the LPT included with SCM. We were only talking about compliance scanning. The scripts are part of what gets exported into the DCM config pack, the issue does not impact GPO functionality.


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by BosseS Friday, February 18, 2011 4:54 PM
    Friday, February 18, 2011 4:44 PM
  • Thank you /Bosse
    Friday, February 18, 2011 4:54 PM