Security Center Service on Domain Computer

  • Question

  • I am piloting DHCP NAP in production now. I can see in the Group Policy Management Console that Security Center is disabled on domain computers. I tried to turn it on from the local group policy with no luck. I really don't want to have the existing GP changed to enable Security Center yet. Two odd things here:

    1. Even though the security center is disabled by the domain GP, it tells me "not configured" when I look at the local group policy.
    2. When I turn it on on the local machine, I still get an error in the logs saying that security center cannot be started because of a software group policy restriction.

    Any thoughts?
     
    Mayur
    Thursday, July 2, 2009 2:44 PM

Answers

  • Hi,

    You might be looking at a different setting in Group Policy. There is a setting that controls whether or not the Security Center user interface is enabled. This is different from starting or stopping the service. I'm afraid the setting isn't very clear about this.

    If you want to test DHCP NAP without modifying domain GP, you can use non domain-joined computers, or use a different SHA/SHV than the WSHA/WSHV which requires the Security Center service.

    If possible, create a temporary OU for your test. Place your NAP clients in this OU and create a GPO that applies only to this OU. Turn the Security Center service on here; it will supersede/override the domain policy. I haven't tried this, but it should work according to Policy Inheritance, which states: "If a policy setting that is configured for a parent organizational unit is incompatible with the same policy setting that is configured for a child organizational unit (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied."

    -Greg

    Friday, July 3, 2009 5:03 AM
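    An added diagnostic script (not part of Greg's reply) that separates the two things the answer above distinguishes: the Security Center service's own start mode and status, the "Turn on Security Center (Domain PCs only)" policy value, and which GPO actually applied to the computer. It assumes the service name is `wscsvc` and that the policy writes `SecurityCenterInDomain` under the registry path shown; both are stated as assumptions in the comments.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell on the NAP client.
# Assumption: Security Center service name is 'wscsvc'.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
if ($null -eq $svc) {
    Write-Host "Security Center service (wscsvc) not found on this host."
} else {
    Write-Host "Security Center service: State=$($svc.State) StartMode=$($svc.StartMode)"
}

# Assumption: the 'Turn on Security Center (Domain PCs only)' template stores its
# value as SecurityCenterInDomain (DWORD) under this policy key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
$pol = Get-ItemProperty -Path $polKey -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
if ($null -eq $pol) {
    # No value means no GPO (domain or local) has written it: genuinely 'Not configured'.
    Write-Host "Policy 'Turn on Security Center (Domain PCs only)': not configured"
} else {
    $state = if ($pol.SecurityCenterInDomain -eq 1) { 'Enabled' } else { 'Disabled' }
    Write-Host "Policy 'Turn on Security Center (Domain PCs only)': $state"
}

# Resultant Set of Policy for the computer: lists the GPOs that applied and, in verbose
# mode, the policy registry values they set. The local Group Policy editor only shows
# what is configured locally, which is why a domain-applied setting can read as
# 'Not configured' there even though it is in effect.
gpresult /scope computer /v |
    Select-String -Pattern 'Applied Group Policy Objects', 'SecurityCenter', 'wscsvc' -Context 0,3
```

    If the policy value reads Disabled while the local editor shows Not configured, the value came from a domain or OU GPO listed under "Applied Group Policy Objects", and that GPO is where it has to change.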

All replies

  • Thanks, this worked. Why does local policy not overwrite the domain policy in this case?
    Mayur
    Tuesday, July 7, 2009 9:10 PM
  • Hi,

    I'm not sure about all cases, but I think it's designed so that local users can't override domain policy.

    -Greg

    Tuesday, July 7, 2009 9:16 PM