Resolving security discrepancies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can resolve discrepancies between the analysis database and the system settings by:

  • Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click Configure Computer Now. For more information, see Edit the analysis database.

  • Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. For more information, see Configure local computer security.

  • Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. For more information, see Import a security template.

Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.

You should use Configure Computer Now only to modify security areas not affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, they will take precedence over local settings, such as account policies. In general, do not use Configure Computer Now when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy object.
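
The same workflow can be scripted with the secedit command-line tool. The following batch file is an added example, not part of the original page: it imports a role template as the base configuration, analyzes the system, applies only the areas not governed by Group Policy, and exports the stored configuration to a separate file. All paths and file names are hypothetical placeholders.

```batch
@echo off
rem Added example: secedit equivalent of the snap-in steps described above.
rem DB, TEMPLATE and OUTDIR are hypothetical placeholders; adjust before use.
setlocal
set DB=C:\SecAnalysis\server.sdb
set TEMPLATE=C:\SecAnalysis\role-template.inf
set OUTDIR=C:\SecAnalysis

rem 1. Import the template for this computer's role as the new base
rem    configuration. /overwrite replaces the template already stored in the
rem    database instead of merging with it.
secedit /import /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%OUTDIR%\import.log" /quiet

rem 2. Analyze the current system settings against the database.
rem    Discrepancies are written to the log and stored in the database,
rem    where they can be reviewed in Security Configuration and Analysis.
secedit /analyze /db "%DB%" /log "%OUTDIR%\analyze.log" /quiet

rem 3. Configure the system from the database, limited to the areas that
rem    Group Policy does not normally override on this computer:
rem      REGKEYS   - security on registry keys
rem      FILESTORE - security on local files and folders
rem      SERVICES  - system service settings
rem    SECURITYPOLICY (account policies and similar) is deliberately omitted.
secedit /configure /db "%DB%" /areas REGKEYS FILESTORE SERVICES /log "%OUTDIR%\configure.log" /quiet

rem 4. Export the configuration stored in the database to a new file.
rem    Writing to a different file name leaves the original template
rem    file unmodified.
secedit /export /db "%DB%" /cfg "%OUTDIR%\stored-config.inf" /log "%OUTDIR%\export.log" /quiet

endlocal
```

Review each log file after the run; step 3 changes the system and should be run only after the analysis results from step 2 have been checked.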