Export (0) Print
Expand All

Account Policy templates are applied incorrectly

Updated: March 2, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An administrator applies a security template that sets the account policies to something the administrator does not want to use, such as settings that cause users to change their password when the administrators do not want them to. Setting the Account Policies to Not Defined does not resolve the problem.

Cause

Incorrectly applied Account Policy settings. In this case, the administrator applied a security template that had unintended effects.

Solution

To resolve misapplied templates issues, do the following:

  1. Re-apply the default settings for Account Policies. The default settings in the Default Domain Policy GPO for a clean installation of Windows Server 2003 are located in %windir%\inf\dcfirst.inf. The Dcfirst.inf security template is the template that is used to populate the security settings in the Default Domain Policy GPO when the first domain controller is installed in the domain. Importing this template into the Default Domain Policy (and checking the Clear this database before importing option) restores the security settings back to a clean install state.

    The same information applies to the Defdcgpo.inf security template which contains the default security settings in the Default Domain Controller Policy GPO (for a clean installation of Windows Server 2003). Defdcgpo.inf is located in %windir%\inf\.

    noteNote
    For domain accounts, the account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs. A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the OU that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers. Modifying the Default Domain Policy is not recommended. If you need to set some account policy that differs from that in the Default Domain Policy GPO, you can create a new GPO and link to the root of domain, set the policy you want to use, and assign it higher precedence than Default Domain Policy GPO.

  2. Wait for replication changes to propagate to the domain controller.

  3. Verify that the policy applied to the clients.

To reapply default security settings using the Windows interface
  1. Click Start, click Run, type mmc, and then click OK.

  2. Do one of the following:

    • To create a new console, on the File menu, click New.

    • To open an existing console, on the File menu, click Open, click the console that you want to open, and then click Open.

  3. On the File menu, click Add/Remove Snap-in, and then, in Add/Remove Snap-in, click Add.

  4. Click Security Configuration and Analysis, click Add, click Close, and then click OK.

  5. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

  6. In File name, type the file name, and then click Open.

  7. Do one of the following:

    • For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, click Look in in the Import Template dialog box, and then select dcfirst.inf in the %windir%\inf folder.

    • For other computers, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click Setup security.

  8. Select the Clear this database before importing check box, and then click Open.

  9. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.

  10. Do one of the following:

    • To use the default log specified in Error log file path, click OK.

    • To specify a different log, in Error log file path, type a valid path and file name, and then click OK.

  11. When the configuration is done, right-click Security Configuration and Analysis, and then click View Log File.

ImportantImportant
Applying the entire setup security template is a drastic measure that should be avoided; it is best to limit the settings being reset to the smallest possible number. Instead, use the secedit command-line tool with the /areas switch to apply default settings for specific areas.

noteNote
Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings.

If you reapply default security settings to your local computer: To perform this procedure, you must be an Administrator or a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

If you reapply default security settings to a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have a local Administrator account or an account in the local Administrators group.

To open Security Configuration and Analysis
  1. Click Start, click Run, type mmc, and then click OK.

  2. Do one of the following:

    • To create a new console, on the File menu, click New.

    • To open an existing console, on the File menu, click Open, click the console that you want to open, and then click Open.

  3. On the File menu, click Add/Remove Snap-in, and then, in Add/Remove Snap-in, click Add.

  4. Click Security Configuration and Analysis, click Add, click Close, and then click OK.

The default path for the log file is: systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\.

When you reapply default security settings, all settings that are defined in Setup security.inf are set as the template specifies, but other settings that are not defined in the template may persist.

To reapply default security settings using a command line
  1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  2. For a server or workstation, type:

    secedit /configure /DB FileName /CFG "%windir%\Security\Templates\Setup security.inf" [/overwrite][/areas Area1 Area2 ...] [/log LogPath ] [/quiet]

  3. For a domain controller, type:

    secedit /configure /DB FileName/CFG "%windir%\inf\dcfirst.inf" [/overwrite][/areas Area1Area2...] [/log LogPath] [/quiet]

The following table describes the Secedit arguments used in the procedure.

 

Argument Description

/DB FileName

Required. Provides the path to a database that contains the security template that should be applied. To create a new database, type the database file name and path.

/CFG "%windir%\Security\Templates\Setup security.inf"

Specifies the Setup Security.inf template that contains the default security settings.

/overwrite

Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2 ...

Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

  • SECURITYPOLICY   Includes account policies, audit policies, event log settings, and security options.

  • GROUP_MGMT   Includes Restricted Group settings.

  • USER_RIGHTS   Includes user rights assignment.

  • REGKEYS   Includes registry permissions.

  • FILESTORE   Includes file system permissions.

  • SERVICES   Includes System Service settings.

/log LogPath

Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the Scesrv.log file, which is located in the %windir%\Security\Logs folder.

/quiet

Specifies that the configuration process should take place without prompting the user.

To view the complete syntax for the secedit command
  • At a command prompt, type: secedit /?

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2015 Microsoft