Default security template 2003

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by b2051758, Feb 7, 2012.

    b2051758

    Hi guys,

    A little confused with security templates in Server 2003. What I want to know is how to find out which security template the server is using at the moment. Is there a way to find out? What I'm wanting to do is find the current one in use, copy it and modify it slightly, then reapply it using the Security Configuration and Analysis tool. Is this possible? Am I right in saying that if I use this tool it applies the security settings to the local machine itself (in this case the server), or does the security template in use apply to the domain computers as well?

    I've also read somewhere that you can create new GPOs for a site, domain or OU and set security templates that way, but would this affect settings I've made in the default domain policy on the server? Which takes precedence?

    PS. Just tested: account policy settings are also transferred to the default domain policy from the template, however local policies are not. Even more confused, think it's time to start reading again :-/
    Sorry for all the questions, thanks for any info.
    Last edited: Feb 7, 2012
    derkit

    Is there any way to find out - it would be nice as I have a problem at work that it would be great, but I've yet to find an answer to this so it will be good if someone else can chip in!

    If you run SCA on the local machine it will only affect that; if you add the security template to a GPO it'll depend on where that GPO is accessed - local, site, domain, OU - and the lower it is that'll take precedence. If there are any clashes, as you've two different settings in say local and site, the setting at site will be used (unless it is overwritten further down the chain) - if there are no clashes, whatever level the setting is at, it'll start from there and filter down. To overwrite the settings in the default domain policy, you'll have to place a new GPO with "clashing" settings to take effect over a particular OU.

    Some settings can only be set at domain level; these are account lockout times, password complexity settings etc., as these will affect all on the domain.

    You say "transferred to the default domain policy from the template" - where are you applying the changes? Have you imported a security template into it?
    
    WIP: 70-293
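
The precedence order described in the post above (local, site, domain, OU, with the later level winning a clash and account policy honoured only at the domain), as an added example that is not part of the original thread. GPO names and values are constructed sample data; the model assumes no Enforced links or Block Inheritance and covers account policy for domain accounts only.

```python
# Added illustration: simplified model of Group Policy precedence.
# GPO names and values are constructed sample data, not from the thread.

LEVELS = ["local", "site", "domain", "ou"]  # processing order; later wins

# Account Policies keys as they appear in a security template (.inf)
ACCOUNT_POLICY = {"MinimumPasswordLength", "PasswordComplexity",
                  "LockoutBadCount", "LockoutDuration"}

def resolve(gpos):
    """Return {setting: (value, winning_gpo_name)} for one computer.

    Account Policies for domain accounts are taken only from GPOs linked
    at the domain; the same keys set at other levels are skipped here.
    """
    effective = {}
    # sorted() is stable, so GPOs at the same level keep their list order
    for gpo in sorted(gpos, key=lambda g: LEVELS.index(g["level"])):
        for key, value in gpo["settings"].items():
            if key in ACCOUNT_POLICY and gpo["level"] != "domain":
                continue
            effective[key] = (value, gpo["name"])
    return effective

SAMPLE_GPOS = [  # constructed sample, deliberately listed out of order
    {"name": "Kiosk OU Policy", "level": "ou",
     "settings": {"MinimumPasswordLength": 12,
                  "SeSystemtimePrivilege": ["Administrators"]}},
    {"name": "Default Domain Policy", "level": "domain",
     "settings": {"MinimumPasswordLength": 7, "LockoutBadCount": 5}},
    {"name": "Local policy", "level": "local",
     "settings": {"LockoutBadCount": 0,
                  "SeSystemtimePrivilege": ["Administrators", "Power Users"]}},
    {"name": "Branch Site Policy", "level": "site",
     "settings": {"SeRemoteShutdownPrivilege": ["Administrators"]}},
]

def report(gpos):
    """One line per effective setting, naming the GPO that supplied it."""
    return [f"{key} = {value} (from {source})"
            for key, (value, source) in sorted(resolve(gpos).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GPOS)))
```
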
    b2051758


    Thanks for the help. It would be nice to find out which template the server currently uses, hopefully someone else can help. I'm guessing in the command line or some logs somewhere.

    I used SCA, imported a template I modified into a new database and applied it to the server. Which in turn changed the default domain policy account settings such as lockout times, password complexity settings etc., which makes sense because of what you said, that they only apply at the domain level anyway and the server I'm doing it on is the domain controller. It just confused me that it did this, and did not shift over local policy settings from the template, like change system time, also.
    I guess I just expected SCA and clicking Configure Computer Now not to affect the default domain policy in any way, but it did. Lesson learned: configure the server first, then set a new GPO with the settings I want to overwrite the default domain policy on an OU.


