Export Local Policy

tyanni

Senior member
Sep 11, 2001
608
0
76
I am trying to figure out how to compare the security settings of two pc's. From what I've read, its as simple as exporting the local policies for one pc from Local Security Policy, and then importing them into Security Configuration and Analysis on the other machine. Then I just do a analysis. However, I can't for the life of me determine how to export the local security policies - I see a "export list" option if I right click on Security Settings in Local Security Policy, but this only produces a list of the headings, and isn't seen as a importable template by Security Config and Analysis because it has a txt extension, not inf.

Any suggestions?

Thanks,
Tim
 

gaidin123

Senior member
May 5, 2000
962
1
0
The only way I see to export a security template on a standalone local machine is to add the security configuration and analysis mmc snap in and configure the database to reflect the local machine policy (effectively duplicating your efforts unfortunately). Once you get the settings configured in the database you can export the .inf template and move it to other machines.

The local policy editor doesn't have any import/export functionality. If you are in a domain the GPMC might be able to help you since it can easily import/export group policies but it definitely does not work on standalone machines.

If you find a way to not have to enter the info into the database and get a .inf template out of the local policy please post.

Gaidin
 

tyanni

Senior member
Sep 11, 2001
608
0
76
Well, not that this wouldn't be the first time that MS is retarded, but according to their MCDST guide, one can do this by exporting the local policy settings from the Local Security Policy. Glad to know I wasn't missing something. Thanks!
 

gaidin123

Senior member
May 5, 2000
962
1
0
Now you've got me curious as I had been trying to figure out this exact thing before giving up and editing a preconfigured template. :)

This Link
should take you to a google groups posting about how the secedit /export command seems to be broken in XP. As far as I can tell you should be able to use secedit /export /cfg c:\test.inf to get an inf file of your local only policy in Win2k. This utility is on XP Pro but the export function seems to give an empty file. I have a feeling I may just not have the syntax quite right yet but other people have definitely had this issue..

Gaidin

EDIT: This Link
seems to confirm from Microsoft that you MUST export the local security policy from a Win2k machine and that it will NOT work on XP. Once you create the policy by hand in a database or export from Win2k you should be good to go. How random is that?

EDIT2: A little more information from MS on their newsgroups to back up the "by design" broken secedit in XP.

Final EDIT: Here's the nail in the coffin :)
 

frisbiej

Junior Member
Nov 23, 2004
1
0
0
This may help not sure.
You can use this, for example to grant user(s) rights to the Local Security Policy "Log On As A Service"
(Or a number or other local rights)

http://support.microsoft.com/?kbid=315276
Basically, you get the ntrights.exe file from the resource kit, and run the following command:

ntrights.exe ?u DOMAIN\Username +r SeServiceLogonRight