Local Security Settings

[jrk7352]

Is there a way to include local security setting on an unattended CD? I would like to set the policy for maximum password age, enforce password history, minimum password length, account lockout duration, account lockout threshold, reset account lockout counter, and the audit policies.

Thanks in advance,

Jennifer

[tguy]

Yes this is possible to do. I am currently doing it on unattended CD's for Win2K, Win2K3, and WinXP.

Here is what you need to do.

1) Open the MMC.

2) Add the Security Templates and Security Configuration and Analysis add-in's.

3) Create a new database .SDB file.

4) Open a template file, .INF etc.

5) Configure the template settings the way you want and save the .INF file under a new name.

6) Copy the modified .INF file to the $OEM$\$$\Security\Templates directory.

7) Create a batch file, like the one attached below, to execute secedit.exe to configure the security settings.

secedit.bat

[jrk7352]

Thanks for the information. This is what I am looking for. I got my template created and was able to apply the security settings via the command prompt. However, I am having problems with the batch file. The batch file runs with no errors, but the settings are not changed. I am using the exact batch file you suggested. Also, you mentioned I need to create a new .sdb database file but you didn't say if I need to put that on my unattended CD. If so, I am guessing I put it in $OEM$\$$\Security\Database. Is that correct? If the database file is not needed on the CD, what .sdb file do I reference in the batch file?

Thanks again!

[tguy]

The database file is not needed on the CD. Simply give the .SDB file a name in the batch file command line and it will auto create it for you. Mine is called secedit.sdb.

[jrk7352]

I finally got it figured out. The batch file worked once I put secedit.EXE instead of just secedit.

[BFCF]

Yes this is possible to do.  I am currently doing it on unattended CD's for Win2K, Win2K3, and WinXP.

Here is what you need to do.

1) Open the MMC.

2) Add the Security Templates and Security Configuration and Analysis add-in's.

3) Create a new database .SDB file.

4) Open a template file, .INF etc.

5) Configure the template settings the way you want and save the .INF file under a new name.

6) Copy the modified .INF file to the $OEM$\$$\Security\Templates directory.

7) Create a batch file, like the one attached below, to execute secedit.exe to configure the security settings.

<{POST_SNAPBACK}>

I can't download the bat file. Can you share it again? Thanks.

[Idontwantspam]

Well, I'm trying this method and so far it hasn't been working for me.

Here is what I've done: I have a custom .inf file, which is in $OEM$\$$\security\templates. It's called securepol.inf. Here's my batch file:

cd "%windir%\security\database"
echo Applying Security Settings...
echo y|secedit.exe /configure /db securepol.sdb /cfg %SYSTEMROOT%\security\templates\securepol.inf /overwrite /log %SYSTEMROOT%\security\logs\securepol.log /QUIET
echo.
echo Done

I inserted the CD so it would put the .sdb in the correct location. Anyhow, when this is run off the CD, no changes are made. This is what the error log looks like when I remove the /QUIET switch (otherwise it just says "error" any nothing more)

-------------------------------------------
Monday, December 10, 2007 10:48:39 PM
Warning 5: Access is denied.
 	Error creating database.
----Configuration engine was initialized with one or more errors.----


----Un-initialize configuration engine...

Well. The odd thing is, when I copy the batch file from the CD and paste it onto the hard-drive, there's no problem; all changes are applied. So what could I doing wrong? Is there some way to fix this?

P.S., this is on a Windows XP Professional SP2 OEM unattended install disk.

Thanks in advance.