Jun 10, 2005

How Windows applies Security Settings?

1. How Windows applies Security Settings?

Answer: I didn't find any documents on how and when the system loads security settings during boot or logon process. But as Security Template is imported into a Group Policy Object, the settings you defined in template become part of Group Policy. The final effective security settings for a GPO are written into GptTmpl.inf that under

%systemroot%\sysvol\sysvol\domain name\policies\GPO guid\machine\microsoft\windows\windows nt\secedit

System will compile all effective GPOs' GptTmpl.inf files into secedit.sdb under
%systemroot%\security\database

Please also keep in mind the following points:
- Security settings will be applied everytime its containing GPO is applied
- you can write a template but not to use it; similarily, you can create a GPO but not to link it anywhere
- Security Template itself is just a plain text file and has no effect on the computer. Therefore changing a template does not change any behavior unless you import this template into an EFFECTIVE GPO
- Once you import a Security Template into a GPO, system makes changes in GptTmpl.inf accordingly; If this is an effective GPO, the system will make changes into secedit.sdb then
- When the GPO is applied, the security settings are applied as they are just part of GPO now
- The "Computer Configuration" will be applied each time the computer boots; and the security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller thereafter. The settings are also refreshed every 16 hours, whether or not there are any changes.
- An effective GPO is one that is linked to somewhere, it could be domain, site, OU, or local. And GPOs are applied in the order of local, site, domain, and OU whenever a computer boots into domain. Only Local Group Policy will be applied if it's a standalone server.

2. If templates are compared against security databases after every reboot what files are involved and how does the server know where to look for this information? this may relate to question 4. If this is not the case, how can I ensure that the server will use only a policy I have explicitly set.

Answer: It looks for secedit.sdb under the path mentioned in item 1 when the computer reboots.
If you make manual security settings changes, or import a security template into an effective GPO, the changes will be writen into secedit.sdb during the policy refresh cycle

3. Also in the folder c:/winnt/security/databases there are multiple sdb files. Is the server only looking for secedit.sdb file or will it read all *.sdb files in the database directory?

Answer: Only secedit.sdb. See also Answer 1 and 2.