JSI Tip 7339. How do I apply registry access control lists (ACLs) and file system ACLs to computers that are upgraded from Microsoft Windows NT 4.0 to Windows Server 2003?

How to Apply Default System Security Settings to a Computer That Is Upgraded from Windows NT 4.0 to Windows Server 2003

1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, click Run, type mmc in the Open box, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Add , click Security Configuration and Analysis, click Add, click Close, and then click OK.
5. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
6. Specify a name (for example, upgdbase) and a location for the database, and then click Open.
7. In the Import Template dialog box that appears, click Setup Security.inf, and then click Open.
8. Right-click Security Configuration and Analysis, and then click Analyze Computer Now.
9. In the Perform Analysis dialog box that appears, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK.
   
   The template security settings are compared to the existing computer settings.
   
   NOTE: No changes are made to the computer at this time. The results of this procedure show where there are discrepancies between the security settings in the template and the actual system settings.
10. When the analysis is complete, expand each component in the console tree -- for example, Account Policies, Local Policies, Event Log, Restricted Groups, and System Services.
11. For each component that you expand in step 10, view its security attribute entries in the right pane in the Policy column, and then note the following:
    • An entry with a green check mark indicates that the current computer settings are the same as security settings in the database.
    • An entry with a red "x" indicates that the current computer settings are different from the security settings in the database.
    • If a green check mark or a red "x" is not displayed, a setting for this security attribute is not defined in the template and was not analyzed.
      
      If you want to add or modify a database setting, right-click the security attribute that you want to add or modify, and then click Properties. Click to select the Define this policy in the database check box (if it is not already selected), make the changes that you want to the policy setting, and then click OK.
      
      NOTE : The Database Setting column displays the security settings that are contained in the template, and the Computer Setting column displays the computer's current settings.
12. To configure the computer to use the security settings in the database, right-click Security Configuration and Analysis, and then click Configure Computer Now.
13. In the Configure System dialog box that appears, either accept the default path and log file name or type the path and file name that you want, and then click OK.
    
    The security database configuration is applied to the computer.
    
    NOTE: If there are conflicts between the database entries and the existing security configuration on the computer, the existing entries are overwritten unless you reconcile the differences in the security database before you configure the computer.