Access Denied: Understanding Windows Server 2003's Local Security Settings

In Windows 2000, the Microsoft Management Console (MMC) Local Security Settings snap-in shows the system's local security policy and effective settings, as Web Figure 3 (, InstantDoc ID 41279) shows. In Windows Server 2003 and Windows XP, the snap-in shows only the Security Setting column. Does this column represent the computer's local policy, or does it represent effective settings?

The Local Security Settings snap-in always shows the effective setting for each policy. The snap-in also lets you edit policy settings that aren't defined in an Active Directory (AD) Group Policy Object (GPO).

Each computer has a local GPO, which you can edit to configure that computer. In fact, you must use the local GPO to configure a computer that isn't a member of an AD domain. However, when a computer joins a domain, it automatically starts applying relevant GPOs that are stored in AD. Windows applies the local GPO first, then GPOs from AD, so AD GPOs override conflicting local GPOs. Therefore, you have two sets of settings: the settings defined in the computer's local GPO and the effective settings that the computer is actually using.

In Win2K, you could edit the Local Setting column, but you couldn't change the Effective Setting column because it was a composite of all (i.e., local and AD) GPOs that applied to the computer. In Windows 2003 and XP, Microsoft combined the two columns into the Security Setting column. This column always displays the computer's effective setting no matter where the setting comes from. The policy's icon tells you where the setting originated. As Figure 1 shows, the Audit process tracking policy has a different icon from the other audit policies. The process tracking policy's setting comes from the computer's local policy, whereas the other audit policies have settings defined in AD GPOs. If you double-click Audit process tracking, you'll notice that you can edit the policy. But if you double-click the Audit privilege use policy, you see that that policy is read-only.

In Windows 2003 and XP, you can be sure that the Local Security Settings snap-in is showing the current effective settings. When a policy is defined by a GPO in AD, you can't see or change the computer's local policy setting. But that isn't a drawback: Because AD-defined policies always override local policies, changing the local policy wouldn't change the effective setting.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.