Posted by Roger Abell [MVP] on November 10, 2006, 6:34 pm
> On Fri, 10 Nov 2006 10:03:12 -0700, "Roger Abell [MVP]"
>
>>When you merge settings by importing multiple templates into
>>an sdb in merge mode, they are merged, but not as you expect.
>>Each policy setting is handled all-or-none, that is, the last
>>loaded template that specifies a particular setting specifies
>>the complete, total and exclusive, value for that setting.
>>In your scenario, the last-loaded IIS template needs to state
>>both ASPNET and Guests for the Deny local logon settings.
>>
>>>I have a server that I secured using an INF template we created. Now
>>> they installed IIS and changes were made to the settings. We have a
>>> template that documents the changes in the security settings (iusr,
>>> iwam, iis_wpg and aspnet were added to several user rights) and want
>>> to import that into the original SDB.
>>>
>>> Problem is when we import and configure using the second template,
>>> some of the settings are completely overwritten by it rather than
>>> augmented by it. For example, deny local logon is set to GUESTS by
>>> the original template. When we add IIS, ASPNET is added to this
>>> right. However after we configure the computer with the new template
>>> only ASPNET is listed.
>>>
>>> We are using secedit in a script to do this. First we configure with
>>> our security template to create the SDB file, then we configure with
>>> the IIS template.
>>>
>>> Obviously I'm doing something wrong here. I would expect the end
>>> result to be a combination of the two templates but any place the
>>> second template makes changes I'm only seeing those changes.
>>>
>>> Help?!
>>>
>>> Mike
>>
>
> That's what I thought... figures, now I have to re-write the VBS that
> generates the IIS.INF file to include any settings already set by the
> original template.
>
> Thanks for the info. I appreciate the help.
>
Actually, only any settings in the original that are also to be in the IIS.inf.
Roger
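
The all-or-none behaviour discussed in this thread, as an added PowerShell example (not code from the thread or from either poster): for each user right that appears in both templates, the later-loaded template is rewritten to carry the complete list. The template contents and the `IUSR_WEB01`/`IWAM_WEB01` account names are constructed, and the function names are hypothetical.

```powershell
# Constructed sample templates; only the [Privilege Rights] section is shown.
$baseInf = @'
[Privilege Rights]
SeDenyInteractiveLogonRight = Guests
SeDenyNetworkLogonRight = Guests
'@
$iisInf = @'
[Privilege Rights]
SeDenyInteractiveLogonRight = ASPNET
SeBatchLogonRight = IUSR_WEB01,IWAM_WEB01,IIS_WPG,ASPNET
'@

function Get-PrivilegeRights([string]$InfText) {
    # Returns an ordered map: user right name -> array of principals.
    $rights = [ordered]@{}
    $inSection = $false
    foreach ($line in $InfText -split '\r?\n') {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Merge-OverlappingRights([string]$BaseText, [string]$LaterText) {
    $base  = Get-PrivilegeRights $BaseText
    $later = Get-PrivilegeRights $LaterText
    $lines = foreach ($right in $later.Keys) {
        $members = @($later[$right])
        if ($base.Contains($right)) {
            # Right is set in both templates: the later one must state the full list.
            # Sort-Object -Unique de-duplicates case-insensitively (names only, no SID matching).
            $members = @($base[$right]) + $members | Sort-Object -Unique
        }
        '{0} = {1}' -f $right, ($members -join ',')
    }
    return @('[Privilege Rights]') + $lines
}

# Emit the rewritten section for the later-loaded template.
Merge-OverlappingRights $baseInf $iisInf
```

Rights that exist only in the original template are left out of the result on purpose, since the later template does not touch them and they survive the merge unchanged.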