When troubleshooting or testing, you sometimes need to work on a production computer in a lab environment. In these cases you capture an image of the computer in question and restore it on lab hardware. Often the local security policy has been set by a GPO and cannot be modified with the Local Security Settings MMC. When the computer is removed from the network (and domain), the local security policy remains unchanged. The procedure below will enable you to modify the local security policy on a computer where this has occurred.
In Windows XP, SECPOL.MSC does not support exporting the security configuration to a template. The SECEDIT.EXE command-line utility does not support exporting the configuration either. An updated version of SECEDIT.EXE, available from Microsoft as described in the KB article below, does enable you to export the security configuration to an inf file.
You cannot use the Secedit.exe command-line tool to export the local security policy settings on a stand-alone workstation that is running Microsoft Windows XP: http://support.microsoft.com/default.aspx/kb/897327/
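After exporting the configuration to an inf file and editing it, it is worth confirming exactly which settings changed before the template is loaded back. The following is an added example, not part of the original article: a Python script that parses two templates and lists every setting that differs. It assumes the `[Section]` / `key = value` layout and Unicode encoding of secedit templates; the function names and all sample values are constructed for illustration.

```python
def parse_template(text):
    """Return {section: {key: value}} for a secedit-style INF template."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # split on the first '=' only
            current[key.strip()] = value.strip()
    return sections

def diff_templates(before, after):
    """List (section, key, old, new) for every setting that differs."""
    changes = []
    for section in sorted(set(before) | set(after)):
        old, new = before.get(section, {}), after.get(section, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((section, key, old.get(key), new.get(key)))
    return changes

def load_template(path):
    # Assumption: the exported file is UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as handle:
        return parse_template(handle.read())

# Constructed sample: the template as exported from the restored image.
EXPORTED = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed sample: the same template after editing it for lab use.
EDITED = EXPORTED.replace("LockoutBadCount = 3", "LockoutBadCount = 0").replace(
    "= *S-1-5-32-544", "= *S-1-5-32-544,*S-1-5-32-545")

if __name__ == "__main__":
    for change in diff_templates(parse_template(EXPORTED), parse_template(EDITED)):
        print("[%s] %s: %s -> %s" % change)
```

For real files, pass the two paths through `load_template` and hand the results to `diff_templates`.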
Hi, your article was very useful, but when I follow the instructions I can only get "Account Policies" and "Local Policies". Do you know how to perform a similar action such that I can also capture the "Event Log", "Restricted Groups", "System Services", "Registry" and "File System"? Thanks a lot, Pepe.
The Local Security Policy only contains the settings for Account Policies, Local Policies and a few others. The other settings are configured via Group Policy. To modify the local computer's Group Policy, do the following:
1. Start > Run > type MMC and press <ENTER>
2. Add the Group Policy snap-in (local computer)
You will see all the settings you are looking for. Keep in mind that if your computer is a member of a domain, GPOs from the domain will overwrite any settings you modify at the next refresh. GPOs are applied in the following order:
Local > Site > Domain > OU > OU
Any settings in your local GPO can be overwritten by the Domain, Site, and Organizational Unit GPOs in that order.