Local Security Policies, System Group Policy Objects, and Active Directory values not updating Secedit.exe Sec.cfg

1.1k views Asked by At

I am attempting to monitor the status of SeRemoteShutdownPrivilege and SeEnableDelegationPrivilege to determine if they have been updated/changed. When doing so, this configuration file doesn't seem to update. Are there any other locations where a variable would affect "Force shutdown form a remote system" and "Enable computer and user accounts to be trusted for delegation". I have already looked through Microsoft Registry key documentation. Here's the link I referred to: https://www.microsoft.com/en-us/download/details.aspx?id=25250 I have looked into using Get-GPRegistryValue, Get-GPOReport, and Get-GPO. The way I generated Sec.cfg was using "Secedit /export /cfg sec.cfg /log NUL".

Thank you for any help that you can provide.

1

There are 1 answers

0
Kartik Bhiwapurkar On

• For the ‘Force Shutdown from a Remote System’ setting to apply effectively on a client system, kindly check whether the below group policy regarding this setting has been applied or not by executing the command ‘gpresult /h gpreport.html’ on the elevated command prompt on the client system. In the report, please check whether the above said group policy setting has been applied successfully or not.

Group policy setting: -

On the Group Policy Server, check the below group policy setting by checking the ‘Default domain policy’ or that policy which controls the below setting: -

  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment/Force shutdown from a remote system

To forcefully apply the domain group policy settings on the client system, execute the command ‘gpupdate /force’ on an elevated command prompt and restart the client system. Then check the client’s group policy report once again to check whether the setting has been applied or not.

• Also, I would suggest you to please make the above said modifications on a baseline client system through local group policy editor and export the settings in an ‘.inf’ template for installation via powershell script. Check for the below settings information in the ‘.inf’ file and then execute the below command by modifying the values for ‘.inf’ file and ‘.db’ file as appropriate: -

 [Privilege Rights]
 SeDenyServiceLogonRight = *S-1-1-0,*S-1-5-19, Administrators

 secedit.exe /configure /cfg C:\customsettings.inf /db C:\WINDOWS\security\Database\customsettings.db /quiet

By doing the above, your issue should get resolved.