Chapter Summary

Most new security templates should be based on predefined security templates.

Create security templates for computer roles, not for individual computers.

The Security Templates snap-in is a graphical tool for creating and editing security templates.

Secedit is a command-line tool that can create security templates based on an existing computer’s settings.

Security templates can be used to configure account policies, group memberships, event log settings, local policies, and permissions for folders, files, services, and the registry.

The easiest way to deploy security templates to multiple systems is to use Group Policy.

Group Policy can be applied to a domain, a site, or an OU.

You can further restrict which computers and users a Group Policy object applies to by restricting permissions to the Group Policy object, or by using WMI filtering.

You can use Secedit to apply a security template from the command line. By using Secedit, you can automatically deploy security policies to computers that are not members of a domain.

You can manually apply a security template to a computer by using the Security Configuration And Analysis snap-in.

Use Gpupdate to refresh policy before you begin troubleshooting and after each change you make to Group Policy.

The Advanced System Information tool in Help And Support Center is a graphical tool that provides a thorough description of GPOs applied to a user and computer.

Gpresult displays the most complete set of information about GPOs applied to a user and computer.

Windows Server 2003 records information about applied GPOs in the registry.