Sunday, May 08, 2016

Domain-Level Security Policies Override Local Security Policy

Why does a Microsoft server domain-level policy override the local security policies in Vista Ultimate?

Domain-level Group Policy settings persistently revert these 7 services from "Automatic" to "Automatic (Delayed Start)" when changed manually by the user.
Background Intelligent Transfer Service
Google Update Service (gupdate)
KtmRm for Distributed Transaction Coordinator
Microsoft .NET Framework NGEN v4.0.30319_X86
TPM Base Services
Windows Font Cache Service
Windows Update














Vista Ultimate Security Templates

Domain-Level Security Policies Override Local Security Policy

The Group Policy security settings that apply to this machine could not be determined.

The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: An extended error has occurred.

All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.

Any local security setting modified through this User Interface may subsequently be overridden by domain-level policies



Can't even spell "overridden" properly.


The same holds true in Windows 7 Home Premium, where the following eight services are persistently reverted from "Automatic" to "Automatic (Delayed Start)" when changed manually by the user.
Background Intelligent Transfer Service
Google Update Service (gupdate)
Microsoft .NET Framework NGEN c4.0.30319_X64
Microsoft .NET Framework NGEN c4.0.30319_X86
Security Center
Software Protection
Windows Defender
Windows Update

Surely, a delayed start weakens the protections offered by these services. Why would Microsoft weaken its own security features? Why does upgrading a Windows OEM license to a Windows Vista Ultimate Full License for $359.99 offer only the pretense of control and management of security settings? Why does the matter stay exactly the same through two different, evolving Windows editions?

Applies to Kaspersky Rescue Disk:  "In this case, disinfection is more efficient because malware programs do not gain control when the operating system is being loaded. In the emergency repair mode, you can only start objects scan tasks, update databases roll back updates and view statistics."










No comments: