-
Title
Will QMM RUM (Resource Updating Manager) also update Local Security Settings configured through G -
Description
If running RUM on the workstation or server, along with file system permissions, local groups membership and many other options will it also update Local Security Settings enforced via GPO?
-
Cause
The behaviour is by design.
-
Resolution
QMM RUM will also update security settings stored on the local machine. For example:
Before RUM: Allow logon through Terminal services - Source\Test1
Running RUM with Reassign local group membership, user rights, object permissions to target users with Leave source accounts permissions CHECKED.
After: Allow logon through Terminal services - Source\Test1, Target\Test1
Upon moving the computer to the target domain, the new target GPO will be applied. If the target GPOs are not configured, the local settings may remain unchanged. Please refer to the following Microsoft article about default behaviour:
http://technet2.microsoft.com/windowsserver/en/library/f546e58e-8473-4985-a05d-0b038dea4a9f1033.mspx?mfr=true
Persistence of Security Settings Policy
Security settings can persist even if a setting is no longer defined in the policy that originally applied it.
In Windows Server 2003 and Windows XP, security settings might persist in the following cases:The setting has not been previously defined for the computer.
The setting is for a registry security object.
The settings are for a file system security object.
In Windows 2000, security settings might persist even if the setting is no longer defined in the GPO that originally applied it. All settings applied through local policy or through a Group Policy object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as tattooing.
Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. On domain controllers running Windows Server 2003 or Windows 2000, all security settings persist.