Group Policy Settings - Value = Not Defined

LOkrasa Member Posts: 343
Outside of the obvious answer, if a group policy setting has a value of "Not Defined", what exactly does that mean? If, for example, the password expiration policy that defaults to 90 days (I think 90, not sure) is set to Not Defined, does that mean it is the default value or does it just not ever expire?

Comments

  • Mishra Member Posts: 2,468
    Does this thread answer your question?

    http://www.techexams.net/forums/viewtopic.php?t=37532
    My blog http://www.calegp.com

    You may learn something!
  • Markie Member Posts: 54
    Yeah, check out this thread I started up. I think you'll find this part the most relevant to your question.
    It seems my initial interpretation of the Resultant Set Of Policy (RSOP.msc) tool was incorrect. By the name, one might think that the RSOP tool would actually summarize all of the security settings that are in place (once all the relevant local and Active Directory GPOs have been applied).

    However, it seems this is not quite the case, as quoted from Windows XP Help and Support:

    "RSoP is a query engine that polls existing policies, and then reports the results of the query. It polls existing policies based on site, domain, domain controller, and organizational unit".

    The important distinction here is that RSOP does not capture those policies that have been applied at the local level (i.e. LGPOs).

    This distinction now explains my initial confusion over all those "not defined" computer settings found in the 'user rights assignment' tree found in RSOP for a member server (or a client workstation for that matter).

    "Not Defined" just means that no GPOs based on Site, Domain or OU have been applied. However, the security settings that have been defined within Local Security Policy (i.e. by running gpedit.msc on the member server) are still in effect. Therefore, when running RSOP.msc on a member server, the "not defined" security setting relating to the "Backup files and directories" user right just means that this policy has only been defined in Local Security Policy (which is set to 'Administrators and Backup Operators' by default).

    Maybe for the above reason, they should have called the tool the "Resultant Set Of Non-Local Group Policy".

    I suppose the main reason for keeping the LGPOs out of RSOP is so that it would be easier for a local administrator to quickly locate the overriding group policies that have been applied at the Site, Domain or OU levels.

    On the other hand, for a local administrator to fully understand what policies are in place and where they originate from, they would have to run both Gpedit.msc and Rsop.msc.

    Mark
    The oxen is slow but the earth is patient!!!!
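
Added example, not part of the thread: the values in force on the machine itself can be read from the INF file that `secedit /export` writes, and the PowerShell below parses that format and resolves the SIDs listed for a user right. The helper names and the sample INF text are assumptions constructed for illustration; real values will differ.

```powershell
# Added example. $sampleInf is a constructed excerpt in the INF format that
# `secedit /export` writes; values on a real machine will differ.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@
# Live machine (elevated prompt) instead of the sample:
#   secedit /export /cfg "$env:TEMP\local.inf" /areas SECURITYPOLICY USER_RIGHTS
#   $sampleInf = Get-Content "$env:TEMP\local.inf" -Raw

function ConvertFrom-SecurityInf {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $sections = @{}; $current = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]; $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

function Resolve-PolicyPrincipal {   # hypothetical helper name
    param([string]$Entry)
    $id = $Entry.Trim().TrimStart('*')      # SIDs are written with a leading '*'
    try { ([Security.Principal.SecurityIdentifier]$id).Translate([Security.Principal.NTAccount]).Value }
    catch { $id }                           # already a name, or unresolvable
}

$policy = ConvertFrom-SecurityInf -Text $sampleInf
$backup = $policy['Privilege Rights']['SeBackupPrivilege'] -split ',' |
    ForEach-Object { Resolve-PolicyPrincipal $_ }
[pscustomobject]@{
    MaximumPasswordAge = $policy['System Access']['MaximumPasswordAge']
    SeBackupPrivilege  = $backup -join ', '
}
```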