We strongly recommend that security administration be done with CASPol whenever possible. This ensures that policy changes don’t corrupt the configuration files. Because CASPol does not currently support administrators accessing arbitrary users’ configuration files, some hand editing may become necessary. The configuration files are stored at the following locations:
Policy level | Operating system | Configuration file |
---|---|---|
Machine | Windows 2000 | %WINDIR%\complus\vxx.xx\security.cfg |
Machine | Windows NT | %WINDIR%\complus\vxx.xx\security.cfg |
Machine | Windows 9x | %WINDIR%\complus\vxx.xx\security.cfg |
User | Windows 2000 | %USERPROFILE%\complus\vxx.xx\security.cfg |
User | Windows NT | %USERPROFILE%\complus\vxx.xx\security.cfg |
User | Windows 9x | %WINDIR%\username\complus\vxx.xx\security.cfg |
NOTE: The security.cfg file for a particular policy is persisted on disk only if the policy has been changed from the default using CASPol (the default policies are hardwired). So, for instance, if a user has only ever used CASPol to list his or her user policy but has not made any changes to it, no security.cfg file will be persisted for that user. In that case the administrator will need to author a new policy file. When the security.cfg files are created, they are appropriately ACLed so that only people with machine administrative rights can modify the machine’s security.cfg.
When -reset is called on a default policy, CASPol automatically saves the default policy to disk. Although the administrator cannot call -reset on an arbitrary user’s policy, he or she can call -reset on his or her own user policy (if it is still the default policy) and use the persisted file as a starting point for authoring the particular user policy he or she had in mind.
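The note above means that a missing security.cfg indicates a policy level still on the hardwired default. The following inventory script is an added example, not part of the original documentation: it lists which policy levels have a persisted file and which users would need a new file authored. The function names, the sample users and the temporary directory layout are assumptions; `vxx.xx` is the page's own version placeholder.

```python
import tempfile
from pathlib import Path

CFG_NAME = "security.cfg"

def persisted_policies(base_dir):
    """Return {version_dir_name: path} for every security.cfg under <base_dir>/complus."""
    root = Path(base_dir) / "complus"
    if not root.is_dir():
        return {}
    return {d.name: d / CFG_NAME
            for d in sorted(root.iterdir())
            if d.is_dir() and (d / CFG_NAME).is_file()}

def inventory(windir, profiles):
    """Report persisted policy files for the machine level and each user profile.

    profiles maps a user name to that user's profile directory
    (%USERPROFILE%, or %WINDIR%\\username on Windows 9x).
    """
    report = {"machine": persisted_policies(windir)}
    for user, profile in profiles.items():
        report["user:" + user] = persisted_policies(profile)
    return report

def still_default(report):
    """Policy levels with no persisted file, i.e. still on the hardwired default."""
    return sorted(level for level, found in report.items() if not found)

def build_sample_tree(root):
    """Constructed sample layout: machine and 'ann' customized, 'joe' never changed."""
    root = Path(root)
    windir, ann, joe = root / "WINNT", root / "profiles" / "ann", root / "profiles" / "joe"
    for base in (windir, ann):
        (base / "complus" / "vxx.xx").mkdir(parents=True)
        (base / "complus" / "vxx.xx" / CFG_NAME).write_text("constructed placeholder")
    (joe / "complus" / "vxx.xx").mkdir(parents=True)  # directory exists, no file
    return windir, {"ann": ann, "joe": joe}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        windir, profiles = build_sample_tree(tmp)
        report = inventory(windir, profiles)
        for level, found in report.items():
            print(level, "->", {v: str(p) for v, p in found.items()} or "default (no file)")
        print("author a new file for:", still_default(report))
```

On a real system, pass the actual %WINDIR% value and a mapping of user names to profile directories to `inventory` instead of the constructed tree.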
Example: Administrator wants to change the default user policy of user Joe Doe