Unlocking the Local Security Policy on a Computer

There are times when you are doing troubleshooting or testing when you need to work on a production computer in a lab environment.  In these cases you capture an image of the computer in question and restore it on lab hardware.  Many times the local security policy has been set by a GPO and cannot be modified by using the Local Security Settings MMC.  When the computer is removed from the network (and domain) the local security policy remains unchanged.  The procedure below will enable you to modify the local security policy on a computer where this has occured.

  1. Log onto the computer with an Administrator account.
  2. Start the Local Security Settings MMC (SECPOL.MSC)
  3. Export the current security settings to an INF file by right clicking the top node in the MMC and selecting Export from the context menu. (for Windows XP see additional information below) and name the file "current.inf" (name is not important)
  4. Open a blank MMC (Start > Run MMC)
  5. Add the Security Configuration and Analysis snap-in.
  6. Right-click the top node in Security Configuration and Analysis and select "New Database" and then save the database.
  7. When prompted to import a security template use the one exported in step 3 above (current.inf)
  8. Now right click Security Configuration and Analysis and select "Analyze Computer Now".
  9. Now browse to the setting you want to modify.  You will notice the database setting and computer settings are the same in all cases.  Double-click the setting and make changes.  Repeat for each setting you want to modify.
  10. When you are finished making changes, right-click top node and select "Configure Computer Now" and you changes will be applied.

In Windows XP the SECPOL.MSC does not support the exporting of the security configuration to a template.  The SECEDIT.EXE command-line utility does not support exporting the configuration either.  There is an updated version of SECEDIT.EXE available from Microsoft as described int he KB article below that does enable you to export the security configuration to an inf file.

You cannot use the Secedit.exe command-line tool to export the local security policy settings on a stand-alone workstation that is running Microsoft Windows XP
https://support.microsoft.com/default.aspx/kb/897327/

Comments

  • Anonymous
    January 09, 2007
    Hi, your article was very useful, but when I follow the instructions I can only get "Account Policies" and "Local Polocies". Do you know how to perform a similar action such that I can also capture the "Even Log", "Restricted Groups", "System Services", "Registry" and "File System" ? Thanks a lot, Pepe.

  • Anonymous
    January 13, 2007
    The Local Security Policy only contains the settings for Account Policies, LocalPolicies and a few others.  The other settings are configured via Group Policy.  TO modify the local computers Group Policy do the following:

  1. Start > Run > type MMC ad press <ENTER>
  2. Add the Group Policy snap-in (local computer) You will see all the settings you are looking for.  Keep in mind that of your computer is a member of a domain, GPOs from the domain will overwrite any settings you modify at the next refresh.  GPOs are applied in the following order: Local
        Site
            Domain    
                OU
                    OU Any settings in your local GPO can be overwritten by the Domain, Site , and Organizational Unit GPOs in that order. 
  • Anonymous
    April 26, 2015
    These instructions were great! Worked well on a Windows 2012 Server to reset domain imposed settings.

  • Anonymous
    July 15, 2016
    Great article!I was able to modify the settings which were disabled earlier. Thus, resolved referral error on Windows 10 for some executables.Thanks