Programmatic Changes to LSA Policy Appear in Group Policy or Local Security Policy (295655)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q295655 SUMMARY
When a program makes changes to the LSA policy on a Windows 2000 domain controller (DC) by calling LSA APIs, those changes are reflected in the Default Domain Controllers policy.
When a program makes changes to the LSA policy on a Windows 2000 member server or workstation by calling LSA APIs, those changes are reflected in that computer's Local Security policy.
MORE INFORMATION
Calls to the LSA APIs are intercepted by the Security Configuration Engine and incorporated into the appropriate policy. On DCs, changes are made to the Default Domain Controllers policy. On member servers and workstations, the changes are incorporated into the Local Security policy database and integrated with the group policy from the domain.
This is done for program compatibility purposes. Because group policies override local policies, an installed program that required a specific LSA policy change (such as adding an account or group to a user right) would start to malfunction if the group policy ignored the changes made by the program. Because of this, LSA policy changes are intercepted and integrated.
| Modification Type: | Major | Last Reviewed: | 12/3/2003 |
|---|
| Keywords: | kbenv kbinfo kbui KB295655 |
|---|
|