If the setting is being passed down from a GPO from the domain, you can't remediate that through BSA. You would need to talk to your AD admin to have them update the GPO…
You mean to say if it does not belong to any domain then I should be able to update the value for both the local and effective setting?
Also, would you please brief a bit on what the difference is between the local and effective setting? Because even if I update the value of the setting from the GUI, it is only updating the local setting value.
Local means what the value is set to locally on the box. Effective means what the actual, in-effect value is. Effective is what you care about. If you set the local value to something and there is no GPO, then the effective value should be the same as local. If there is a GPO overriding, then that would override the local value and be the effective value.
So can't we remediate these as part of a compliance check using BSA, and is the only option left the use of a GPO?
In short, remediation is not possible using BSA for settings like this (Password Policy setting). To update the effective value, a GPO needs to be applied.
I have very little knowledge about security settings and GPO. Does applying a GPO on a server change the local setting value, or does it only deal with the effective setting value?
If the setting is delivered via a GPO, then no. If the setting is not delivered via a GPO, then yes.
To reiterate what Bill said, and add a bit more.
The Local setting is what the current value is on the server. The Effective setting is what is being pushed by GPO policy. Or, if there is no GPO policy being applied, the Effective setting will default to whatever the Local setting is.
If the values are different, that means the GPO Effective setting hasn't been applied yet (by a gpupdate or a reboot) or someone manually changed the Local setting. But a gpupdate or a reboot will change the Local setting to whatever the Effective setting is. The Effective setting is the master for lack of a better term.
As Bill said, GPO policies are created and managed from your Microsoft Active Directory directory services.
When I do Compliance checks on Security Settings I always check for both values. Sometimes there is a problem with a server getting policies applied properly and this is a good way to catch that.
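The "check both values" habit described above, as an added PowerShell example (not code from the thread or from BSA): it reads the Local value from a secedit export and the Effective value from the machine's Resultant Set of Policy, then reports whether the two agree and whether a GPO is defining the setting. It assumes an elevated prompt on a Windows server where Group Policy has been processed at least once; the threshold of 10 is the constructed compliance value from this thread.

```powershell
# Added example, not part of the original thread. Compares the Local and Effective
# PasswordHistorySize so that GPO drift (or a GPO that never applied) is caught.
$RequiredMinimum = 10   # constructed compliance threshold: password history >= 10

# --- Local value: export the local security database and parse [System Access] ---
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$localMatch = Select-String -Path $cfg -Pattern '^\s*PasswordHistorySize\s*=\s*(\d+)'
$local = if ($localMatch) { [int]$localMatch.Matches[0].Groups[1].Value } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue

# --- Effective value: RSoP data written by the Group Policy client ---
# RSOP_SecuritySettingNumeric rows carry KeyName, Setting, precedence and GPOID;
# precedence 1 is the winning GPO when several define the same setting.
$rsop = Get-WmiObject -Namespace 'root\rsop\computer' `
            -Class RSOP_SecuritySettingNumeric `
            -Filter "KeyName='PasswordHistorySize'" -ErrorAction SilentlyContinue |
        Sort-Object precedence | Select-Object -First 1

if ($rsop) {
    $effective = [int]$rsop.Setting
    $source    = "GPO $($rsop.GPOID)"
} else {
    # No GPO defines the setting, so, as the thread explains, Effective falls back to Local.
    $effective = $local
    $source    = 'Local (no GPO defines this setting)'
}

# --- Verdict: compliant only when the in-effect value meets the threshold ---
$action = if ($effective -ge $RequiredMinimum -and $local -eq $effective) {
    'None'
} elseif ($rsop -and $effective -lt $RequiredMinimum) {
    'Ask the AD admin to raise the value in the GPO; a BSA package cannot override it'
} elseif ($rsop -and $local -ne $effective) {
    'Local differs from GPO value: run gpupdate /force and re-check, or investigate who changed it'
} else {
    'Deploy the local setting via a BSA remediation package'
}

[pscustomobject]@{
    Setting   = 'PasswordHistorySize'
    Local     = $local
    Effective = $effective
    Source    = $source
    Compliant = ($effective -ge $RequiredMinimum)
    Action    = $action
}
```

Run the same check across the estate and the servers whose Local and Effective values disagree are the ones where policy application is failing, which is the condition Joe describes catching.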
Thanks Bill and Joe. It helped me a lot. I was a little worried after the deployment of the package. I even tried using the OOTB CIS WIN2k8 Component template but failed to update the effective setting value.
I have a quick question here.
For our server, the compliant value for the password history is >=10. The compliance check found that it was set to 7. We created a remediation package using the live server object option and deployed the package (the value was set to 10). Only the local setting value changed, leaving the effective setting unchanged at 7.
So what is the best recommended way of doing remediation for such settings related to GPO?
Does applying a GPO modify the value for both the local and effective setting as per industry standard, with no need to remediate using BSA?
Do we need to deploy the package to update the local setting and ask the AD admin to push a GPO to update the effective setting value?
The GPO sets the effective setting, not the local setting. If there is a GPO in place, then that will override the local setting. If the box is removed from the domain, or the GPO is altered such that this setting is no longer defined, then the local setting would take effect. So it may still be a good idea to push out the local settings in case one of those things happens. So I'd still do both – deploy the local setting and get the AD admin to update the GPO.