To deploy changes to Windows local security policy, it appears as though BladeLogic 8.1 uses secedit to export the current effective local security policy and then re-import including the change/s being applied in the BladeLogic packages. Is there a way to configure BladeLogic to only work with the specific policy/s that are being modified via the package? In our case, we are running a compliance job with autoremediate that verifies a local account is in two specific User Rights policies and adds it if it's not. However, on some servers, a text formatting issue in a specific Security Options policy was identified after the BladeLogic deployment because the formatting issue only becomes a problem if the policy is imported via secedit; not if it's entered into the policy using the Local Security Policy MMC snap-in (which was done in some cases). We've identified and corrected the text formatting issue, but would still like to know if BladeLogic can be configured to only work with the specific policy/s that are being modified via the package instead of exporting and re-importing the whole local security policy.
You can’t change the default behavior of BBSA, but you could usean external command of a BLPackage to execute whatever commands you like to asystem. I am sure this is not what you are looking for, as this would negatethe OOB packaging of policy settings and require more manual work.