NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q325878 contains:

SUMMARY

This step-by-step article describes how to apply registry access control lists (ACLs) and file system ACLs to computers that are upgraded from Microsoft Windows NT 4.0 to Windows Server 2003.

When you upgrade a Windows NT 4.0-based computer to Windows Server 2003, the registry and file system ACLs are not changed by Windows Setup. Windows Server 2003 permits a higher level of security, and it handles registry and file system permissions differently than Windows NT 4.0. Microsoft recommends that you apply Windows Server 2003 ACLs to computers that are upgraded from Windows NT 4.0.

To apply registry and file system ACLs, you can use the Security Configuration and Analysis snap-in. Note that you must be a member of the Administrators group to perform this procedure.

back to the top

How to Apply Default System Security Settings to a Computer That Is Upgraded from Windows NT 4.0 to Windows Server 2003

  1. Log on as Administrator or as a member of the Administrators group.
  2. Click Start, click Run, type mmc in the Open box, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Add , click Security Configuration and Analysis, click Add, click Close, and then click OK.
  5. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
  6. Specify a name (for example, upgdbase) and a location for the database, and then click Open.
  7. In the Import Template dialog box that appears, click Setup Security.inf, and then click Open.
  8. Right-click Security Configuration and Analysis, and then click Analyze Computer Now.
  9. In the Perform Analysis dialog box that appears, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK.

    The template security settings are compared to the existing computer settings.

    NOTE: No changes are made to the computer at this time. The results of this procedure show where there are discrepancies between the security settings in the template and the actual system settings.
  10. When the analysis is complete, expand each component in the console tree -- for example, Account Policies, Local Policies, Event Log, Restricted Groups, and System Services.
  11. For each component that you expand in step 10, view its security attribute entries in the right pane in the Policy column, and then note the following:
    • An entry with a green check mark indicates that the current computer settings are the same as security settings in the database.
    • An entry with a red "x" indicates that the current computer settings are different from the security settings in the database.
    • If a green check mark or a red "x" is not displayed, a setting for this security attribute is not defined in the template and was not analyzed.

      If you want to add or modify a database setting, right-click the security attribute that you want to add or modify, and then click Properties. Click to select the Define this policy in the database check box (if it is not already selected), make the changes that you want to the policy setting, and then click OK.

      NOTE : The Database Setting column displays the security settings that are contained in the template, and the Computer Setting column displays the computer's current settings.
  12. To configure the computer to use the security settings in the database, right-click Security Configuration and Analysis, and then click Configure Computer Now.
  13. In the Configure System dialog box that appears, either accept the default path and log file name or type the path and file name that you want, and then click OK.

    The security database configuration is applied to the computer.

    NOTE: If there are conflicts between the database entries and the existing security configuration on the computer, the existing entries are overwritten unless you reconcile the differences in the security database before you configure the computer.
back to the top