Unlocking the Local Security Policy on a Computer

When troubleshooting or testing, you sometimes need to work on a production computer in a lab environment. In these cases you capture an image of the computer in question and restore it on lab hardware. Often the local security policy has been set by a GPO and cannot be modified using the Local Security Settings MMC. When the computer is removed from the network (and domain), the local security policy remains unchanged. The procedure below enables you to modify the local security policy on a computer where this has occurred.

  1. Log onto the computer with an Administrator account.
  2. Start the Local Security Settings MMC (SECPOL.MSC).
  3. Export the current security settings to an INF file by right-clicking the top node in the MMC and selecting Export from the context menu (for Windows XP, see the additional information below). Name the file "current.inf" (the name is not important).
  4. Open a blank MMC (Start > Run MMC)
  5. Add the Security Configuration and Analysis snap-in.
  6. Right-click the top node in Security Configuration and Analysis and select "New Database" and then save the database.
  7. When prompted to import a security template use the one exported in step 3 above (current.inf)
  8. Now right-click Security Configuration and Analysis and select "Analyze Computer Now".
  9. Now browse to the setting you want to modify.  You will notice the database setting and computer settings are the same in all cases.  Double-click the setting and make changes.  Repeat for each setting you want to modify.
  10. When you are finished making changes, right-click the top node and select "Configure Computer Now" and your changes will be applied.
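
The same export, edit and configure cycle can be scripted with SECEDIT.EXE from an elevated PowerShell prompt. This is an added example, not part of the original procedure. It assumes a Windows version whose SECEDIT.EXE supports /export; the working folder, the database name and the two setting values are constructed for illustration.

```powershell
# Added example: scripted equivalent of steps 3-10, run on the lab copy only.
$work = Join-Path $env:TEMP 'secpol-lab'   # hypothetical working folder
$inf  = Join-Path $work 'current.inf'      # template name from step 3
$sdb  = Join-Path $work 'lab.sdb'          # hypothetical database name (step 6)
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 3: export the current security settings to an INF template.
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

# Step 9: edit the settings in the template.
# Both keys live in the [System Access] section; the values are constructed samples.
$changes = @{
    'MinimumPasswordLength' = '8'
    'MaximumPasswordAge'    = '90'
}
$lines = Get-Content -Path $inf
foreach ($name in $changes.Keys) {
    $pattern = '^\s*' + [regex]::Escape($name) + '\s*='
    # Fail loudly instead of silently skipping a key the export did not contain.
    if (-not ($lines -match $pattern)) { throw "$name not found in $inf" }
    $lines = $lines -replace ($pattern + '.*$'), "$name = $($changes[$name])"
}
# secedit templates are UTF-16; keep that encoding when writing back.
Set-Content -Path $inf -Value $lines -Encoding Unicode

# Steps 6-8: build a fresh database from the template and analyze the computer.
secedit /analyze /db $sdb /cfg $inf /overwrite /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit /analyze returned $LASTEXITCODE" }

# Step 10: apply the edited template to the computer.
secedit /configure /db $sdb /cfg $inf /overwrite /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }

# Confirm the result by exporting again and showing the edited keys.
$check = Join-Path $work 'after.inf'
secedit /export /cfg $check /areas SECURITYPOLICY /quiet
Select-String -Path $check -Pattern ($changes.Keys -join '|')
```

Keeping the original export alongside the edited template gives you a record of exactly which settings differ between the production image and the lab copy.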

In Windows XP, SECPOL.MSC does not support exporting the security configuration to a template, and the SECEDIT.EXE command-line utility does not support exporting the configuration either. An updated version of SECEDIT.EXE is available from Microsoft, as described in the KB article below, that does enable you to export the security configuration to an INF file.

You cannot use the Secedit.exe command-line tool to export the local security policy settings on a stand-alone workstation that is running Microsoft Windows XP