date: Mon, 14 Apr 2008 12:49:27 -0700,    group: microsoft.public.platformsdk.security


WMI missing security settings   
http://msdn2.microsoft.com/en-us/library/aa375062.aspx

This page says that we should be able to retrieve eight settings using WMI:
ClearTextPassword
PasswordComplexity
RequireLogonToChangePassword
ForceLogoffWhenHourExpire
LSAAnonymousNameLookup
EnableAdminAccount
EnableGuestAccount
TicketValidateClient

However, we are only able to retrieve four of them:
ClearTextPassword
PasswordComplexity
RequireLogonToChangePassword
ForceLogoffWhenHourExpire

Any idea why the other four are missing?

Thanks
date: Mon, 14 Apr 2008 12:49:27 -0700   author:   JH am

RE: WMI missing security settings   
Hi JH,

Is it possible for you to provide a sample project for reproducing this 
problem? Anyway, I will perform some research and find out if this is a 
known issue. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and 
suggestions about how we can improve the support we provide to you. Please 
feel free to let my manager know what you think of the level of service 
provided. You can send feedback directly to my manager at: 
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to 
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues 
where an initial response from the community or a Microsoft Support 
Engineer within 1 business day is acceptable. Please note that each follow 
up response may take approximately 2 business days as the support 
professional working with you may need further investigation to reach the 
most efficient resolution. The offering is not appropriate for situations 
that require urgent, real-time or phone-based interactions or complex 
project analysis and dump analysis issues. Issues of this nature are best 
handled working with a dedicated Microsoft Support Engineer by contacting 
Microsoft Customer Support Services (CSS) at 
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
date: Tue, 15 Apr 2008 12:39:56 GMT   author:   (Jeffrey Tan[MSFT])

Re: WMI missing security settings   
Hi Jeffrey,

This simple vbs script shows four settings.

Thanks.



' http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2642372&SiteID=1

' Query the computer-side RSoP namespace on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\RSOP\computer")
' Each instance is one boolean security setting defined by an applied GPO
Set colItems = objWMIService.ExecQuery("Select * from RSOP_SecuritySettingBoolean")
For Each objItem In colItems
    WScript.Echo objItem.KeyName & " = " & objItem.Setting
Next
date: Tue, 15 Apr 2008 15:04:11 -0700   author:   JH am

Re: WMI missing security settings   
Hi JH,

Thanks for your feedback.

Yes, I can reproduce this problem with the code. 

In fact, the rsop (MMC snap-in and WMI class) shows the final resulting view 
of the GPOs (domain/OU/Local/etc.) that apply. So the problem is that if a 
setting (for example the Guest Account Status) is "Not configured" in 
every effective GPO, it will be hidden in the rsop view. The 4 items we 
have retrieved with the script 
(ClearTextPassword/PasswordComplexity/RequireLogonToChangePassword/ForceLogoffWhenHourExpire) 
are shown because they are configured by the "Default Domain Policy". One 
piece of evidence is that if you run this script on a workgroup machine, it 
will show nothing at all.

So this behavior -- showing only 4 items on a domain member machine with 
default settings -- is expected.

The other properties are not shown simply because these settings are not 
configured in any GPO. Can you ensure these settings are configured with 
rsop and/or gpmc?

In my repro, if I set "Computer Configuration -> Windows Settings 
-> Security Settings -> Local Policies -> Security Options -> 
Accounts: Guest account status" to "Enabled" on the domain GPO (this setting 
does not work on local GPO), EnableGuestAccount will be shown by the 
script.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Wed, 16 Apr 2008 07:31:29 GMT   author:   (Jeffrey Tan[MSFT])

Re: WMI missing security settings   
Thanks for the explanation. You mentioned that EnableGuestAccount does
not work on local GPO. How should I find out if a setting works on local GPO
or not? Is it true that none of the settings we retrieve from WMI 
RSOP_SecuritySettings work on local GPO?
date: Wed, 16 Apr 2008 16:04:23 -0700   author:   JH am

Re: WMI missing security settings   
As a matter of fact, I'm not sure if I understand this:

> Accounts: Guest account status" to "Enabled" on the domain GPO (this setting
> does not work on local GPO),

Because when I enable Guest account from MMC, the local Guest user is
indeed enabled, meaning my enabling it was effective. But WMI still does
not show the setting. Am I missing something?

date: Wed, 16 Apr 2008 16:10:56 -0700   author:   JH am

Re: WMI missing security settings   
In some other tests that we did, we found that on one Win XP box, 
"PasswordComplexity" shows different values in different sources:
- disabled and grayed out in MMC
- True in WMI output
- 0 in secedit output

So in this case secedit shows a different value than WMI but the same value as 
MMC.
As you can tell, I'm pretty confused now :)

> In fact, the rsop (MMC snap-in and WMI class) shows the final resulting view
> of the GPOs (domain/OU/Local/etc.) that apply. So the problem is that if a
> setting (for example the Guest Account Status) is "Not configured" in
> every effective GPO, it will be hidden in the rsop view. The 4 items we
> have retrieved with the script
> (ClearTextPassword/PasswordComplexity/RequireLogonToChangePassword/ForceLogoffWhenHourExpire)
> are shown because they are configured by the "Default Domain Policy". One
> piece of evidence is that if you run this script on a workgroup machine, it
> will show nothing at all.
date: Wed, 16 Apr 2008 16:15:24 -0700   author:   JH am

Re: WMI missing security settings   
Hi JH,

Sorry, I do not know why, but it seems that my reply to you on 17 Apr did not 
show up in the newsgroup. I suspect it may have been caused by the attachment 
in the reply.

I paste it below for your information:

"
Thanks for your feedback.

The statement "this setting does not work on local GPO" in my last mail is not 
very exact. Technically speaking, the items under the "Security Settings"
node in "Local Group Policy Editor" (run "gpedit.msc") are not a real part of 
the Local GPO. It's just a combined UI to set "Local Group Policy" and "Local
Security Settings" together. You can see the difference between the UI for 
setting them in a domain GPO and in the "local GPO". This is the UI for setting 
a domain GPO (please note the "Define this policy setting" check box): (see 
attached gp1.jpg)

This is the UI for setting the "Local GPO" (it only has 2 states, "Enabled" 
and "Disabled", and cannot be "Not configured"): (see attached gp2.jpg)

So that's the reason security settings are not reflected in RSoP even if you 
set them in the local GPO. The settings are effective, but do not belong to
any "Group Policy Object". It's a little complicated. It is designed this way 
because the local policy and domain group policy are totally different 
things in win2k, and we migrated them together in win2k3.

About the different outputs between MMC/WMI/secedit, you can refer to this 
KB article: http://support.microsoft.com/kb/257922/en-us
"

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Tue, 22 Apr 2008 15:48:42 +0800   author:   Jeffrey Tan[MSFT]

Re: WMI missing security settings   
Jeffrey,

Thanks for the reply. If I understand you correctly, all RSoP_x WMI settings 
do not consider local settings? If this is the case, secedit should be the 
right way of retrieving and modifying these values? Or are there any other 
ways of doing this?

The link was also helpful.
date: Tue, 22 Apr 2008 12:33:21 -0700   author:   JH am

Re: WMI missing security settings   
Hi JH,

Thanks for your feedback.

Oh, it seems that our internal support tool missed this reply again.

Yes, I believe the RSoP_x WMI settings will only account for the group 
security policy instead of the local policy. Yes, the SECEDIT command-line 
tool should be used to modify the Group Policy immediately. See the KB 
below:

"Using SECEDIT to Force a Group Policy Refresh Immediately"
http://support.microsoft.com/kb/227302

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Thu, 24 Apr 2008 11:27:53 +0800   author:   Jeffrey Tan[MSFT]

Re: WMI missing security settings   
Thanks. This means there is no programming interface to get those settings.

secedit fails to export any settings on Windows XP, w/o a patch. This makes
things even less convenient.

> Yes, I believe the  RSoP_x WMI settings will only account for the group 
> security policy instead of the local policy.  Yes, the SECEDIT 
> command-line tool should be used to modify the Group Policy immediately. 
> See the KB below:
>
> "Using SECEDIT to Force a Group Policy Refresh Immediately"
>
> http://support.microsoft.com/kb/227302
date: Thu, 24 Apr 2008 13:54:22 -0700   author:   JH am

Re: WMI missing security settings   
Hi JH,

Thanks for your feedback.

Yes, as far as I know, the secedit tool uses the Sce*** APIs exported by 
SCECLI.DLL to perform all the work. However, these APIs are all 
undocumented. Can you automate the secedit tool and parse its output in 
your application?

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Fri, 25 Apr 2008 06:41:07 GMT   author:   (Jeffrey Tan[MSFT])

Re: WMI missing security settings   
Parsing secedit output - yes, this is what we are doing. It won't work on
Windows XP without a secedit patch. Most Windows XP machines
don't really have that hotfix installed.

> Yes, as far as I know, the secedit tool uses the Sce*** APIs exported by
> SCECLI.DLL to perform all the work. However, these APIs are all
> undocumented. Can you automate the secedit tool and parse its output in
> your application?
date: Fri, 25 Apr 2008 13:53:58 -0700   author:   JH am

Re: WMI missing security settings   
Hi JH,

Thanks for your feedback.

Yes, I understand this pain. I will try to contact our security team again 
to confirm if there is any way to get the function of secedit 
programmatically. I will get back to you ASAP.

Thanks for your patience.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Mon, 28 Apr 2008 03:37:32 GMT   author:   (Jeffrey Tan[MSFT])

Re: WMI missing security settings   
Hi JH,

Sorry to keep you waiting. I have not gotten any response from our 
security team yet.

I assume there is no documented programming solution for it yet. If you 
really want to get an official solution, you may have to contact Microsoft 
CSS for phone case support. They have the official channel to get 
confirmation from the security team.

You can contact Microsoft Product Support directly to discuss additional 
support options you may have available, by contacting us at 1-(800)936-5800 
or by choosing one of the options listed at: 
http://www.microsoft.com/services/microsoftservices/srv_support.mspx

As a workaround, you may also include the hotfix in your setup project to 
get secedit on the deployed machine. Then, you can parse the secedit 
output.

Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
date: Tue, 29 Apr 2008 10:06:16 GMT   author:   (Jeffrey Tan[MSFT])
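
Added example, not part of any post in the thread: since RSoP only reports settings defined in a GPO, an audit of the eight boolean settings has to reconcile the RSoP rows with a secedit export. The Python below parses a constructed export and compares it with constructed RSoP rows; the function names and all sample values are assumptions.

```python
# Added example: helper names are hypothetical, sample inputs are constructed.
BOOLEAN_KEYS = [
    "ClearTextPassword", "PasswordComplexity", "RequireLogonToChangePassword",
    "ForceLogoffWhenHourExpire", "LSAAnonymousNameLookup", "EnableAdminAccount",
    "EnableGuestAccount", "TicketValidateClient",
]

# Constructed stand-in for a file written by
#   secedit /export /cfg out.inf /areas SECURITYPOLICY
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
PasswordComplexity = 0
ClearTextPassword = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16")

# Constructed stand-in for the KeyName/Setting pairs printed by the thread's script.
SAMPLE_RSOP = {"ClearTextPassword": False, "PasswordComplexity": True,
               "RequireLogonToChangePassword": False,
               "ForceLogoffWhenHourExpire": False}

def decode_export(raw: bytes) -> str:
    """secedit exports are normally UTF-16 with a BOM; accept UTF-8/ASCII too."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_secedit(raw: bytes) -> dict:
    """Return {KeyName: bool} for the boolean settings present in the export."""
    found, section = {}, None
    for line in decode_export(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section in ("System Access", "Kerberos Policy") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in BOOLEAN_KEYS and value in ("0", "1"):
                found[key] = value == "1"
    return found

def reconcile(rsop: dict, local: dict) -> dict:
    """Classify each setting by where it is visible and whether the views agree."""
    report = {}
    for key in BOOLEAN_KEYS:
        if key in rsop and key in local:
            report[key] = "gpo" if rsop[key] == local[key] else "mismatch"
        elif key in rsop:
            report[key] = "gpo-only"
        elif key in local:
            report[key] = "local-only"   # effective, but invisible to RSoP
        else:
            report[key] = "absent"
    return report

if __name__ == "__main__":
    for name, status in reconcile(SAMPLE_RSOP, parse_secedit(SAMPLE_EXPORT)).items():
        print(f"{name:30} {status}")
```

A "mismatch" row corresponds to the PasswordComplexity case reported above (True in WMI, 0 in secedit) and is the row to investigate first.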
