Compatible Template (compatws.inf)

By Author: Mike Jones
Total Articles: 256

Default permissions for workstations and mcse 2003 certification servers are primarily granted to three local groups: Administrators, Power Users, and Users. Administrators have the most privileges while Users have the least. Members of the Users group can successfully run applications that take part in the Windows Logo program for software, but may not be able to run applications that are not certified. If noncertified applications must be supported for members of the Users group, there are two options:
Allow members of the Users group to be members of the Power Users group.
Relax the default restrictions granted to the Users group.
Because Power Users can create users, groups, printers, and shares, some administrators would rather relax the default permissions granted to the Users group than allow members of the Users group to be members of the Power Users group. The Compatible template changes the default file and registry permissions granted to the Users group so that these members can use most noncertified applications. The Compatible template also removes all users and groups from the Power Users group, assuming that the administrator applying the Compatible template does not want end users to be Power Users.
Note Do not apply the Compatible template to domain controllers, including by mcitp enterprise administrator importing the Compatible template to the Default Domain GPO or the Default Domain Controller GPO.
Highly Secure Templates (Hisecws.inf and Hisecdc.inf)
The highly secure templates define security settings for Windows Server 2003 network communications, imposing restrictions on the levels of encryption and signing that are required for authentication and for the data that flows over secure channels and between server message block (8MB) clients and servers. These templates shut down NTLM communication and allow communication only with clients running NTLM version 2 or Kerberos. Clients that do not support NTLM version 2 include Microsoft Windows for Workgroups, Windows NT clients prior to Service Pack 4, and Microsoft Windows 95 and Microsoft Windows 98 platforms that do not have the Directory Services (DS) Client Pack installed. Microsoft Windows Me and Windows XP Professional support NTLM version 2 without additional modification.
You can import (apply) a security template file to a local or nonlocal GPO. Any computer or user accounts in the site, domain, or OU to which the GPO is applied receives the security template settings. Importing a security template to a GPO eases domain administration by Comptia security+ configuring security for multiple computers at once.