Security templates are powerful and important for ensuring that clients, servers, and domain controllers are secured properly within the domain. Security templates cover a lot of security areas. However, it is also important to understand how security templates overlap with GPOs so you know which custom settings are possible and where they will show up in the GPOs.

A typical security template covers more than 10 security-related areas, with hundreds of potential policy settings. A standard GPO contains well over 100 areas that can be configured, and more than 1000 individual policy settings. The big question is, where do security templates and GPOs overlap?

Security templates only affect computer accounts, so you can start by ruling out all of the policy settings that affect user accounts, which are all located under the User Configuration node in a GPO. You saw in Chapter 14 that the Administrative Templates nodes for both computer and user accounts are created using .adm files. Therefore, you can also rule out these policy settings. It is rather obvious that security templates are not related to software settings or scripts, so these areas can be ruled out, too.

After ruling out what the security templates don’t configure within a GPO, you are left with the Security Settings node under the Computer ConfigurationWindows Settings path in a standard GPO, as shown in Figure 15-8.

Figure 15-8. The Security Settings node in a GPO

When you compare this structure to that shown in Figure 15-1, you can quickly see the similarities. However, some security areas included in the GPO are not supported by the security template. These areas include the following:

These areas also fall outside the scope of security templates, but they are located in the Security Settings section of a GPO where security templates take effect.