How can I stop a Windows 2000 upgrade overwriting special security settings?

When an NT installation is upgraded to Windows 2000 security defined in one of the following templates

• dwup.inf for Windows 2000 professional upgrades
• dsup.inf for Windows 2000 server upgrades

To stop these files overwriting your custom security settings you need to edit the files which means you need the files on a central/local writable form for the upgrade:

1. Copy the appropriate template file (Dwup.inf for Professional or Dsup.inf for server) from your Windows 2000 distribution share into the %WinDir%\Security\Templates folder on your local computer. It may be in unexpanded from in the I386 folder so you may need to expand it:
   D:\I386>expand dwup.in_ dwup.inf
Microsoft (R) File Expansion Utility Version 5.00.2134.1
Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding dwup.in_ to dwup.inf.
dwup.in_: 17285 bytes expanded to 252850 bytes, 1362% increase.

D:\I386>copy dwup.inf %windir%\security\templates
1 file(s) copied.
2. Start Microsoft Management Console (Start - Run - MMC).
3. From the Console menu select Add/Remove Snap-in, click Add, click Security Templates, click Add, click Close, and then click OK.
4. Expand the Security Templates root, then the templates folder. You will see your copied template, e.g. dwup.inf
5. Click the security area that you want to modify (Registry or File System).
6. In the result pane, a list of all of the registry keys or file system objects configured by the default upgrade template is displayed. Determine whether or not the object you want the upgrade to ignore is explicitly configured by the template, and then use one of the following:
   
   If the object you want the upgrade to ignore is not explicitly configured by the upgrade template, you must add it using the following steps: 
   
   1. Right-click Registry or File System, and then click Add Key or Add File.
   2. Browse the dialog box to select the key or file system object you want to protect (for example, Machine\Software\DelOld). If the key, folder, or file does not exist on your computer, you can type the path to the object in the available box.
   3. Click OK to start the Access Control List (ACL) editor.
   4. Click OK again to accept the default security provided by the ACL editor.
   5. Click Do not allow permissions on this key\file to be replaced.
   6. Click OK to add the object to the template, and then go to step 7.
   
   If the object you want the upgrade to ignore is already explicitly configured in the upgrade template, modify it using the following steps: 
   
   1. In the result pane, double-click the object you want to protect.
   2. Click Do not allow permissions on this key\file to be replaced, click OK, and then go to step 7.
   In the result pane, the object you want the upgrade to ignore should now be listed with the Ignore property listed under both the permission and audit columns. Right-click the name of the template, and then click Save.
7. Copy the modified template back to the distribution share. If you had to uncompress the file recompact the file before copying back to the distribution share:
   F:\WINNT\security\templates>compress dwup.inf dwup.in_
Microsoft (R) File Compression Utility Version 5.00.2134.1
Copyright (C) Microsoft Corp. 1990-1999. All rights reserved.

Compressing dwup.inf to dwup.in_.
dwup.inf: 251177 bytes compressed to 46002 bytes, 82% savings.

http//www.softheap.com