Help for Windows NT 4.0 Administrators
This section provides information to help administrators who have been using User Manager to configure security policies in the past move to the new model of Group Policy for editing and configuring security policies.
Changing Password Policy for the Domain
To change password policy for the domain, open the Default Domain GPO from the Administrative Tools menu:
Click Start, point to Programs, click Administrative Tools, and then click Domain Security Policy.
In the Domain Security Policy console, expand Security Settings, expand Account Policies, expand Password Policy, and then select the policy you want to modify in the results pane. You can then make changes.
Changing Auditing Policy or User Rights for Domain Controllers
To change the Audit policies or User Rights defined for domain controllers, open the Default Domain Controllers GPO from the Administrative Tools menu:
Click Start, point to Programs, click Administrative Tools, and then click Domain Controller Security Policy.
In the Domain Controller Security Policy console, expand Security Settings, expand Local Policies, click either Audit Policy or User Rights Assignment, and then select the policy you want to modify in the results pane.
Changing local Password Policy on member Workstations or Servers (Non-Domain Controllers)
Because the Default Domain Policy GPO applies to all computers in the domain and because domain-level policies override local policy settings, member workstations and servers apply the Default Domain password policy settings to their local account databases by default. If this does not meet your requirements, then the permissions on the Default Domain GPO have to be reconfigured so that member computers that you do not want to receive this policy do not have the Apply Group Policy permission on the Default Domain GPO. After the permissions are configured so that the member computer does not have access to the default domain policy, local policy settings will no longer be overridden by the password policy settings defined in the Default Domain GPO.
To modify Local Password Policy security settings using the Local Security Policy UI:
Click Start, point to Programs, click Administrative Tools, and then click Local Security Policy.
In the Local Security Settings console, expand Security Settings, expand Account Policies, click Password Policy, and then select in the results pane the policy you want to edit.
Frequently Asked Questions about Security Settings
Is it possible to define different account policies (Password, Lockout, or Kerberos Policies) for different OUs?
No. All domain controllers for a domain enforce the account policies that are defined in the Default Domain Policy. Domain controllers ignore password, lockout, or Kerberos policies defined at an OU or LGPO level.
After modifying a local security setting, the change does not take effect. What is happening?
The Group Policy model specifies that any policies configured locally may be overridden by the equivalent policies specified in the domain. The Local Security Settings UI lists both the local security setting and the effective security setting for each policy item. (You can access the Local Security Settings UI by clicking Start, pointing to Programs, clicking Administrative Tools, and selecting Local Security Policy.) If the effective security setting differs from the local security setting, a policy from the domain is overriding your setting.
After modifying a domain-level-policy security setting, the change does not take effect. What is happening?
The Group Policy model applies domain-level policy changes periodically; therefore, it is likely that the policy changes made in the directory have not been made to your computer yet. To trigger a policy propagation on a local computer, type the following at the command line:
secedit /refreshpolicy MACHINE_POLICY
This will cause any changes made to domain-level policies to be applied to the local computer. To force domain-level policies to be reapplied regardless of whether they have changed, type the following at the command line:
secedit /refreshpolicy MACHINE_POLICY /enforce
You can determine whether or not security was applied successfully by viewing the Application Event Log. If an error occurred during the process of applying security policy, you can get detailed information by setting the following REG_DWORD to 0x02:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ExtensionDebugLevel
When this value is set, the Security Configuration Engine (SCE) will log policy-processing information in the Winlogon.log file at %windir%\Security\Logs\Winlogon.log.
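As an added example (not part of the Microsoft document), the troubleshooting steps above as one PowerShell script: it enables the SCE debug log, forces the refresh with the Windows 2000 secedit syntax shown, and then pulls the relevant entries. It assumes the registry and log paths given above, a Windows 2000-era secedit (later Windows versions refresh policy with gpupdate instead), and that the engine's Application log source is named SceCli.

```powershell
# Added example, not from the original document. Assumes the Windows 2000 paths and
# secedit syntax shown on this page; the SceCli event source name is an assumption.
$gpExtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$winlogonLog = Join-Path $env:windir 'Security\Logs\Winlogon.log'

# Step 1: enable SCE policy-processing logging (REG_DWORD ExtensionDebugLevel = 0x02).
Set-ItemProperty -Path $gpExtKey -Name 'ExtensionDebugLevel' -Value 2 -Type DWord

# Step 2: force machine policy to be reapplied even if nothing changed in the directory.
secedit /refreshpolicy MACHINE_POLICY /enforce

# Policy refresh is asynchronous: give the engine time to run before reading results.
Start-Sleep -Seconds 30

# Step 3: the engine reports success or failure to the Application log.
# (Assumption: the source name is SceCli.)
Get-EventLog -LogName Application -Source 'SceCli' -Newest 5 |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-List

# Step 4: when an error was reported, Winlogon.log carries the detail. Show only the
# lines that mention an error or failure so they are not lost in the routine output.
if (Test-Path $winlogonLog) {
    Select-String -Path $winlogonLog -Pattern 'error|fail' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}
else {
    Write-Warning "No $winlogonLog yet; the refresh may not have run."
}

# Step 5: remove the debug setting again so the log does not keep growing.
Remove-ItemProperty -Path $gpExtKey -Name 'ExtensionDebugLevel' -ErrorAction SilentlyContinue
```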
What is the Add Workstation to Domain Logon right, and how does it relate to delegating similar permissions on the directory?
The Add Workstation to Domain user right is supported for applications that use downlevel SAM (Security Accounts Manager) NET APIs to create computer accounts. Users that have this right are allowed to create 10 computer accounts in the Active Directory Computers container using these down-level APIs. When a user creates a computer account using this user right, the Domain Administrators group becomes the owner of the computer object. Note that this right is not recognized when LDAP is used to create computer accounts.
In Windows 2000, the recommended way to allow a user or group to create computer accounts is by granting that user or group the permission to Create Computer Objects on the desired container. This can be accomplished in the Active Directory Users and Computers snap-in via the Delegation Wizard or through the Security tab on the Properties page of the container. When a computer account is created using access control permissions, the actual creator of the object becomes the owner of that object.
Note: The create-computer-object permission should not be granted indiscriminately. Allowing users to create computers in the domain is similar to allowing users to create user accounts in the domain. Unlike Windows NT 4.0, Windows 2000 computer objects can be used to do network authentication and, hence, to access resources over the network. Users that have access permissions to create computer objects are also not subject to any quota restrictions. That is, they can create any number of computer accounts.
The best security practice would be to grant only trusted users (by using a group) the permission to create computer objects. At the time the computer object is created, the creator can define which users are allowed to use that computer object to join their physical computer to the domain.
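As an added example (not from the Microsoft document), the following PowerShell performs the delegation described above from the command line, scoped to one OU and to a group rather than an individual, and then audits which principals can create computer objects anywhere in the domain, which is the check the warning above calls for. It assumes the ActiveDirectory module (for the AD: drive and Get-AD* cmdlets) and dsacls.exe are available; the OU and group names are placeholders.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory
# PowerShell module. The OU and group names below are constructed placeholders.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class: an ACE whose ObjectType is this GUID grants the
# right for computer objects only, while an empty ObjectType means "any child object".
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Get-ComputerCreators {
    # Lists every Allow ACE on the given containers that permits creating computer
    # objects, so unexpected or overly broad delegations stand out.
    param([string[]]$ContainerDN)
    foreach ($dn in $ContainerDN) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            $grantsCreate    = ($ace.ActiveDirectoryRights -band $createChild) -eq $createChild
            $coversComputers = ($ace.ObjectType -eq [Guid]::Empty) -or ($ace.ObjectType -eq $computerClassGuid)
            if ($ace.AccessControlType -eq 'Allow' -and $grantsCreate -and $coversComputers) {
                $scope = if ($ace.ObjectType -eq [Guid]::Empty) { 'any object class' } else { 'computer only' }
                [pscustomobject]@{
                    Container = $dn
                    Principal = $ace.IdentityReference.Value
                    Scope     = $scope
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Delegate "Create Computer Objects" to a group on one OU only.
# CC = create child; "computer" limits the right to that object class.
$joinersGroup  = 'EXAMPLE\Workstation-Joiners'         # placeholder group
$workstationOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
dsacls $workstationOU /G "$($joinersGroup):CC;computer"

# Review the result across the default Computers container and every OU.
$domainDN   = (Get-ADDomain).DistinguishedName
$containers = @("CN=Computers,$domainDN") +
              (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
Get-ComputerCreators -ContainerDN $containers | Sort-Object Container, Principal | Format-Table -AutoSize

# The per-user limit behind the "10 computer accounts" of the Add Workstation to Domain
# right is stored on the domain object; show it alongside the delegation review.
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```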
For more information on security, see the following:
The Security white papers in the Windows 2000 Technical Library Web site (at http://www.microsoft.com/windows2000/library/howitworks/default.asp)
The Planning Distributed Security section of the Windows 2000 Server Resource Kit Deployment Planning Guide at http://www.microsoft.com/windows2000/library/resources/reskit/dpg/default.asp
Windows 2000 Server online Help at http://windows.microsoft.com/windows2000/en/server/help.
Appendix B: Group Policy Settings for Internet Explorer
This section lists the Group Policy settings available for Internet Explorer Maintenance.
Specifying Policy Settings for Internet Explorer Maintenance
The following table lists the available policy settings for Internet Explorer Maintenance under User Configuration\Windows Settings.
Policy settings under User Configuration\Windows Settings\Internet Explorer Maintenance | Description

\Browser User Interface
Browser Title | Used to customize the text that appears in the title bar of the Internet Explorer Web browser and Outlook Express. The text that you type will be added after the text "Microsoft Internet Explorer Provided by" or "Outlook Express Provided by."
Animated Bitmaps | Used to customize the logo in the upper right corner of Internet Explorer. The logo appears in two states: animated when the browser is in use, and static when no action is taking place.
Custom Logo | Used to customize the Internet Explorer static logo. This bitmap appears when no action is taking place in the browser. To use a custom static logo, you must provide two bitmaps; one should be 22-by-22 pixels and the other 38-by-38 pixels.
Browser Toolbar Buttons | Used to customize the toolbar buttons in the user's browser. You can specify the script or program that the buttons launch, as well as their appearance.

\Connection
Connection Settings | Used to preset connection settings for users by importing the connection settings from your computer (the administrator's).
Automatic Browser Configuration | Used to assign URLs to files that will automatically configure Internet Explorer. This feature is useful if you want to control the settings of several users from one central location. You can configure options by using .ins files, also known as IEAK profiles. Using .ins files, you can include standard proxy settings. You can also specify script files in .js, .jvs, or .pac format that enable you to configure and maintain advanced proxy settings.
Proxy Settings | Used to specify which proxy servers users can connect to.
User Agent String | A user agent string provides information to the Web server about the user's Web browser, so site statistics such as how many times, and by which types of Web browsers, content is accessed can be tracked. You can use this policy setting to customize a portion of the user agent string.

\URLs
Favorites and Links | Used to customize the Favorites folder and Links bar in Internet Explorer by adding links to sites related to your company or services.
Important URLs | Used to specify URLs for the home, search, and online support pages for Internet Explorer.
Channels | Used to add a custom channel or channel category (folder) to Internet Explorer.

\Security
Security Zones and Content Ratings | Used to manage security zones and content ratings for Internet Explorer. You can customize the settings for each security zone. Through content ratings, you can prevent users from viewing content that may be considered offensive.
Authenticode Settings | Authenticode® technology can be used to help manage Internet Explorer security. Authenticode is used to designate software publishers and credentials agencies as trustworthy.

\Programs
Programs | Used to import the administrator's default program settings, such as which programs are the default for e-mail and for editing HTML files. These settings are located on the Programs tab of the Internet Options dialog box.
Specifying Policy Settings for Internet Explorer
The following table lists the policy settings available for Internet Explorer under Computer Configuration\Administrative Templates\Windows Components.
Policy setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Description
Security Zones: Use only machine settings | Applies security zone settings to all users of the same computer. Security zones are groups of Web sites with the same level of security.
Security Zones: Do not allow users to change policies | Prevents users from changing security zone settings.
Security Zones: Do not allow users to add/delete sites | Prevents users from adding or removing sites from security zones. The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) removes the Security tab from the interface, and takes precedence over this policy. If Disable the Security page is enabled, this policy is ignored.
Make proxy settings per-machine (rather than per-user) | Applies proxy settings to all users of the same computer.
Disable Automatic Install of Internet Explorer components | Prevents Internet Explorer from automatically installing components.
Disable Periodic Check for Internet Explorer software updates | Prevents Internet Explorer from determining if a new version of the browser is available.
Disable software update shell notifications on program launch | Specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new components. The Software Distribution Channel is a means of updating software dynamically on users' computers by using Open Software Distribution (.osd) technologies.
Disable showing the splash screen | Prevents the Internet Explorer splash screen from appearing when users start the browser.

The following table lists the policy settings available for Internet Explorer under User Configuration\Administrative Templates\Windows Components.
Policy setting under User Configuration\Administrative Templates\Windows Components\Internet Explorer | Description
Search: Disable Search Customization | Makes the Customize button in the Search Assistant page appear dimmed.
Search: Disable Find Files via F3 within the browser | Disables use of the F3 key to search in Internet Explorer and Windows Explorer.
Disable external branding of Internet Explorer | Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Express logos and title bars, by a third party.
Disable importing and exporting of favorites | Prevents users from exporting or importing favorite links by using the Import/Export wizard.
Disable changing Advanced page settings | Prevents users from changing settings on the Advanced tab in the Internet Options dialog box.
Disable changing home page settings | Prevents users from changing the home page of the browser. The home page is the first page that is displayed when users start the browser.
Use Automatic Detection for dial-up connections | Specifies that Automatic Detection will be used to configure dial-up settings for users.
Disable caching of Auto-Proxy scripts | Prevents automatic proxy scripts, which interact with a server to automatically configure users' proxy settings, from being stored in the users' cache.
Display error message on proxy script download failure | Specifies that error messages be displayed if problems occur with the proxy script.
Disable changing Temporary Internet files settings | Prevents users from changing the browser cache settings, such as the location and amount of disk space to use for the Temporary Internet Files folder.
Disable changing history settings | Prevents users from changing the history settings for the browser.
Disable changing color settings | Prevents users from changing the default Web page colors.
Disable changing link color settings | Prevents users from changing the colors of links on Web pages.
Disable changing font settings | Prevents users from changing font settings.
Disable changing language settings | Prevents users from changing settings for language.
Disable changing accessibility settings | Prevents users from changing accessibility settings.
Disable Internet Connection wizard | Prevents users from running the Internet Connection wizard.
Disable changing connection settings | Prevents users from changing settings for dial-up connections.
Disable changing proxy settings | Prevents users from changing proxy settings.
Disable changing Automatic Configuration settings | Prevents users from changing settings for automatic configuration, a process that administrators can use to update browser settings periodically.
Disable changing ratings settings | Prevents users from changing ratings, which help control the type of Internet content that can be viewed.
Disable changing certificate settings | Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software publishers.
Disable changing Profile Assistant settings | Prevents users from changing settings for the Profile Assistant. (The My Profile button is accessed by clicking Internet Options on the Tools menu, and then clicking the Content tab in the Internet Options dialog box.)
Disable AutoComplete for forms | Prevents Internet Explorer from automatically completing forms, such as filling in a name or a password that the user has entered previously on a Web page.
Do not allow AutoComplete to save passwords | Disables automatic completion of user names and passwords in forms on Web pages, and prevents users from being prompted to save passwords.
Disable changing Messaging settings | Prevents users from changing the default programs for messaging tasks.
Disable changing Calendar and Contact settings | Prevents users from changing the default programs for managing schedules and contacts.
Disable the Reset Web Settings feature | Prevents users from restoring default settings for home and search pages.
Disable changing default browser check | Prevents Internet Explorer from checking to determine if it is the default browser.
Identity Manager: Prevent users from using Identities | Prevents users from configuring unique identities by using Identity Manager, which enables users to create multiple accounts, such as e-mail accounts, on the same computer. Each user has a unique identity, with a different password and different program preferences.

\Internet Control Panel
Disable the General page | Removes the General tab from the interface in the Internet Options dialog box.
Disable the Security page | Removes the Security tab from the interface in the Internet Options dialog box.
Disable the Content page | Removes the Content tab from the interface in the Internet Options dialog box.
Disable the Connections page | Removes the Connections tab from the interface in the Internet Options dialog box.
Disable the Programs page | Removes the Programs tab from the interface in the Internet Options dialog box.
Disable the Advanced page | Removes the Advanced tab from the interface in the Internet Options dialog box.

\Offline Pages
Disable adding channels | Prevents users from adding channels to Internet Explorer.
Disable removing channels | Prevents users from disabling channel synchronization in Internet Explorer.
Disable adding schedules for offline pages | Prevents users from specifying that Web pages can be downloaded for viewing offline. Making Web pages available for offline viewing allows users to view the Web pages' content when their computer is not connected to the Internet.
Disable editing schedules for offline pages | Prevents users from editing an existing schedule for downloading Web pages for offline viewing.
Disable removing schedules for offline pages | Prevents users from clearing the pre-configured settings for Web pages to be downloaded for offline viewing.
Disable offline page hit logging | Prevents channel providers from recording information about when their channel pages are viewed by users who are working offline.
Disable all scheduled offline pages | Disables existing schedules for downloading Web pages for offline viewing.
Disable channel user interface completely | Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically updated on the users' computers according to a schedule specified by the channel provider.
Disable downloading of site subscription content | Prevents content from being downloaded from Web sites to which users have subscribed.
Disable editing and creating of schedule groups | Prevents users from adding, editing, or removing schedules for offline viewing of Web pages and groups of Web pages to which users have subscribed.
Subscription Limits | Restricts the amount of information downloaded for offline viewing. You can set limits for the size and number of pages that users can download.

\Browser menus
File menu: Disable Save As… menu option | Prevents users from saving Web pages from the browser File menu to their hard disk or to a network share.
File menu: Disable New menu option | Prevents users from opening a new browser window from the File menu.
File menu: Disable Open menu option | Prevents users from opening a file or Web page from the File menu in Internet Explorer.
File menu: Disable Save As Web Page Complete | Prevents users from saving the entire contents that are displayed on or run from a Web page, including the graphics, scripts, linked files, and other elements. It does not prevent users from saving the text of a Web page.
File menu: Disable closing the browser and Explorer windows | Prevents users from closing Internet Explorer and Windows Explorer.
View menu: Disable Source menu option | Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu.
View menu: Disable Full Screen menu option | Prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar.
Hide Favorites menu | Prevents users from adding, removing, or editing the list of Favorite links.
Tools menu: Disable Internet Options… menu option | Prevents users from opening the Internet Options dialog box from the Tools menu in Internet Explorer.
Help menu: Remove 'Tip of the Day' menu option | Prevents users from viewing or changing the Tip of the Day interface in Internet Explorer.
Help menu: Remove 'For Netscape Users' menu option | Prevents users from displaying tips for users who are switching from Netscape.
Help menu: Remove 'Tour' menu option | Prevents users from running the Internet Explorer Tour option from the Help menu in Internet Explorer.
Help menu: Remove 'Send Feedback' menu option | Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu.
Disable Context menu | Prevents the shortcut menu from appearing when users click the right mouse button while using the browser.
\Browser
Disable Open in New Window menu option | Prevents users from using the shortcut menu to open a link in a new browser window; users cannot point to a link, right-click, and select the Open in New Window command.
Disable Save this program to disk option | Prevents users from saving a program or file that Internet Explorer has downloaded to the hard disk.

\Toolbars
Disable customizing browser toolbar buttons | Prevents users from specifying which buttons appear on the Internet Explorer and Windows Explorer standard toolbars.
Disable customizing browser toolbars | Prevents users from specifying which toolbars are displayed in Internet Explorer and Windows Explorer.
Configure Toolbar Buttons | Used to specify which buttons are displayed on the standard toolbar in Internet Explorer.

\Persistence Behavior
File size limits for Local Machine zone | Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Computer security zone.
File size limits for Intranet zone | Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Intranet security zone.
File size limits for Trusted Sites zone | Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Trusted Sites security zone.
File size limits for Internet zone | Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Internet security zone.
File size limits for Restricted Sites zone | Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Restricted Sites security zone.

\Administrator Approved Controls
Media Player | Designates the Media Player ActiveX control as administrator approved. Media Player is used to play sounds, videos, and other media.
Menu Controls | Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator approved.
Microsoft Agent | Designates the Microsoft Agent ActiveX control as administrator approved. Microsoft Agent is a set of software services that supports the presentation of software agents as interactive personalities within the Microsoft Windows interface.
Microsoft Chat | Designates the Microsoft Chat ActiveX control as administrator approved. Web authors use this control to build text- and graphical-based Chat communities for real-time conversations on the Web.
Microsoft Survey Control |
Shockwave Flash |
NetShow File Transfer Control |
DHTML Edit Control |
Microsoft Scriptlet Component |
Carpoint | Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator approved. This control enables pricing functionality on the Carpoint Web site, where users can shop for and obtain information about vehicles.
Investor | Designates a set of Microsoft Network (MSN) Investor controls as administrator approved. These controls allow users to view updated lists of stocks on their Web pages.
MSNBC | Designates a set of MSNBC controls as administrator approved. These controls enable enhanced browsing of news reports on the MSNBC Web site.