Predefined Policies
Policy | Usage |
---|---|
Password Policy |
name: "Enforce password history" value: POLICY_DWORD
name: "Maximum password age" value: TIME_DAY
name: "Minimum password age" value: TIME_DAY
name: "Minimum password length" value: POLICY_DWORD
name: "Password must meet complexity requirements" value: POLICY_SET |
Account Lockout Policy |
name: "Account lockout duration" value: TIME_MINUTE or name: "Account lockout duration" value: TIME_SECOND
name: "Account lockout threshold" value: POLICY_DWORD
name: "Reset lockout account counter after" value: TIME_MINUTE
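name: "Enforce user logon restrictions" value: POLICY_SET (note: in the Windows security policy editor this setting is listed under Kerberos Policy, not Account Lockout Policy) |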
Kerberos Policy |
name: "Maximum lifetime for service ticket" value: TIME_MINUTE
name: "Maximum lifetime for user ticket" value: TIME_HOUR
name: "Maximum lifetime for user renewal ticket" value: TIME_DAY
name: "Maximum tolerance for computer clock synchronization" value: TIME_MINUTE |
Audit Policy |
name: "Audit account logon events" value: AUDIT_SET
name: "Audit account management" value: AUDIT_SET
name: "Audit directory service access" value: AUDIT_SET
name: "Audit logon events" value: AUDIT_SET
name: "Audit object access" value: AUDIT_SET
name: "Audit policy change" value: AUDIT_SET
name: "Audit privilege use" value: AUDIT_SET
name: "Audit process tracking" value: AUDIT_SET
name: "Audit system events" value: AUDIT_SET |
Accounts |
name: "Accounts: Administrator account status" value: POLICY_SET
name: "Accounts: Guest account status" value: POLICY_SET
name: "Accounts: Limit local account use of blank password to console logon only" value: POLICY_SET
name: "Accounts: Rename administrator account" value: POLICY_TEXT
name: "Accounts: Rename guest account" value: POLICY_TEXT |
Audit |
name: "Audit: Audit the access of global system objects" value: POLICY_SET
name: "Audit: Audit the use of Backup and Restore privilege" value: POLICY_SET
name: "Audit: Shut down system immediately if unable to log security audits" value: POLICY_SET |
DCOM |
name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" value: POLICY_TEXT
name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" value: POLICY_TEXT |
Devices |
name: "Devices: Allow undock without having to log on" value: POLICY_SET
name: "Devices: Allowed to format and eject removable media" value: DASD_SET
name: "Devices: Prevent users from installing printer drivers" value: POLICY_SET
name: "Devices: Restrict CD-ROM access to locally logged-on user only" value: POLICY_SET
name: "Devices: Restrict floppy access to locally logged-on user only" value: POLICY_SET
name: "Devices: Unsigned driver installation behavior" value: DRIVER_SET |
Domain Controller |
name: "Domain controller: Allow server operators to schedule tasks" value: POLICY_SET
name: "Domain controller: LDAP server signing requirements" value: LDAP_SET
name: "Domain controller: Refuse machine account password changes" value: POLICY_SET |
Domain Member |
name: "Domain member: Digitally encrypt or sign secure channel data (always)" value: POLICY_SET
name: "Domain member: Digitally encrypt secure channel data (when possible)" value: POLICY_SET
name: "Domain member: Digitally sign secure channel data (when possible)" value: POLICY_SET
name: "Domain member: Disable machine account password changes" value: POLICY_SET
name: "Domain member: Maximum machine account password age" value: POLICY_DAY
name: "Domain member: Require strong (Windows 2000 or later) session key" value: POLICY_SET |
Interactive Logon |
name: "Interactive logon: Display user information when the session is locked" value: LOCKEDID_SET
name: "Interactive logon: Do not display last user name" value: POLICY_SET
name: "Interactive logon: Do not require CTRL+ALT+DEL" value: POLICY_SET
name: "Interactive logon: Message text for users attempting to log on" value: POLICY_TEXT
name: "Interactive logon: Message title for users attempting to log on" value: POLICY_TEXT
name: "Interactive logon: Number of previous log-ons to cache (in case domain controller is not available)" value: POLICY_DWORD
name: "Interactive logon: Prompt user to change password before expiration" value: POLICY_DWORD
name: "Interactive logon: Require Domain Controller authentication to unlock workstation" value: POLICY_SET
name: "Interactive logon: Require smart card" value: POLICY_SET
name: "Interactive logon: Smart card removal behavior" value: SMARTCARD_SET |
Microsoft Network Client |
name: "Microsoft network client: Digitally sign communications (always)" value: POLICY_SET
name: "Microsoft network client: Digitally sign communications (if server agrees)" value: POLICY_SET
name: "Microsoft network client: Send unencrypted password to third-party SMB servers" value: POLICY_SET |
Microsoft Network Server |
name: "Microsoft network server: Amount of idle time required before suspending session" value: POLICY_DWORD
name: "Microsoft network server: Digitally sign communications (always)" value: POLICY_SET
name: "Microsoft network server: Digitally sign communications (if client agrees)" value: POLICY_SET
name: "Microsoft network server: Disconnect clients when logon hours expire" value: POLICY_SET |
Network Access |
name: "Network access: Allow anonymous SID/Name translation" value: POLICY_SET
name: "Network access: Do not allow anonymous enumeration of SAM accounts" value: POLICY_SET
name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" value: POLICY_SET
name: "Network access: Do not allow storage of credentials or .NET Passports for network authentication" value: POLICY_SET
name: "Network access: Let Everyone permissions apply to anonymous users" value: POLICY_SET
name: "Network access: Named Pipes that can be accessed anonymously" value: POLICY_MULTI_TEXT
name: "Network access: Remotely accessible registry paths and sub-paths" value: POLICY_MULTI_TEXT
name: "Network access: Remotely accessible registry paths" value: POLICY_MULTI_TEXT
name: "Network access: Restrict anonymous access to Named Pipes and Shares" value: POLICY_SET
name: "Network access: Shares that can be accessed anonymously" value: POLICY_MULTI_TEXT
name: "Network access: Sharing and security model for local accounts" value: LOCALACCOUNT_SET |
Network Security |
name: "Network security: Do not store LAN Manager hash value on next password change" value: POLICY_SET
name: "Network security: Force log off when logon hours expire" value: POLICY_SET
name: "Network security: LAN Manager authentication level" value: LANMAN_SET
name: "Network security: LDAP client signing requirements" value: LDAPCLIENT_SET
name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" value: NTLMSSP_SET
name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" value: NTLMSSP_SET |
Recovery Console |
name: "Recovery console: Allow automatic administrative logon" value: POLICY_SET
name: "Recovery console: Allow floppy copy and access to all drives and all folders" value: POLICY_SET |
Shutdown |
name: "Shutdown: Allow system to be shut down without having to log on" value: POLICY_SET
name: "Shutdown: Clear virtual memory pagefile" value: POLICY_SET |
System Cryptography |
name: "System cryptography: Force strong key protection for user keys stored on the computer" value: CRYPTO_SET
name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" value: POLICY_SET |
System Objects |
name: "System objects: Default owner for objects created by members of the Administrators group" value: OBJECT_SET
name: "System objects: Require case insensitivity for non-Windows subsystems" value: POLICY_SET
name: "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" value: POLICY_SET |
System Settings |
name: "System settings: Optional subsystems" value: POLICY_MULTI_TEXT
name: "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" value: POLICY_SET |
Event Log |
name: "Maximum application log size" value: POLICY_KBYTE
name: "Maximum security log size" value: POLICY_KBYTE
name: "Maximum system log size" value: POLICY_KBYTE
name: "Prevent local guests group from accessing application log" value: POLICY_SET
name: "Prevent local guests group from accessing security log" value: POLICY_SET
name: "Prevent local guests group from accessing system log" value: POLICY_SET
name: "Retain application log" value: POLICY_DAY
name: "Retain security log" value: POLICY_DAY
name: "Retain system log" value: POLICY_DAY
name: "Retention method for application log" value: EVENT_METHOD
name: "Retention method for security log" value: EVENT_METHOD
name: "Retention method for system log" value: EVENT_METHOD |