Predefined Policies

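Policy: each category heading below groups related settings.

Usage: each setting is listed as the policy name followed by the value type it takes.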

Password Policy

name: "Enforce password history"

value: POLICY_DWORD

 

name: "Maximum password age"

value: TIME_DAY

 

name: "Minimum password age"

value: TIME_DAY

 

name: "Minimum password length"

value: POLICY_DWORD

 

name: "Password must meet complexity requirements"

value: POLICY_SET

Account Lockout Policy

name: "Account lockout duration"

value: TIME_MINUTE

or (alternative value type for the same policy)

name: "Account lockout duration"

value: TIME_SECOND

 

name: "Account lockout threshold"

value: POLICY_DWORD

 

name: "Reset lockout account counter after"

value: TIME_MINUTE

 

Kerberos Policy

name: "Enforce user logon restrictions"

value: POLICY_SET

 

name: "Maximum lifetime for service ticket"

value: TIME_MINUTE

 

name: "Maximum lifetime for user ticket"

value: TIME_HOUR

 

name: "Maximum lifetime for user renewal ticket"

value: TIME_DAY

 

name: "Maximum tolerance for computer clock synchronization"

value: TIME_MINUTE

Audit Policy

name: "Audit account logon events"

value: AUDIT_SET

 

name: "Audit account management"

value: AUDIT_SET

 

name: "Audit directory service access"

value: AUDIT_SET

 

name: "Audit logon events"

value: AUDIT_SET

 

name: "Audit object access"

value: AUDIT_SET

 

name: "Audit policy change"

value: AUDIT_SET

 

name: "Audit privilege use"

value: AUDIT_SET

 

name: "Audit process tracking"

value: AUDIT_SET

 

name: "Audit system events"

value: AUDIT_SET

Accounts

name: "Accounts: Administrator account status"

value: POLICY_SET

 

name: "Accounts: Guest account status"

value: POLICY_SET

 

name: "Accounts: Limit local account use of blank password to console logon only"

value: POLICY_SET

 

name: "Accounts: Rename administrator account"

value: POLICY_TEXT

 

name: "Accounts: Rename guest account"

value: POLICY_TEXT

Audit

name: "Audit: Audit the access of global system objects"

value: POLICY_SET

 

name: "Audit: Audit the use of Backup and Restore privilege"

value: POLICY_SET

 

name: "Audit: Shut down system immediately if unable to log security audits"

value: POLICY_SET

DCOM

name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"

value: POLICY_TEXT

 

name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"

value: POLICY_TEXT

Devices

name: "Devices: Allow undock without having to log on"

value: POLICY_SET

 

name: "Devices: Allowed to format and eject removable media"

value: DASD_SET

 

name: "Devices: Prevent users from installing printer drivers"

value: POLICY_SET

 

name: "Devices: Restrict CD-ROM access to locally logged-on user only"

value: POLICY_SET

 

name: "Devices: Restrict floppy access to locally logged-on user only"

value: POLICY_SET

 

name: "Devices: Unsigned driver installation behavior"

value: DRIVER_SET

Domain Controller

name: "Domain controller: Allow server operators to schedule tasks"

value: POLICY_SET

 

name: "Domain controller: LDAP server signing requirements"

value: LDAP_SET

 

name: "Domain controller: Refuse machine account password changes"

value: POLICY_SET

Domain Member

name: "Domain member: Digitally encrypt or sign secure channel data (always)"

value: POLICY_SET

 

name: "Domain member: Digitally encrypt secure channel data (when possible)"

value: POLICY_SET

 

name: "Domain member: Digitally sign secure channel data (when possible)"

value: POLICY_SET

 

name: "Domain member: Disable machine account password changes"

value: POLICY_SET

 

name: "Domain member: Maximum machine account password age"

value: POLICY_DAY

 

name: "Domain member: Require strong (Windows 2000 or later) session key"

value: POLICY_SET

Interactive Logon

name: "Interactive logon: Display user information when the session is locked"

value: LOCKEDID_SET

 

name: "Interactive logon: Do not display last user name"

value: POLICY_SET

 

name: "Interactive logon: Do not require CTRL+ALT+DEL"

value: POLICY_SET

 

name: "Interactive logon: Message text for users attempting to log on"

value: POLICY_TEXT

 

name: "Interactive logon: Message title for users attempting to log on"

value: POLICY_TEXT

 

name: "Interactive logon: Number of previous log-ons to cache (in case domain controller is not available)"

value: POLICY_DWORD

 

name: "Interactive logon: Prompt user to change password before expiration"

value: POLICY_DWORD

 

name: "Interactive logon: Require Domain Controller authentication to unlock workstation"

value: POLICY_SET

 

name: "Interactive logon: Require smart card"

value: POLICY_SET

 

name: "Interactive logon: Smart card removal behavior"

value: SMARTCARD_SET

Microsoft Network Client

name: "Microsoft network client: Digitally sign communications (always)"

value: POLICY_SET

 

name: "Microsoft network client: Digitally sign communications (if server agrees)"

value: POLICY_SET

 

name: "Microsoft network client: Send unencrypted password to third-party SMB servers"

value: POLICY_SET

Microsoft Network Server

name: "Microsoft network server: Amount of idle time required before suspending session"

value: POLICY_DWORD

 

name: "Microsoft network server: Digitally sign communications (always)"

value: POLICY_SET

 

name: "Microsoft network server: Digitally sign communications (if client agrees)"

value: POLICY_SET

 

name: "Microsoft network server: Disconnect clients when logon hours expire"

value: POLICY_SET

Network Access

name: "Network access: Allow anonymous SID/Name translation"

value: POLICY_SET

 

name: "Network access: Do not allow anonymous enumeration of SAM accounts"

value: POLICY_SET

 

name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares"

value: POLICY_SET

 

name: "Network access: Do not allow storage of credentials or .NET Passports for network authentication"

value: POLICY_SET

 

name: "Network access: Let Everyone permissions apply to anonymous users"

value: POLICY_SET

 

name: "Network access: Named Pipes that can be accessed anonymously"

value: POLICY_MULTI_TEXT

 

name: "Network access: Remotely accessible registry paths and sub-paths"

value: POLICY_MULTI_TEXT

 

name: "Network access: Remotely accessible registry paths"

value: POLICY_MULTI_TEXT

 

name: "Network access: Restrict anonymous access to Named Pipes and Shares"

value: POLICY_SET

 

name: "Network access: Shares that can be accessed anonymously"

value: POLICY_MULTI_TEXT

 

name: "Network access: Sharing and security model for local accounts"

value: LOCALACCOUNT_SET

Network Security

name: "Network security: Do not store LAN Manager hash value on next password change"

value: POLICY_SET

 

name: "Network security: Force log off when logon hours expire"

value: POLICY_SET

 

name: "Network security: LAN Manager authentication level"

value: LANMAN_SET

 

name: "Network security: LDAP client signing requirements"

value: LDAPCLIENT_SET

 

name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"

value: NTLMSSP_SET

 

name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"

value: NTLMSSP_SET

Recovery Console

name: "Recovery console: Allow automatic administrative logon"

value: POLICY_SET

 

name: "Recovery console: Allow floppy copy and access to all drives and all folders"

value: POLICY_SET

Shutdown

name: "Shutdown: Allow system to be shut down without having to log on"

value: POLICY_SET

 

name: "Shutdown: Clear virtual memory pagefile"

value: POLICY_SET

System Cryptography

name: "System cryptography: Force strong key protection for user keys stored on the computer"

value: CRYPTO_SET

 

name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

value: POLICY_SET

System Objects

name: "System objects: Default owner for objects created by members of the Administrators group"

value: OBJECT_SET

 

name: "System objects: Require case insensitivity for non-Windows subsystems"

value: POLICY_SET

 

name: "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"

value: POLICY_SET

System Settings

name: "System settings: Optional subsystems"

value: POLICY_MULTI_TEXT

 

name: "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies"

value: POLICY_SET

Event Log

name: "Maximum application log size"

value: POLICY_KBYTE

 

name: "Maximum security log size"

value: POLICY_KBYTE

 

name: "Maximum system log size"

value: POLICY_KBYTE

 

name: "Prevent local guests group from accessing application log"

value: POLICY_SET

 

name: "Prevent local guests group from accessing security log"

value: POLICY_SET

 

name: "Prevent local guests group from accessing system log"

value: POLICY_SET

 

name: "Retain application log"

value: POLICY_DAY

 

name: "Retain security log"

value: POLICY_DAY

 

name: "Retain system log"

value: POLICY_DAY

 

name: "Retention method for application log"

value: EVENT_METHOD

 

name: "Retention method for security log"

value: EVENT_METHOD

 

name: "Retention method for system log"

value: EVENT_METHOD