Applying Authentication Policies to Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can manage authentication in your organization by adding user, computer, and service accounts to groups and then applying authentication policies to those groups. For example, you can apply the following policies to groups, based on their function in the organization:

  • Log on locally

  • Access this computer from the network

  • Log on over network

  • Reset accounts

  • Create accounts

If you want to make a computer less accessible to others, including both legitimate users and attackers, you can use policies in the following ways to restrict access for less trusted groups (such as Anonymous):

  • Assign the Deny access to this computer from the network policy.

  • Assign the Deny logon locally policy.

  • Remove the Remove computer from docking station policy.

Other policies that you might assign or deny to users can also increase security or maximize flexibility, such as Deny logon as batch job or Log on as service. For more information about Group Policies that impact authentication, see "Deploying Security Policy" in Designing a Managed Environment of this kit.