Modifying Account Policies in the Default Domain GPO

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Account policies include password policy, account lockout policy, and Kerberos policy. Although they affect user accounts, account policies are defined on computers. In Windows Server 2003 and Windows 2000, there is only one set of account policies for each domain, and these policies are defined at the domain level.

The account policies for the domain affect all users who log on to the domain, regardless of any other account policies that are defined in a linked GPO. However, if a user logs on to a member computer by using a local computer account, the user is subject to the usual order of precedence as described in "Designing Security Settings" earlier in this chapter. Domain controllers do not have local accounts and always receive account policies from the domain.

If you want to modify the account policies at the domain level, it is recommended that you modify the default domain GPO. The account policies for domains include the following:

  • Password policy settings for domains. The most common way to authenticate a user's identity is by using a password. After a user has been identified and authenticated, the user can perform any task or access any resource for which he or she is authorized. Strong passwords generally enhance security for users. Using strong passwords helps prevent an unauthorized user from guessing a weak password (also known as cracking) and acquiring the credentials of the compromised user account (also known as spoofing). This is especially important for administrative accounts, because an unauthorized user who obtains administrative credentials gains elevated privileges. For more information, see "Strong passwords" in Help and Support Center for Windows Server 2003.

  • Account lockout policy settings for domains. Repeated unsuccessful password attempts during logon might represent an attacker's attempt to determine an account password by trial and error. Windows Server 2003 and Windows 2000 track the number of failed logon attempts, and they can be configured to respond to this type of attack by disabling the account for a preset period of time. This is known as an account lockout.

  • Kerberos policy settings for domains. The Kerberos V5 authentication protocol provides the default mechanism for authentication services and for the authorization data that a user needs to gain access to a resource and perform a task on it. By reducing the lifetime of Kerberos authentication tickets, you reduce the window in which a legitimate user's stolen credentials can be used by an attacker. However, authorization overhead increases, because tickets must be requested or renewed more often.

In addition, there are five Security Option settings that behave in the same way as account policies. These are:

  • Network Security: Force logoff when logon hours expire

  • Accounts: Administrator account status

  • Accounts: Guest account status

  • Accounts: Rename administrator account

  • Accounts: Rename guest account

For more information about the individual account policies, see "Account Policies" in Help and Support Center for Windows Server 2003.
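As an added example (not part of this article and not Microsoft code), the Python script below parses the [System Access] and [Kerberos Policy] sections of a GptTmpl.inf security template, which is where the default domain GPO stores the password, lockout and Kerberos policy settings and the account-related Security Option settings listed above, and reports values that fall below a baseline. The sample template and the baseline thresholds are constructed for this example; a real template is read from SYSVOL as UTF-16 text.

```python
import configparser

# Constructed sample modelled on a Default Domain Policy GptTmpl.inf, with
# deliberately weak values. Not a real domain's settings.
SAMPLE_GPTTMPL = """\
[System Access]
MaximumPasswordAge = 0
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 1
ForceLogoffWhenHourExpire = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
"""

# Example baseline (an assumption for this script, not a Microsoft default):
# (section, key, predicate on the parsed value, requirement text).
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: int(v) >= 8, ">= 8 characters"),
    ("System Access", "PasswordComplexity", lambda v: v == "1", "enabled (1)"),
    ("System Access", "PasswordHistorySize", lambda v: int(v) >= 24, ">= 24 remembered"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= int(v) <= 90, "1..90 days (0 = never expires)"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= int(v) <= 10, "1..10 attempts (0 = lockout disabled)"),
    ("System Access", "EnableGuestAccount", lambda v: v == "0", "Guest account disabled (0)"),
    ("System Access", "NewAdministratorName", lambda v: v != "Administrator", "renamed from Administrator"),
    ("System Access", "ForceLogoffWhenHourExpire", lambda v: v == "1", "force logoff enabled (1)"),
    ("Kerberos Policy", "MaxTicketAge", lambda v: int(v) <= 10, "<= 10 hours"),
    ("Kerberos Policy", "MaxRenewAge", lambda v: int(v) <= 7, "<= 7 days"),
]


def parse_template(text):
    """Parse GptTmpl.inf text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep MinimumPasswordLength etc. exactly as written
    cp.read_string(text)
    # string values in the file are quoted ("Administrator"); drop the quotes
    return {s: {k: v.strip().strip('"') for k, v in cp.items(s)} for s in cp.sections()}


def check_policy(settings, baseline=BASELINE):
    """Return (section, key, actual, requirement) for each missing or failing setting."""
    findings = []
    for section, key, ok, requirement in baseline:
        value = settings.get(section, {}).get(key)
        if value is None or not ok(value):
            findings.append((section, key, value, requirement))
    return findings
```

To audit a real domain, read the template from its SYSVOL location with `open(path, encoding="utf-16")` and pass the text to `parse_template`; a missing key is reported as a finding because the template then does not define that setting at all.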