Group Policy Settings Used in Windows Authentication

Updated: April 11, 2013

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This reference topic describes the use and impact of Group Policies in the authentication process.

You can manage authentication in Windows by adding user, computer, and service accounts to groups and then applying authentication policies to those groups. Authentication policies consist of:

  • Account policies, which include password, account lockout, and Kerberos policies.

  • Local policies, which are enforced through local security settings, include security options, user rights assignment, and audit policies.

For example, you can apply the following policies to groups, based on their function in the organization:

  • Log on locally, or to a domain

  • Log on over a network

  • Reset accounts

  • Create accounts

Account policy

Account policies affect computers running Windows in two ways. When applied to a local computer, account policies apply to the local account database that is stored on that computer. When applied to domain controllers, the account policies affect domain accounts for users logging on from Windows computers that are joined to that domain.

Domain-wide account policies are defined in the default domain Group Policy Object (GPO). All domain controllers pull the domain-wide account policy from the default domain GPO regardless of the organizational unit in which the domain controller exists, so an account policy linked to the Domain Controllers OU (or any other OU) does not change what is enforced for domain accounts. Thus, while there might be different local account policies for member computers in different organizational units, Group Policy cannot define different account policies for the accounts in a domain. The one exception is fine-grained password policy: at the Windows Server 2008 domain functional level, Password Settings Objects can apply different password and lockout settings to specific users and global security groups. They do not change Kerberos policy.

By default, all computers that are not domain controllers will also receive the default domain account policy for their local accounts. However, different account policies might be established for local accounts on computers that are not domain controllers by setting an account policy at the organizational unit level. Account policies for stand-alone computers can be set by using a local security policy.

Account policies contain three subsets:

  • Password policy

  • Account lockout policy

  • Kerberos policy

For more information about account policies as defined in Group Policy, see Account Policies.

Password policy

Password policies affect the characteristics and behavior of passwords. Password policies are used for domain accounts or local user accounts. They determine settings for passwords, such as minimum length, complexity requirements, password history, and minimum and maximum password age.

For information about specific settings, see Password Policy.

Account lockout policy

Account lockout policy options lock an account for a configured duration after a set number of failed logon attempts within the observation window. Using these options can help you detect and block online attempts to guess passwords. Two caveats apply: an attacker who spreads attempts across many accounts (password spraying) can stay under the threshold, so lockout does not replace auditing of failed logons and strong passwords; and a low threshold lets anyone who can reach a logon interface lock accounts out deliberately, so lockouts should be monitored as a signal rather than relied on only as a defense.

For information about account lockout policy options, see Account Lockout Policy.

Kerberos policy

Kerberos-related settings include ticket lifetimes and enforcement rules. Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the default domain GPO, where they affect domain logons.

For information about Kerberos Policy options for the domain controller, see Kerberos Policy.
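The precedence rules above (local database on members, default domain GPO on domain controllers, Kerberos settings only in the domain policy) can be checked directly. The following script is an added example, not code from the original page: it exports the password, lockout and Kerberos settings in force in this computer's local security database and, on a domain member, compares the password and lockout part with the domain-wide values held on the domain head, which is what the domain controllers enforce for domain accounts. It assumes an elevated prompt and, for the domain comparison, the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the original page). Assumes: elevated prompt; ActiveDirectory
# module available for Compare-DomainAccountPolicy.

function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes an INI-style file. [System Access] holds password and lockout
    # settings; [Kerberos Policy] holds ticket settings and is meaningful only on a DC.
    # /mergedpolicy exports the merged result of domain and local settings.
    secedit /export /mergedpolicy /cfg $inf /quiet | Out-Null
    $policy  = @{}
    $section = $null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ((@('System Access', 'Kerberos Policy') -contains $section) -and
            ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$')) {
            $name  = $Matches[1]
            $value = $Matches[2]
            # Numeric settings are days, minutes, counts or 0/1 flags; -1 means "never".
            if ($value -match '^-?\d+$') { $value = [int]$value }
            $policy[$name] = $value
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Compare-DomainAccountPolicy {
    param([hashtable]$Effective)
    Import-Module ActiveDirectory
    $d = Get-ADDefaultDomainPasswordPolicy
    # AD reports ages as TimeSpans; the INF uses days, with -1 for "password never expires".
    $maxAge = if ($d.MaxPasswordAge -eq [TimeSpan]::MaxValue) { -1 } else { [int]$d.MaxPasswordAge.TotalDays }
    $pairs = @(
        @{ Setting = 'MinimumPasswordLength'; Domain = $d.MinPasswordLength },
        @{ Setting = 'PasswordHistorySize';   Domain = $d.PasswordHistoryCount },
        @{ Setting = 'MaximumPasswordAge';    Domain = $maxAge },
        @{ Setting = 'MinimumPasswordAge';    Domain = [int]$d.MinPasswordAge.TotalDays },
        @{ Setting = 'PasswordComplexity';    Domain = [int]$d.ComplexityEnabled },
        @{ Setting = 'LockoutBadCount';       Domain = $d.LockoutThreshold }
    )
    foreach ($p in $pairs) {
        New-Object PSObject -Property @{
            Setting = $p.Setting
            Local   = $Effective[$p.Setting]
            Domain  = $p.Domain
            Match   = ($Effective[$p.Setting] -eq $p.Domain)
        }
    }
}

$effective = Get-LocalAccountPolicy
$effective.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    Compare-DomainAccountPolicy -Effective $effective | Format-Table Setting, Local, Domain, Match -AutoSize
}
```

A mismatch between the Local and Domain columns on a member computer is expected when an OU-level GPO sets a different policy for local accounts, as described above; the domain column is what applies to domain accounts regardless. The lockout duration and observation window are omitted from the comparison because secedit does not write them when the threshold is 0. Where fine-grained password policies are in use, Get-ADUserResultantPasswordPolicy shows the policy that actually applies to a given user.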

Local security policy

A security policy is a combination of security settings that affect the security on a computer. You can use the local security policy to control the following local policies:

  • Security Options - How the computer authenticates and admits access, such as anonymous access, NTLM and LAN Manager behavior, and what the logon screen reveals.

  • User Rights Assignment - Which users and groups may log on to the computer by a given method and perform system-level operations.

  • Audit Policy - Whether or not a user's or group's actions are recorded in the Security event log.

For information about how security policy is applied, see Local Security Policy overview.

Security options for logon behavior

The following security options are available to modify logon-related behaviors, including password behavior:

  • Devices

  • Domain controller

  • Domain member

  • Interactive logon

  • Microsoft network server

  • Network access

  • Network security

  • Recovery console

  • Shutdown

For a complete list of security options for logon behavior, see Security Options.
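Security options are stored as registry values, so the setting in force on a computer (local policy plus any GPO) can be read back without the snap-in. The following script is an added example, not code from the original page. The option-to-registry mapping and the expected values are this example's own assumptions, drawn from common hardening baselines, not requirements stated on the page.

```powershell
# Added example (not from the original page). Reads the registry values behind several
# logon-related security options and reports whether each meets an assumed baseline.

$checks = @(
    @{ Option = 'Network security: LAN Manager authentication level'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'
       Expect = { param($v) $v -ge 5 }; Note = '5 = send NTLMv2 only, refuse LM and NTLM' },
    @{ Option = 'Network security: Do not store LAN Manager hash value on next password change'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'
       Expect = { param($v) $v -eq 1 }; Note = '1 = LM hash is not stored' },
    @{ Option = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'
       Expect = { param($v) $v -eq 1 }; Note = '1 = null sessions cannot list local accounts' },
    @{ Option = 'Interactive logon: Number of previous logons to cache'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount'
       Expect = { param($v) [int]$v -le 4 }; Note = 'stored as a string; fewer cached verifiers to crack offline' },
    @{ Option = 'Interactive logon: Do not display last user name'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'
       Expect = { param($v) $v -eq 1 }; Note = '1 = logon screen does not reveal a valid user name' },
    @{ Option = 'Microsoft network server: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'
       Expect = { param($v) $v -eq 1 }; Note = '1 = SMB server requires signing' },
    @{ Option = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RequireSignOrSeal'
       Expect = { param($v) $v -eq 1 }; Note = '1 = secure channel to the DC must be signed or sealed' }
)

function Test-LogonSecurityOptions {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        # A missing value means the option is not configured and the OS default applies.
        $ok = if ($null -eq $value) { 'not set' } else { [bool](& $c.Expect $value) }
        New-Object PSObject -Property @{
            Option = $c.Option
            Value  = $value
            OK     = $ok
            Note   = $c.Note
        }
    }
}

Test-LogonSecurityOptions | Format-Table OK, Value, Option -AutoSize
```

An option that reports "not set" is running on the operating system default, which differs between Windows versions; the check reports it separately rather than guessing the default.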

User rights assignment

User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to allow or deny users the ability to log on to the computer by a given method (locally, over the network, as a batch job, as a service, or through Remote Desktop Services) based on their security group memberships. Each logon method has an Allow right and a matching Deny right; if a user, or any group the user belongs to, holds the Deny right, it overrides the Allow right.

In the Local Security Settings and Group Policy snap-ins, the policy options that affect users’ rights based on their method of accessing the computer are located under the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment extension.

For a complete list of user rights assignment settings, and for a description of these policies in Windows Server 2003, see User Rights Assignment.
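The following script is an added example, not code from the original page. It exports the user rights in force on this computer and, for each logon method, lists who holds the Allow right and who holds the Deny right, resolving SIDs to account names. It assumes an elevated prompt; secedit's export format (rights as `Name = *SID,*SID`) is the only dependency.

```powershell
# Added example (not from the original page). Assumes an elevated prompt.

# Allow/Deny pairs for the logon-related user rights.
$logonRights = @(
    'SeInteractiveLogonRight',       'SeDenyInteractiveLogonRight',
    'SeNetworkLogonRight',           'SeDenyNetworkLogonRight',
    'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
    'SeBatchLogonRight',             'SeDenyBatchLogonRight',
    'SeServiceLogonRight',           'SeDenyServiceLogonRight'
)

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; well-known names may appear as plain text.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned SID: deleted account or unreachable domain
}

function Get-LogonRights {
    $inf = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /areas USER_RIGHTS /cfg $inf /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $list = $Matches[2]
            if ($logonRights -contains $name) {
                $holders = @($list -split ',' | Where-Object { $_.Trim() } |
                             ForEach-Object { Resolve-Principal $_.Trim() })
                $rights[$name] = $holders
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    # A right that is assigned to nobody is simply absent from the export.
    foreach ($allow in ($logonRights | Where-Object { $_ -notlike 'SeDeny*' })) {
        $deny = $allow -replace '^Se', 'SeDeny'
        New-Object PSObject -Property @{
            Right   = $allow
            Allowed = ($rights[$allow] -join ', ')
            Denied  = ($rights[$deny]  -join ', ')
        }
    }
}

Get-LogonRights | Format-Table Right, Allowed, Denied -AutoSize -Wrap
```

A principal that appears in both columns for the same row is effectively denied that logon method. On a domain member, gpresult /h or the Resultant Set of Policy snap-in shows which GPO set each right.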

Auditing policy

Auditing policy lets you record and review access to objects, such as files and folders, changes to user and group accounts, and user logons and logoffs. Audit policy settings specify the categories of events that you want to audit, set the size and retention behavior of the Security log, and, for object access, determine which objects to monitor and which types of access (for example, read, write, or delete) to record.

For information about the audit policies, see Audit Policy.

For information about security auditing, see Security Auditing.

For information about specific security auditing events, see Security Audit Policy Reference.

See Also

Concepts

Windows Authentication Concepts