Group Policy Settings Used in Windows Authentication

 

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows RT, Windows Server 2012, Windows RT 8.1, Windows 8

This reference topic for the IT professional describes the use and impact of Group Policy settings in the authentication process.

You can manage authentication in Windows operating systems by adding user, computer, and service accounts to groups, and then by applying authentication policies to those groups. These policies are defined as local security policies and as administrative templates, also known as Group Policy settings. Both sets can be configured and distributed throughout your organization by using Group Policy.

Note

Features introduced in Windows Server 2012 R2 let you configure authentication policies for targeted services or applications, commonly called authentication silos, by using protected accounts. For information about how to do this in Active Directory, see How to Configure Protected Accounts.

For example, you can apply the following policies to groups, based on their function in the organization:

  • Log on locally or to a domain

  • Log on over a network

  • Reset accounts

  • Create accounts

The following table lists policy groups relevant to authentication and provides links to documentation that can help you configure those policies.

| Policy group | Location | Description |
| --- | --- | --- |
| Password Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Password policies affect the characteristics and behavior of passwords. Password policies are used for domain accounts or local user accounts. They determine settings for passwords, such as enforcement and lifetime. For information about specific settings, see Password Policy. |
| Account Lockout Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. For information about account lockout policy options, see Account Lockout Policy. |
| Kerberos Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Kerberos-related settings include ticket lifetime and enforcement rules. Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the default domain Group Policy Object (GPO), where they affect domain logons. For information about Kerberos Policy options for the domain controller, see Kerberos Policy. |
| Audit Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy | Auditing policy lets you control and understand access to objects, such as files and folders, and manage user and group accounts and user logons and logoffs. Auditing policies can specify the categories of events that you want to audit, set the size and behavior of the security log, and determine which objects you want to monitor access to and what type of access you want to monitor. For information about the audit policies, see Audit Policy. For information about security auditing, see Security Auditing Overview. For information about specific security auditing events, see Advanced Security Audit Policy Settings. |
| User Rights Assignment | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to grant or deny users permission to access their computer based on the method of access and their security group memberships. For more information, see User Rights Assignment. |
| Security Options | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Policies relevant to authentication include: Devices, Domain controller, Domain member, Interactive logon, Microsoft network server, Network access, Network security, Recovery console, and Shutdown. For more information, see Security Options. |
| Credentials Delegation | Computer Configuration\Administrative Templates\System\Credentials Delegation | The delegation of credentials is a mechanism that lets local credentials be used on other systems, most notably member servers and domain controllers within a domain. These settings apply to applications that use the Credential Security Support Provider (CredSSP). Remote Desktop Connection is an example. |
| KDC | Computer Configuration\Administrative Templates\System\KDC | These policy settings affect how the Key Distribution Center (KDC), which is a service on the domain controller, handles Kerberos authentication requests. |
| Kerberos | Computer Configuration\Administrative Templates\System\Kerberos | These policy settings affect how Kerberos is configured to handle support for claims, Kerberos armoring, compound authentication, identifying proxy servers, and other configurations. |
| Logon | Computer Configuration\Administrative Templates\System\Logon | These policy settings control how the system presents the logon experience for users. |
| Net Logon | Computer Configuration\Administrative Templates\System\Net Logon | These policy settings control how the system handles network logon requests, including how the Domain Controller Locator behaves. For more information about how the Domain Controller Locator fits into replication processes, see Understanding Replication Between Sites. |
| Biometrics | Computer Configuration\Administrative Templates\Windows Components\Biometrics | These policy settings generally permit or deny the use of biometrics as an authentication method. For information about the Windows implementation of biometrics, see Windows Biometric Framework Overview [W8]. |
| Credential User Interface | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface | These policy settings control how credentials are managed at the point of entry. |
| Password Synchronization | Computer Configuration\Administrative Templates\Windows Components\Password Synchronization | These policy settings determine how the system manages the synchronization of passwords between Windows and UNIX-based operating systems. For more information, see Password Synchronization. |
| Smart Card | Computer Configuration\Administrative Templates\Windows Components\Smart Card | These policy settings control how the system manages smart card logons. For more information, see Windows Smart Card Technical Reference. |
| Windows Logon Options | Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options | These policy settings control when and how logon opportunities are available. |
| Ctrl+Alt+Del Options | Computer Configuration\Administrative Templates\Windows Components\Ctrl+Alt+Del Options | These policy settings affect the appearance of and accessibility to features on the logon UI (Secure Desktop), such as Task Manager and the keyboard lock of the computer. |
| Logon | Computer Configuration\Administrative Templates\Windows Components\Logon | These policy settings determine if or which processes can run when the user logs on. |

See also

Windows Authentication Technical Overview