Account and local policies
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Account and local policies
All security policies are computer-based policies. This section explains account policies and local policies.
Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain three subsets:
Password Policy. Used for domain or local user accounts. Determines settings for passwords, such as enforcement and lifetimes.
Account Lockout Policy. Used for domain or local user accounts. Determines the circumstances and length of time that an account will be locked out of the system.
Kerberos Policy. Used for domain user accounts. Determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
For domain accounts, the account policy must be defined in the Default Domain Policy Group Policy object (GPO) or in a new GPO that is linked to the root of the domain and given precedence over the Default Domain Policy GPO, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs.
A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if a different account policy is applied to the organizational unit (OU) that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers.
Modifying the Default Domain Policy is not recommended. If you need to set some account policy that differs from that in the Default Domain Policy GPO, you can create a new GPO and link to the root of domain, set the policy you want to use, and assign it higher precedence than Default Domain Policy GPO.
There are two policies in Security Options that also behave like account policies. These are:
Network Access: Allow anonymous SID/NAME translation
Network Security: Force Logoff when Logon Hours expire
These policies apply to a computer and contain these subsets:
Auditing Policy. Determines whether security events are logged into the Security log on the computer. Also determines whether to log successful attempts, failed attempts or both. (The Security log is part of Event Viewer.)
User Rights Assignment. Determines which users or groups have logon rights or privileges on the computer.
Security Options. Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD-ROM access, driver installation, and logon prompts.
Because a computer can have more than one policy applied to it, there can be conflicts in security policy settings. The order of precedence from highest precedence to lowest precedence is organizational unit, domain, and local computer. For more information, see Applying security settings.