Windows XP - Account policies.

When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement Group Policies for users and groups. Then along came MS Windows NT4 and a few sites started to adopt this capability. By the time that MS Windows 2000 and Active Directory was released, administrators got the message: Group Policies are a good thing! They can help reduce administrative costs and actually make happier users. But adoption of the true potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users and machines were picked up on rather slowly.

How it works? Under MS Windows platforms, particularly those following the release of MS Windows NT4 and MS Windows 95, it is possible to create a type of file that would be placed in the NETLOGON share of a domain controller. As the client logs onto the network, this file is read and the contents initiate changes to the registry of the client machine. This file allows changes to be made to those parts of the registry that affect users, groups of users, or machines. Windows NT4 system policies allow the setting of registry parameters specific to users, groups, and computers (client workstations) that are members of the NT4-style domain. Such policy files will work with MS Windows 200x/XP clients also.

Administration of Windows XP Policies. Instead of using the tool called the System Policy Editor, commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows: 1. Go to the Windows 200x/XP menu Start->Programs->Administrative Tools and select the MMC snap-in called Active Directory Users and Computers Select the User or Group that you wish to manage, then right-click to open the context menu for that object, and select the Properties. Left-click on the Group Policy tab, then left-click on the New tab. Type a name for the new policy you will create. Left-click on the Edit tab to commence the steps needed to create the GPO.

2.

3.

4.

All policy configuration options are controlled through the use of policy administrative templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. The latter introduces many new features as well as extended

definition capabilities. It is well beyond the scope of this documentation to explain how to program .adm files; for that, refer to the Microsoft Windows Resource Kit for your particular version of MS Windows.

Managing Account/User Policies. All security policies are computer-based policies. Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain three subsets: Password policy Used for domain or local user accounts. Determines settings for passwords, such as enforcement and lifetimes. Account lockout policy Used for domain or local user accounts. Determines the circumstances and length of time that an account will be locked out of the system. Kerberos policy Used for domain user accounts. Determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in local computer policy. Configuring Password Policy : Used for domain or local user accounts. Determines settings for passwords, such as enforcement and lifetimes. Password Policy allows you to improve security on your computer by controlling how passwords are created and managed. You can specify the maximum length of time a password can be used before the user must change it. Changing passwords decreases the chances of an unauthorized person breaking into your computer. If an unauthorized user has discovered a user account and password combination for your computer, forcing users to change passwords regularly will cause the user account and password combination to eventually fail and lock the unauthorized user out of the system. Other Password Policy options are available to improve a computer's security. For example, you can specify a minimum password length. The longer the password, the more difficult it is to discover. Another example is maintaining a history of the passwords used. This prevents a user from having two passwords and alternating between them. Configuring Account Lockout Policy : Used for local user accounts. Determines the circumstances and length of time that an account will be locked out of the system. The Account Lockout Policy settings also allow you to improve the security on your computer. If no account lockout policy is in place, an unauthorized user can repeatedly try to break into your computer. If, however, you have set an account lockout policy, the system locks out the user account under the conditions you specify in Account Lockout Policy. You access the Account Lockout Policy settings using the Group Policy snap-in, just as you did to configure the Password Policy settings.

Kerberos policy: Used for domain user accounts. Determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in local computer policy. Available in Windows Server Edtion.