Windows 2000 Policies

Types of Policies

  • Account policy - Determines how passwords are validated and how unsuccessful logon attempts are handled. Account policies can be set for Organizational Units, the domain, domain controllers, and local computers, but domain accounts always take their account policy from the domain-level setting; an account policy set on an OU affects only the local accounts of the computers in that OU. Three types of account policies:
    • Password policy - Determines how often the user must change passwords and various password requirements.
    • Account lockout policy - Determines when accounts are locked after failed logon attempts.
    • Kerberos policy - Windows 2000 domain controllers are key distribution centers (KDCs) for the Kerberos security protocol, which is used for authentication in a Windows 2000 domain.
  • User rights policy - Determines which users and groups can perform specific actions on the system.
  • Audit policy - Determines the amount and type of security logging that the system performs.
  • System policy - Helps administrators manage users of Windows 95, 98, or NT computers. It can be used to provide a uniform environment for large numbers of users by writing settings into the registry at logon.
    • User system policy
      • Individual user policy
      • Default user policy - Applies to users without individual user policies. There are initially no restrictions in this policy. The policy overwrites the HKEY_CURRENT_USER section of the Windows registry.
    • Group system policy - Applies to all members of the group it is set for, unless the member has an individual user policy. Groups are listed by priority in the System Policy Editor's Group Priority dialog box; when a user is in multiple groups, the highest priority group's policy wins on conflicting settings.
    • Computer system policy
      • Individual computer system policy
      • Default computer system policy
  • Group policy - New with Windows 2000, and processed only by Windows 2000 computers and the users who log on to them. A Group Policy Object (GPO) is linked to a site, domain, or Organizational Unit in Active Directory and applies to the computers and users in that container; it is managed with the Group Policy snap-in, not with the System Policy Editor. A GPO consists of:
    • The Group Policy Object itself, stored in Active Directory.
    • The files and folders (the Group Policy Template, under SYSVOL) that are created when the Group Policy Object is created.

System Policies

System Policy Priorities

Policy settings may be applied to any computer or user on the domain from the System Policy Editor.

  • Individual user - The HKEY_CURRENT_USER portion of the registry is modified. Settings for one user are changed.
  • Group - Policies applied to groups. One group may have a higher priority than another, for the case when a user belongs to multiple groups; this is set from the "Options" menu with "Group Priority". If the user does not have an individual policy, the policies of the groups the user belongs to are applied.
  • Default user - The HKEY_CURRENT_USER portion of the registry is modified. Settings for any domain user that logs on from any computer are changed. If the user does not have an individual policy, this is applied, with any group policies applied on top of it.
  • Individual computer - (Non Windows 2000 computers) The HKEY_LOCAL_MACHINE portion of the registry is modified. Policies apply to a specific computer.
  • Default computer - The HKEY_LOCAL_MACHINE portion of the registry is modified. Settings are changed for all domain computers. If the computer does not have an individual computer policy, this is applied.

Policy settings are determined by precedence as listed above. An individual user policy overrides group and default user policies; group policies override the default user policy, and when a user is a member of several groups the priority set in the System Policy Editor decides which group's setting wins. Computer policies are written to HKEY_LOCAL_MACHINE regardless of who logs on, so a computer setting cannot be undone by a user policy, and a specific computer policy overrides the default computer policy.
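The precedence rules above, as an added example that is not part of the original page and not poledit's own code. Policies are modelled as dicts of registry value name to value; the policy data, group memberships and value names are constructed for the demonstration.

```python
"""Resolve which System Policy settings a user or computer ends up with.

Added example, not part of the original page and not poledit's code. Policies
are modelled as dicts of registry value name -> value: user-side policies
target HKEY_CURRENT_USER, computer-side policies HKEY_LOCAL_MACHINE. The
policy data below is constructed for the demonstration; the value names
(NoRun, NoDrives, Wallpaper, ...) are illustrative only.
"""

POLICIES = {
    "default_user": {"NoRun": 1, "Wallpaper": "corp.bmp"},
    "groups": {
        "Engineering": {"NoRun": 0},
        "Interns": {"NoRun": 1, "NoDrives": 4},
    },
    "users": {"admin": {"NoRun": 0, "Wallpaper": "none"}},
    "default_computer": {"EnableSecurityFilters": 1},
    "computers": {"KIOSK1": {"EnableSecurityFilters": 0, "AutoAdminLogon": 1}},
}
# Order from poledit's Group Priority dialog, highest priority first.
GROUP_PRIORITY = ["Interns", "Engineering"]


def effective_user_policy(user, user_groups, policies=POLICIES, group_priority=GROUP_PRIORITY):
    """HKCU settings applied at logon for `user`, a member of `user_groups`."""
    if user in policies.get("users", {}):
        # An individual user policy is used on its own; group and default
        # user policies are not consulted for that user.
        return dict(policies["users"][user])
    # Otherwise start from Default User, then overlay each group the user
    # belongs to from lowest to highest priority so the highest wins conflicts.
    effective = dict(policies.get("default_user", {}))
    for group in reversed(group_priority):
        if group in user_groups:
            effective.update(policies.get("groups", {}).get(group, {}))
    return effective


def effective_computer_policy(computer, policies=POLICIES):
    """HKLM settings applied at startup for `computer`."""
    computers = policies.get("computers", {})
    if computer in computers:
        # A policy for the specific computer replaces the default computer policy.
        return dict(computers[computer])
    return dict(policies.get("default_computer", {}))


if __name__ == "__main__":
    # bob is in both groups: Interns outranks Engineering, so NoRun stays 1.
    print(effective_user_policy("bob", {"Engineering", "Interns"}))
    print(effective_user_policy("admin", {"Engineering"}))
    print(effective_computer_policy("KIOSK1"), effective_computer_policy("WS7"))
```

Note that the individual user policy wins outright: it is not merged with the default user policy, so a value left out of an individual policy is simply not set for that user.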

System Policy Editor

System policy settings set for domain users with the System Policy Editor are written into the user's registry hive (part of the user profile) at logon, so they are merged with the settings already in the local profile. User logon restrictions such as logon hours and permitted workstations are set on the user account: in User Manager for Domains on a Windows NT domain, or in Active Directory Users and Computers on a Windows 2000 domain. A policy may be set to automatically log users off when their permitted logon hours end. To start the System Policy Editor, click "Start", "Run", and type "poledit" in the text box.

The System Policy Editor is available on Windows 2000 Server type systems. Installation of the ADMINPAK will make it available on Windows 2000 Professional computers.

The following policy files are used for the following systems:

  • NTCONFIG.POL - Windows NT
  • CONFIG.POL - Windows 95/98

They must be created on the operating system on which they are intended for use, because the two file formats differ. Windows 2000 computers in a Windows 2000 domain are managed with Group Policy instead of .POL files.

Account Policies

Account policy and lockout options

The three main groupings are "Password restrictions", "Account lockout", and "Kerberos". The first four items below are under "Password restrictions".

  • Password policy
    • Enforce password history - Determines the number of previous passwords that are remembered; a remembered password cannot be reused until that many new passwords have been set.
    • Maximum password age - If 0, passwords never expire.
    • Minimum password age - If 0, passwords can be changed whenever the user wants. A nonzero value prevents a user from changing the password repeatedly in one sitting to run through the password history and return to the original password.
    • Minimum password length - Values are 0 to 14 characters. If 0, passwords are not required, so blank passwords are accepted.
    • Passwords must meet complexity requirements - When enabled, passwords must contain characters from several of the classes uppercase, lowercase, numeric, and special, and must not contain the user name.
    • Store password using reversible encryption for all users - The default one-way hash is more secure. Reversible encryption stores a recoverable form of the password and is only needed by clients or protocols that require the plaintext, such as Apple Macintosh clients, CHAP remote access authentication, and Digest authentication; anyone who can read the SAM or the directory can then recover those passwords.
  • Account lockout policy
    • Account lockout threshold - Number of consecutive unsuccessful logon attempts before the account is locked. If 0, the account is never locked because of bad logon attempts, and the two settings below have no effect.
    • Account lockout duration - Determines how long accounts remain locked. This is "Not Defined" or from 0 to 99,999 minutes. If 0, the account stays locked until an administrator unlocks it.
    • Reset account lockout counter after - Specifies how long after the last bad logon attempt the counter of failed attempts is reset to zero. Possible values are "Not Defined" or 1 to 99,999 minutes, and the value must not exceed the lockout duration. If "Not Defined", user accounts are never locked out.
  • Kerberos policy (Windows 2000 default in parentheses)
    • Enforce user logon restrictions (enabled) - The KDC checks the account's logon rights and restrictions each time it issues a session ticket.
    • Maximum lifetime for service ticket (600 minutes)
    • Maximum lifetime for user ticket (10 hours)
    • Maximum lifetime for user ticket renewal (7 days)
    • Maximum tolerance for computer clock synchronization (5 minutes) - Tickets and authenticators with timestamps outside this window are rejected; raising it widens the replay window.

Account policy changes become effective when the user logs off and back on again.

Setting Account Policies

  • Organizational Units - In Administrative Tools, select "Active Directory Users and Computers", open the properties of the OU, and edit its Group Policy. Account policy set here affects only the local accounts of the member computers in that OU; domain accounts take their account policy from the domain.
  • Domain - In Administrative Tools, select "Domain Security Policy", which edits the Default Domain Policy. The ADMINPAK must be installed on a computer that is not a domain controller.
  • Domain controllers - In Administrative Tools, select "Domain Controller Security Policy". The ADMINPAK must be installed on a computer that is not a domain controller.
  • Local computers - From the Control Panel, "Administrative Tools" applet, double click "Local Security Policy".
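Checking the result of the settings above, as an added example that is not part of the original page. On a Windows 2000 computer the effective settings can be exported with "secedit /export /cfg policy.inf"; the [System Access] and [Kerberos Policy] key names below are the ones that appear in such templates, while the template text itself is a constructed sample with deliberately weak values and the BASELINE thresholds are assumptions rather than values from the page.

```python
"""Audit Windows 2000 account and Kerberos policy from an exported security template.

Added example, not part of the original page. SAMPLE_TEMPLATE is a constructed
file in the format written by `secedit /export /cfg`; BASELINE holds assumed
thresholds, not values documented on the page.
"""
import configparser

SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

BASELINE = {"PasswordHistorySize": 12, "MinimumPasswordLength": 8, "LockoutBadCount": 5}

# The GUI shows "never" / "until an administrator unlocks" as 0; exported
# templates may store the same setting as -1, so accept both.
NEVER = (0, -1)


def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's key names as written
    cp.read_string(text)
    return cp


def _get(cp, section, key, default):
    return cp.getint(section, key, fallback=default)


def audit_account_policy(cp):
    """Return {template key: finding} for settings weaker than BASELINE or self-defeating."""
    sa = "System Access"
    f = {}
    hist = _get(cp, sa, "PasswordHistorySize", 0)
    min_age = _get(cp, sa, "MinimumPasswordAge", 0)
    min_len = _get(cp, sa, "MinimumPasswordLength", 0)
    if hist < BASELINE["PasswordHistorySize"]:
        f["PasswordHistorySize"] = f"only {hist} passwords remembered"
    if hist > 0 and min_age == 0:
        # With no minimum age a user can change the password hist + 1 times in a
        # row and land back on the original, so the history setting buys nothing.
        f["MinimumPasswordAge"] = "0 lets users cycle through the history immediately"
    if _get(cp, sa, "MaximumPasswordAge", 42) in NEVER:
        f["MaximumPasswordAge"] = "passwords never expire"
    if min_len == 0:
        f["MinimumPasswordLength"] = "blank passwords allowed"
    elif min_len < BASELINE["MinimumPasswordLength"]:
        f["MinimumPasswordLength"] = f"{min_len} is below baseline"
    if _get(cp, sa, "PasswordComplexity", 0) == 0:
        f["PasswordComplexity"] = "complexity requirements disabled"
    if _get(cp, sa, "ClearTextPassword", 0) == 1:
        f["ClearTextPassword"] = "reversible encryption: passwords recoverable by anyone who can read the SAM or directory"
    bad = _get(cp, sa, "LockoutBadCount", 0)
    if bad == 0:
        f["LockoutBadCount"] = "no lockout: online password guessing is unlimited"
    elif bad > BASELINE["LockoutBadCount"]:
        f["LockoutBadCount"] = f"{bad} attempts before lockout exceeds baseline"
    elif _get(cp, sa, "LockoutDuration", 30) in NEVER:
        # Not a weakness, but a help-desk cost: a guessed-at account stays locked until unlocked by hand.
        f["LockoutDuration"] = "locked until an administrator unlocks the account"
    return f


def audit_kerberos_policy(cp):
    """Flag Kerberos settings looser than the Windows 2000 defaults."""
    kp = "Kerberos Policy"
    f = {}
    if _get(cp, kp, "MaxClockSkew", 5) > 5:
        f["MaxClockSkew"] = "clock skew above 5 minutes widens the replay window"
    if _get(cp, kp, "MaxTicketAge", 10) > 10:
        f["MaxTicketAge"] = "user ticket lifetime above the 10 hour default"
    if _get(cp, kp, "MaxServiceAge", 600) > 600:
        f["MaxServiceAge"] = "service ticket lifetime above the 600 minute default"
    if _get(cp, kp, "TicketValidateClient", 1) == 0:
        f["TicketValidateClient"] = "user logon restrictions not checked when session tickets are issued"
    return f


if __name__ == "__main__":
    cp = parse_template(SAMPLE_TEMPLATE)
    for key, msg in {**audit_account_policy(cp), **audit_kerberos_policy(cp)}.items():
        print(f"{key}: {msg}")
```

Run it against a real export to compare a member server's local policy with what the domain applies: the [System Access] section of a member server shows the values in force for its local accounts, which is exactly where an OU-level account policy would land.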

User Rights Policies

The descriptions below are followed by the Windows 2000 name of the user right in parentheses and the groups that hold it by default on a workstation or member server. Defaults differ on domain controllers, and Power Users exist only on Windows 2000 Professional and member servers.

  • Shut down the computer from a remote location ("Force shutdown from a remote system") - Administrators, Power Users.
  • Access the computer via the network ("Access this computer from the network") - Administrators, Power Users, Everyone. On Windows 2000 the Everyone group includes anonymous (null session) connections.
  • Use the computer locally ("Log on locally") - All users.
  • Back up or restore directories and files ("Back up files and directories", "Restore files and directories") - Administrators, Backup Operators. Either right bypasses file permissions, so treat Backup Operators as a privileged group.
  • Change the system time ("Change the system time") - Administrators, Power Users.
  • Delete or add device drivers ("Load and unload device drivers") - Administrators. A loaded driver runs in kernel mode, so this right is equivalent to full control of the computer.
  • Change the security logging policy ("Manage auditing and security log") - Administrators.
  • Shut the system down ("Shut down the system") - All users except guests.
  • Take file ownership ("Take ownership of files or other objects") - Administrators.

Audit Policies

The Event Viewer allows viewing of events specified by the audit policy.

On Windows 2000, auditing is enabled under Local Policies, Audit Policy in Local Security Policy (or in a Group Policy Object); each category, such as "Audit logon events" or "Audit account management", is set to audit Success, Failure, or both. (Windows NT used the "Audit These Events" check box in User Manager.) Nothing is written to the Security log until at least one category is enabled. The Event Viewer shows three logs:

  • System - System errors, driver errors, binding errors, or service failures.
  • Security - The events selected by the audit policy, such as bad logon attempts, account lockouts, and use of privileges.
  • Application - Events written by applications.

Each message has an event ID number. The maximum size of each log and whether old events are overwritten when the log is full can be set depending on available disk space. If the Security log is set never to overwrite events and fills up, new audit events are dropped unless the system is configured to halt when it cannot record an audit ("Shut down system immediately if unable to log security audits").
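Checking the user rights and audit policy sections described above, as an added example that is not part of the original page. The [Privilege Rights] and [Event Audit] sections, the Se* privilege names and the well-known SIDs are the ones used by Windows 2000 security templates ("secedit /export /cfg"); the SAMPLE template is constructed with assignments chosen to trigger findings, and REQUIRED_AUDIT is an assumed minimum audit policy, not the page's.

```python
"""Check user rights assignments and audit policy in an exported security template.

Added example, not from the original page. SAMPLE is a constructed template;
REQUIRED_AUDIT and ADMIN_ONLY encode assumptions about what a baseline should
look like (ADMIN_ONLY follows the rights the page lists as Administrators only).
"""
import configparser

SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-1-0
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}
ADMINISTRATORS = "S-1-5-32-544"
EVERYONE = "S-1-1-0"

# Rights the page lists as Administrators only, keyed by template privilege name.
ADMIN_ONLY = {
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}

# Template audit values are a bit mask: 1 = audit successes, 2 = audit failures.
SUCCESS, FAILURE = 1, 2
REQUIRED_AUDIT = {
    "AuditLogonEvents": FAILURE,           # bad logon attempts must reach the Security log
    "AuditAccountLogon": FAILURE,          # same for domain account authentication
    "AuditPolicyChange": SUCCESS | FAILURE,  # changes to the audit policy itself
    "AuditAccountManage": SUCCESS | FAILURE,  # account and group changes
}


def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # privilege and audit key names are case-sensitive
    cp.read_string(text)
    return cp


def holders(cp, privilege):
    """SIDs granted a privilege; template entries are written as *SID, comma separated."""
    raw = cp.get("Privilege Rights", privilege, fallback="")
    return [s.strip().lstrip("*") for s in raw.split(",") if s.strip()]


def name(sid):
    return WELL_KNOWN_SIDS.get(sid, sid)


def check_rights(cp):
    """Return {privilege: finding} for rights granted more widely than the baseline."""
    f = {}
    for priv, label in ADMIN_ONLY.items():
        extra = [name(s) for s in holders(cp, priv) if s != ADMINISTRATORS]
        if extra:
            f[priv] = f"{label}: also granted to {', '.join(extra)}"
    if EVERYONE in holders(cp, "SeNetworkLogonRight"):
        f["SeNetworkLogonRight"] = ("Access this computer from the network granted to Everyone, "
                                    "which on Windows 2000 includes anonymous (null session) connections")
    return f


def decode_audit(cp):
    """Map each audit category to the Success/Failure wording the GUI shows."""
    labels = {0: "No auditing", SUCCESS: "Success", FAILURE: "Failure", SUCCESS | FAILURE: "Success, Failure"}
    return {cat: labels[int(value)] for cat, value in cp.items("Event Audit")}


def check_audit(cp):
    """Categories missing a bit that REQUIRED_AUDIT demands; an absent key counts as 0."""
    missing = [cat for cat, need in REQUIRED_AUDIT.items()
               if cp.getint("Event Audit", cat, fallback=0) & need != need]
    return sorted(missing)


if __name__ == "__main__":
    cp = parse_template(SAMPLE)
    print(check_rights(cp))
    print(decode_audit(cp))
    print("audit categories below baseline:", check_audit(cp))
```

With the sample, the take-ownership right held by Backup Operators and the network logon right held by Everyone are reported, and the audit check shows that policy changes and domain account logon failures would go unrecorded even though local logon failures are audited.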