Security Policy


The Group Policy Object Editor (gpedit) allows you to edit security settings for users or computers. You configure security settings policies in Computer Configuration\Windows Settings\Security Settings. With Security Settings, you can require minimum password complexity, control the ability to log on to computers remotely, enable software restriction policies, set IP security, and much more. The following sections explain the security areas that can be configured.

Account Policies (SCE)

These are computer security settings for password policy, lockout policy, and Kerberos policy in domains on Windows 2000 and Windows Server 2003.

Local Policies (SCE)

These include security settings for audit policy, user rights assignment, and security options. Local policy allows you to configure who has local or network access to the computer and whether or how local events are audited.

Event Log (SCE)

This controls security settings for the Application, Security, and System event logs. You can access these logs using the Event Viewer.

Restricted Groups (SCE)

This allows you to control who should and should not belong to a restricted group, as well as which groups a restricted group should belong to. This allows administrators to enforce security policy settings regarding sensitive groups, such as Administrators or Payroll. For example, it may be decided that only Joe and Mary should be members of the Administrators group. Restricted groups can be used to enforce that policy. If a third user is added to the group (for example, to accomplish some task in an emergency situation), the next time policy is enforced, that third user is automatically removed from the Administrators group. 
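The following PowerShell script, added here as an illustration and not part of the original page, reports the drift a Restricted Groups policy would correct: it compares the local Administrators group against an allowed list (the names Joe and Mary and the CONTOSO domain are constructed samples) and flags members that would be removed at the next refresh. It assumes a current Windows build with the Microsoft.PowerShell.LocalAccounts module and changes nothing itself.

```powershell
# Added example, not from the page: audit local group membership against the list a
# Restricted Groups policy would enforce. Names below are constructed samples.
$AllowedAdmins = @('Administrator', 'CONTOSO\Joe', 'CONTOSO\Mary')

function Get-RestrictedGroupDrift {
    param(
        [string]$Group = 'Administrators',
        [Parameter(Mandatory)][string[]]$AllowedMembers
    )
    # Get-LocalGroupMember reports each member as 'DOMAIN\name' or 'COMPUTERNAME\name'.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    $names = @($members | ForEach-Object { $_.Name })

    # Strip the local computer prefix so local accounts compare as bare names.
    $localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    $normalized = @($names | ForEach-Object { $_ -replace $localPrefix, '' })

    # -notcontains is case-insensitive in PowerShell, matching how Windows treats names.
    [PSCustomObject]@{
        Group      = $Group
        Unexpected = @($normalized | Where-Object { $AllowedMembers -notcontains $_ })
        Missing    = @($AllowedMembers | Where-Object { $normalized -notcontains $_ })
    }
}

$drift = Get-RestrictedGroupDrift -Group 'Administrators' -AllowedMembers $AllowedAdmins
if ($drift.Unexpected.Count -gt 0) {
    Write-Warning ("Not in the allowed list (policy would remove at next refresh): " +
                   ($drift.Unexpected -join ', '))
}
if ($drift.Missing.Count -gt 0) {
    Write-Warning ("Allowed members currently absent: " + ($drift.Missing -join ', '))
}
if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "$($drift.Group) matches the allowed list."
}
```

Run it on a schedule between policy refreshes to see who was added to a sensitive group before enforcement quietly removes them again.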

System Services (SCE)

These control startup mode and security options (security descriptors) for system services such as network services, file and print services, telephone and fax services, Internet and intranet services, and so on.

Registry (SCE)

This is used to configure security settings for registry keys including access control, audit, and ownership. When you apply security on registry keys, the Security Settings extension follows the same inheritance model as that used for all tree-structured hierarchies in Windows 2000 and Windows Server 2003 (such as Active Directory and NTFS). Microsoft recommends that you use the inheritance capabilities to specify security only at top-level objects, and redefine security only for those child objects that require it. This approach greatly simplifies your security structure and reduces the administrative overhead that results from a needlessly complex access-control structure.
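To see where a registry tree departs from the inheritance model described above, the following PowerShell script (an added example, not from the page) walks a subtree and lists every child key whose DACL either has inheritance disabled or carries explicit, non-inherited access rules. The path HKLM:\SOFTWARE\Contoso is an assumed sample; point it at the top-level key you secured.

```powershell
# Added example, not from the page: find registry keys that redefine security
# below the top-level object, which is where the recommended inheritance-based
# structure says exceptions should be rare and deliberate.
function Get-RegistryAclException {
    param(
        [Parameter(Mandatory)][string]$Path   # e.g. 'HKLM:\SOFTWARE\Contoso' (assumed sample)
    )
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            # Keys the current account cannot read are skipped; they are worth a look too.
            Write-Verbose "Cannot read ACL on $($key.Name): $($_.Exception.Message)"
            return
        }
        # Explicit rules are ACEs set directly on this key rather than flowing from a parent.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [PSCustomObject]@{
                Key                 = $key.Name
                InheritanceDisabled = $acl.AreAccessRulesProtected
                ExplicitRules       = ($explicit | ForEach-Object {
                    "$($_.IdentityReference):$($_.RegistryRights):$($_.AccessControlType)"
                }) -join '; '
            }
        }
    }
}

Get-RegistryAclException -Path 'HKLM:\SOFTWARE\Contoso' -Verbose | Format-Table -AutoSize
```

An empty result means every key under the path takes its security from the top-level object, which is the simple structure the recommendation aims for.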

File System (SCE)

This is used to configure security settings for file-system objects, including access control, audit, and ownership.

Public Key Policies

You use these settings to:

  • Specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate.
  • Create and distribute a certificate trust list.
  • Establish common trusted root certification authorities.
  • Add encrypted data recovery agents and change the encrypted data recovery policy settings.

IP Security Policies on Active Directory

IP Security (IPSec) policy can be applied to the GPO of an Active Directory object. This propagates that IPSec policy to any computer accounts affected by that GPO.  

Wireless Networking

This lets you configure wireless network settings that are part of Group Policy for Computer Configuration. Wireless network settings include the list of preferred networks, WEP settings, and IEEE 802.1X settings. These settings are downloaded to targeted domain members, making it much easier to deploy a specific configuration for secure wireless connections to wireless client computers.  

Software Restriction Policies

This lets you protect your computer environment from untrusted code by identifying and specifying which applications are allowed to run. With software restriction policies, you can: 

  • Control the ability of programs to run on your system. For example, if you are concerned about users receiving viruses through e-mail, you can apply a policy setting that does not allow certain file types to run in the e-mail attachment directory of your e-mail program.
  • Permit users to run only specific files on multi-user computers. For example, if you have multiple users on your computers, you can set up software restriction policy settings in such a way that users do not have access to any software but those specific files that are necessary for their work.
  • Decide who can add trusted publishers to your computer.
  • Control whether software restriction policy settings affect all users or just certain users on a computer.
  • Prevent any files from running on your local computer, organizational unit, site, or domain. For example, if your system has a known virus, you can use software restriction policy settings to stop a computer from opening the file that contains the virus.

Note: Software restriction policy settings should not be used as a replacement for antivirus software.

Last Modified 3/1/05 4:41 PM