Account and local policies

Account policies

All security policies are computer-based policies. Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain three subsets:

Password policy: Used for domain or local user accounts. Determines settings for passwords, such as enforcement and lifetimes.

Account lockout policy: Used for domain or local user accounts. Determines the circumstances and length of time that an account will be locked out of the system.

Kerberos policy: Used for domain user accounts. Determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in local computer policy.

For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the Default Domain Policy Group Policy object, even if a different account policy is applied to the organizational unit that contains the domain controller. By default, workstations and servers joined to a domain (that is, member computers) also receive the same account policy for their local accounts. However, local account policies can differ from the domain account policy, for example when you define an account policy specifically for the local accounts.
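The password and account lockout settings described above can be read back from the computer that enforces them. The following PowerShell is an added example, not part of the original article and not Microsoft-supplied code: it exports the local security policy with the in-box secedit.exe, parses the [System Access] section of the export (which is where password and lockout values such as MinimumPasswordLength and LockoutBadCount appear), and compares them against a baseline that is constructed here for illustration and is not an official Microsoft recommendation. On a domain member the exported values are the ones delivered by the Default Domain Policy unless a local override has been applied, so the same check shows whether the member computer actually received the domain account policy.

```powershell
# Added example (not from the original article). Assumes: Windows, an
# elevated prompt (secedit /export needs administrator rights), and the
# in-box secedit.exe. The baseline values below are constructed for
# illustration, not an official Microsoft setting.

function Get-LocalSecurityPolicySection {
    param([Parameter(Mandatory)][string]$Section)

    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # SECURITYPOLICY area covers password, lockout, audit and security options.
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

        # Minimal INI reader: collect key = value pairs from the requested section only.
        $result = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
            if ($inSection -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
                $result[$Matches[1]] = $Matches[2]
            }
        }
        return $result
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicyBaseline {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # Constructed baseline. Units: ages and durations in days/minutes as secedit
    # reports them; -1 means "never expires" / "until an administrator unlocks".
    $checks = @(
        @{ Key = 'MinimumPasswordLength'; Expect = '>= 14';        Test = { param($v) [int]$v -ge 14 } },
        @{ Key = 'PasswordComplexity';    Expect = '= 1 (enabled)'; Test = { param($v) [int]$v -eq 1 } },
        @{ Key = 'PasswordHistorySize';   Expect = '>= 24';        Test = { param($v) [int]$v -ge 24 } },
        @{ Key = 'MaximumPasswordAge';    Expect = '1..365 days';  Test = { param($v) [int]$v -ge 1 -and [int]$v -le 365 } },
        @{ Key = 'LockoutBadCount';       Expect = '1..10 (0 = lockout off)'; Test = { param($v) [int]$v -ge 1 -and [int]$v -le 10 } },
        # LockoutDuration and ResetLockoutCount are absent from the export when lockout is off.
        @{ Key = 'LockoutDuration';       Expect = '>= 15 min or -1'; Test = { param($v) [int]$v -ge 15 -or [int]$v -eq -1 } },
        @{ Key = 'ResetLockoutCount';     Expect = '>= 15 min';    Test = { param($v) [int]$v -ge 15 } }
    )

    foreach ($c in $checks) {
        $value = $Policy[$c.Key]
        $ok = ($null -ne $value) -and (& $c.Test $value)
        [pscustomobject]@{
            Setting   = $c.Key
            Value     = if ($null -ne $value) { $value } else { '(not set)' }
            Expected  = $c.Expect
            Compliant = $ok
        }
    }
}

# Usage (elevated prompt):
$policy = Get-LocalSecurityPolicySection -Section 'System Access'
Test-AccountPolicyBaseline -Policy $policy | Format-Table -AutoSize
```

For a quick unparsed view the built-in `net accounts` command prints the same lockout and password-age values; on a domain controller with the ActiveDirectory module installed, `Get-ADDefaultDomainPasswordPolicy` returns the domain-wide policy that the Default Domain Policy defines.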

There are two policies in Security Options that also behave like account policies. These are:

Network Access: Allow anonymous SID/NAME translation

Network Security: Force Logoff when Logon Hours expire

Local policies

These policies apply to a computer and contain these subsets:

Audit policy: Determines whether security events are logged in the Security log on the computer. Also determines whether to log successful attempts, failed attempts, or both. (The Security log is part of Event Viewer.)

User rights assignment: Determines which users or groups have logon rights or privileges on the computer.

Security options: Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD-ROM access, driver installation, and logon prompts.
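Because the audit policy decides what reaches the Security log at all, a defender usually wants to confirm that the subcategories that matter are set to record success, failure, or both. The following PowerShell is an added example, not part of the original article and not Microsoft-supplied code: it reads the effective audit policy with the in-box auditpol.exe in its CSV form and compares it with a baseline of subcategories that is constructed here for illustration rather than taken from a Microsoft guide. It assumes an English-language Windows installation (auditpol prints localized subcategory names) and an elevated prompt.

```powershell
# Added example (not from the original article). Assumes: Windows with
# auditpol.exe, an elevated prompt, English subcategory names. The baseline
# below is constructed for illustration, not an official recommendation.

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # The leading blank line is dropped so ConvertFrom-Csv sees the header first.
    $rows = & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' }
    return $rows | ConvertFrom-Csv
}

function ConvertTo-AuditFlags {
    param([string]$Setting)
    # 'Success and Failure' -> Success, Failure; 'No Auditing' -> nothing
    @('Success', 'Failure') | Where-Object { $Setting -match $_ }
}

function Test-AuditBaseline {
    param([Parameter(Mandatory)][object[]]$Policy)

    # Constructed baseline: subcategory -> minimum setting a defender expects.
    $baseline = @{
        'Credential Validation'     = 'Success and Failure'
        'Logon'                     = 'Success and Failure'
        'Logoff'                    = 'Success'
        'Account Lockout'           = 'Failure'
        'Special Logon'             = 'Success'
        'User Account Management'   = 'Success and Failure'
        'Security Group Management' = 'Success'
        'Audit Policy Change'       = 'Success and Failure'
        'Process Creation'          = 'Success'
    }

    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not present' }
        $have = @(ConvertTo-AuditFlags -Setting $actual)
        $need = @(ConvertTo-AuditFlags -Setting $baseline[$name])
        # Compliant when every required flag is present; extra flags are fine.
        $missing = @($need | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Subcategory = $name
            Required    = $baseline[$name]
            Actual      = $actual
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

# Usage (elevated prompt): list only the subcategories that fall short.
Test-AuditBaseline -Policy (Get-EffectiveAuditPolicy) |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

User rights assignment is not exposed by auditpol; it can be reviewed from `secedit /export /cfg <file> /areas USER_RIGHTS`, whose [Privilege Rights] section lists each right (for example SeDebugPrivilege) with the SIDs granted it.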

Because a computer can have more than one policy applied to it, there can be conflicts in security policy settings. The order of precedence, from highest to lowest, is organizational unit, domain, and local computer. For more information, see Applying security policy.

© 2017 Microsoft Corporation. All rights reserved.