Define Activation Security Check exemptions

Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists: one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the “Allow local activation security check exemptions” policy is enabled.

DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid, DCOM will add it to the list without checking for errors.

If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local settings.

If you disable this policy setting, the appid exemption list defined by Group Policy is deleted and the one defined by local computer administrators is used. If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used.

Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server’s custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server’s custom launch permission contains explicit DENY entries, this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to re-configure the DCOM server’s custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.

DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. Also note that exemptions for DCOM server appids added to this list will apply to both 32-bit and 64-bit versions of the server, if present.

Allow local activation security check exemptions

Allows you to specify that local computer administrators can supplement the “Define Activation Security Check exemptions” list. If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the “Define Activation Security Check exemptions” policy (if enabled), DCOM will look for an entry in the locally configured list. If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the “Define Activation Security Check exemptions” policy is not configured.
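The precedence between the two DCOM policies above, together with a format check for the exemption list, modeled as an added example (not Microsoft's code and not part of the original page). It assumes the local list uses the same 1/0 values as the Group Policy list and that a disabled "Define" policy leaves the local list in use unless "Allow local" is disabled; all function and parameter names are hypothetical.

```python
import re

# Curly-brace GUID form the policy text requires for appids.
APPID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
EXAMPLE_APPID = "{b5dcb061-cefb-42e0-a1be-e6a6438133fe}"  # example from the policy text

def lint_exemptions(gp_list):
    """Return (malformed_appids, exempted_appids) for an exemption list.

    DCOM stores malformed entries without error, so an audit has to catch them."""
    malformed = [a for a in gp_list if not APPID_RE.match(a)]
    exempted = [a for a, v in gp_list.items() if v == 1 and APPID_RE.match(a)]
    return malformed, exempted

def check_enforced(appid, define, allow_local, gp_list, local_list,
                   has_specific_launch_aces=False):
    """True if the Activation security check is enforced for appid.

    define / allow_local are 'enabled', 'disabled' or 'not_configured'."""
    # Exemptions never apply when the custom launch permission carries specific
    # LocalLaunch/RemoteLaunch/LocalActivate/RemoteActivate entries.
    if has_specific_launch_aces:
        return True
    key = appid.lower()  # GUID text compared case-insensitively (assumption)
    gp = {k.lower(): v for k, v in gp_list.items()}
    local = {k.lower(): v for k, v in local_list.items()}
    # An explicit Group Policy entry wins: 1 = exempt, 0 = always enforce.
    if define == "enabled" and key in gp:
        return gp[key] != 1
    # The local list is consulted when explicitly allowed, or by default when
    # the Group Policy list is not in force (assumption for 'disabled').
    use_local = allow_local == "enabled" or (
        allow_local == "not_configured" and define != "enabled")
    if use_local:
        return local.get(key, 0) != 1
    return True

if __name__ == "__main__":
    # Constructed sample: one valid exemption and one entry missing its braces.
    sample = {EXAMPLE_APPID: 1, "b5dcb061-cefb-42e0-a1be-e6a6438133fe": 1}
    print(lint_exemptions(sample))
    print(check_enforced(EXAMPLE_APPID, "enabled", "enabled",
                         {EXAMPLE_APPID: 0}, {EXAMPLE_APPID: 1}))
```
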

Remove Logoff

This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shut down the computer, or click Log off from the Start menu. Also see the ‘Remove Logoff on the Start Menu’ policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.

Remove Task Manager

This policy setting prevents users from starting Task Manager. Task Manager (taskmgr.exe) lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run.

Remove Lock Computer

This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. Tip: To lock a computer without configuring a setting, press Ctrl+Alt+Delete and then click Lock this computer.

Remove Change Password

This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the ‘Change Password’ button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.

Do not display the password reveal button

This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

Require trusted path for credential entry

This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. Note: This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials.

Enumerate administrator accounts on elevation

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, users will always be required to type a user name and password to elevate.