Use forest search order
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found the KDC will return a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy setting the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found NTLM authentication might be used. To ensure consistent behavior this policy setting must be supported and set identically on all domain controllers in the domain.
Provide information about previous logons to client computers
This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting the domain controller provides the information message about previous logons. For Windows Logon to leverage this feature the “Display information about previous logons during user logon” policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. If you disable or do not configure this policy setting the domain controller does not provide information about previous logons unless the “Display information about previous logons during user logon” policy setting is enabled. Note: Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003 Windows 2000 native or Windows 2000 mixed domain controllers cannot provide information about previous logons and enabling this policy setting does not affect anything.
Do not allow sessions without one way CHAP
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if the “Do not allow sessions without mutual CHAP” setting is enabled then that setting overrides this one.
Do not allow sessions without mutual CHAP
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.
Do not allow connections without IPSec
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established.
Do not allow changes to initiator CHAP secret
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed.
Do not allow additional session logins
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.
Do not allow changes to initiator iqn name
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed.
Do not allow adding new targets via manual configuration
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. Note: if enabled there may be cases where this will break VDS.
Do not allow manual configuration of discovered targets
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. Note: if enabled there may be cases where this will break VDS.