Tag: Computer Configuration
Allow delegating fresh credentials
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the servers to which the user’s fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure (by default) this policy setting after proper mutual authentication delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting delegation of fresh credentials is not permitted to any machine. Note: The “Allow delegating fresh credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. For Example:TERMSRV/host. humanresources. fabrikam. comRemote Desktop Session Host running on host. humanresources. fabrikam. com machineTERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*. humanresources. fabrikam. com Remote Desktop Session Host running on all machines in . humanresources. fabrikam. com
Allow delegating default credentials with NTLM-only server authentication
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify the servers to which the user’s default credentials can be delegated (default credentials are those that you use when first logging on to Windows). If you disable or do not configure (by default) this policy setting delegation of default credentials is not permitted to any machine. Note: The “Allow delegating default credentials with NTLM-only server authentication” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example:TERMSRV/host. humanresources. fabrikam. com Remote Desktop Session Host running on host. humanresources. fabrikam. com machineTERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*. humanresources. fabrikam. com Remote Desktop Session Host running on all machines in . humanresources. fabrikam. com
Allow delegating default credentials
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the servers to which the user’s default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. If you disable or do not configure (by default) this policy setting delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information see KB. FWlink for KB:http://go. microsoft. com/fwlink/?LinkId=301508Note: The “Allow delegating default credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example:TERMSRV/host. humanresources. fabrikam. com Remote Desktop Session Host running on host. humanresources. fabrikam. com machineTERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*. humanresources. fabrikam. com Remote Desktop Session Host running on all machines in . humanresources. fabrikam. com
Allow users to select when a password is required when resuming from connected standby
This policy setting allows you to control whether or not the user may alter the time before a password is required when a device that supports connected standby’s screen turns off. If you enable this policy setting a user on a device that supports connected standby may configure the amount of time after the device’s screen turns off before a password is required when waking the device. The allowable time is limited by any EAS settings or group policies that affect the maximum idle time before a device locks. In addition if a password is required when a screensaver turns on the screensaver timeout will limit the allowable options the user may choose. If you disable or don’t configure this policy setting the user cannot configure the amount of time after the device’s screen turns off before a password is required when waking the device. Instead a password will be required immediately upon the screen turning off. Note: This policy setting only applies to domain-joined devices that support connected standby.
Turn off picture password sign-in
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting a domain user can’t set up or sign in with a picture password. If you disable or don’t configure this policy setting a domain user can set up and use a picture password. Note that the user’s domain password will be cached in the system vault when using this feature.
Turn on PIN sign-in
This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting a domain user can set up and sign in with a PIN. If you disable or don’t configure this policy setting a domain user can’t set up and use a PIN. Note that the user’s domain password will be cached in the system vault when using this feature.
Exclude credential providers
This policy setting allows the administrator to exclude the specifiedcredential providers from use during authentication. Note: credential providers are used to process and validate usercredentials during logon or when authentication is required. Windows Vista provides two default credential providers:Password and Smart Card. An administrator can install additionalcredential providers for different sets of credentials(for example to support biometric authentication). If you enable this policy an administrator can specify the CLSIDsof the credential providers to exclude from the set of installedcredential providers available for authentication purposes. If you disable or do not configure this policy all installed and otherwise enabled credential providers are available for authentication purposes.
Assign a default domain for logon
This policy setting specifies a default logon domain which might be a different domain than the domain to which the computer is joined. Without this policy setting at logon if a user does not specify a domain for logon the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain the default domain for user logon is Fabrikam. If you enable this policy setting the default logon domain is set to the specified domain which might be different than the domain to which the computer is joined. If you disable or do not configure this policy setting the default logon domain is always set to the domain to which the computer is joined.
Apply the default account picture to all users
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. Note: The default account picture is stored at %PROGRAMDATA% -> Microsoft -> User Account Pictures -> user. jpg. The default guest picture is stored at %PROGRAMDATA% -> Microsoft -> User Account Pictures -> guest. jpg. If the default pictures do not exist an empty frame is displayed. If you enable this policy setting the default user account picture will display for all users on the system with no customization allowed. If you disable or do not configure this policy setting users will be able to customize their account pictures.
Force a specific default lock screen image
This setting allows you to force a specific default lock screen image by entering the path (location) of the image file. This setting lets you specify the default lock screen image shown when no user is signed in and also sets the specified image as the default for all users (it replaces the inbox default image). To use this setting type the fully qualified path and name of the file that stores the default lock screen image. You can type a local path such as C: -> windows -> web -> screen -> lockscreen. jpg or a UNC path such as -> -> Server -> Share -> Corp. jpg. This can be used in conjunction with the “Prevent changing lock screen image” setting to always force the specified lock screen image to be shown. Note: This setting only applies to domain-joined machines or unconditionally in Enterprise and Server SKUs.