Tag: Computer Configuration
Hash Version support for BranchCache
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify that only one version is supported, content information for that version is the only type that BranchCache generates, and it is the only type of content information that client computers can retrieve. For example, if you enable support for V1 hashes only, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes; a client that understands only V2 content information cannot use BranchCache against that server, so restricting the version is a compatibility decision, not a hardening one.
Policy configuration. Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported.
- Enabled. With this selection, the policy setting is applied and the hash version(s) specified in “Hash version supported” are generated and retrieved.
- Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported.
In circumstances where this setting is enabled, you can also configure the following option:
Hash version supported:
- To support V1 content information only, configure “Hash version supported” with the value of 1.
- To support V2 content information only, configure “Hash version supported” with the value of 2.
- To support both V1 and V2 content information, configure “Hash version supported” with the value of 3.
Hash Publication for BranchCache
This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed.
Policy configuration. Select one of the following:
- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not overwrite the enabled setting that you use on the individual servers where you want BranchCache enabled.
- Enabled. With this selection, hash publication is turned on for all file servers to which Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares.
- Disabled. With this selection, hash publication is turned off for all file servers to which Group Policy is applied.
In circumstances where this policy setting is enabled, you must also select one of the following configuration options:
- Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server.
- Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server.
- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content.
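The following PowerShell is an added example, not part of the policy text. It enables BranchCache on selected shares (the cmdlet equivalent of the Share and Storage Management checkbox) and reports which shares will actually have content information published under the effective publication mode and hash version. The registry value names HashPublicationForPeerCaching and HashSupportVersion under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer, their numeric meanings, and the share names are assumptions.

```powershell
# Added example (not part of the policy text). Run on the file server.
# ASSUMED: the two policies above are stored as DWORDs under this key:
#   HashPublicationForPeerCaching  0 = disallow, 1 = all shares, 2 = BranchCache-enabled shares only
#   HashSupportVersion             1 = V1 only, 2 = V2 only, 3 = both
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

function Get-HashPublicationMode {
    param($Policy)
    if ($null -eq $Policy -or $null -eq $Policy.HashPublicationForPeerCaching) {
        return 'NotConfigured'            # domain policy is silent; local policy (if any) decides
    }
    switch ([int]$Policy.HashPublicationForPeerCaching) {
        0       { 'DisallowAll' }
        1       { 'AllShares' }
        2       { 'BranchCacheSharesOnly' }
        default { 'Unknown' }
    }
}

function Get-HashVersionMode {
    param($Policy)
    if ($null -eq $Policy -or $null -eq $Policy.HashSupportVersion) { return 'V1+V2 (default)' }
    switch ([int]$Policy.HashSupportVersion) {
        1       { 'V1 only' }
        2       { 'V2 only' }
        3       { 'V1+V2' }
        default { 'Unknown' }
    }
}

$mode = Get-HashPublicationMode $policy
"Hash publication : $mode"
"Hash versions    : $(Get-HashVersionMode $policy)"

# Mark the shares that should serve BranchCache content. CachingMode BranchCache is
# what "Enable BranchCache" in Share and Storage Management sets on the share.
$branchCacheShares = 'Engineering', 'Docs'        # example share names
foreach ($name in $branchCacheShares) {
    if (Get-SmbShare -Name $name -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $name -CachingMode BranchCache -Force
    }
}

# Which shares will actually get content information under the effective mode?
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_                                   # switch rebinds $_ inside its blocks
    $publishes = switch ($mode) {
        'AllShares'             { $true }
        'BranchCacheSharesOnly' { $share.CachingMode -eq 'BranchCache' }
        'DisallowAll'           { $false }
        default                 { $share.CachingMode -eq 'BranchCache' }  # assumes no local policy either
    }
    [pscustomobject]@{
        Share           = $share.Name
        Path            = $share.Path
        CachingMode     = $share.CachingMode
        PublishesHashes = $publishes
    }
} | Format-Table -AutoSize
```

Run it elevated. If the report shows PublishesHashes false for a share you expect to be cached, the cause is one of the two layers the policy text describes: either the publication mode forbids it, or the share itself was never enabled for BranchCache.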
Do not process the run once list
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. If you enable this policy setting, the system ignores the run-once list. If you disable or do not configure this policy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Enabling the policy only stops the list from being processed; entries written to that key remain in place, so a review of persistence mechanisms should still read it. Also see the “Do not process the legacy run list” policy setting.
Do not process the legacy run list
This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. If you disable or do not configure this policy setting, Windows Vista adds any customized run list that is configured to its run list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. Note: To create a customized run list by using a policy setting, use the “Run these applications at startup” policy setting. Also see the “Do not process the run once list” policy setting.
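As an added example for the two "Do not process" settings above (not part of the policy text), the following PowerShell enumerates the Run and RunOnce lists in both hives and shows whether the policies will suppress each entry, applying the precedence rule the text states (Computer Configuration over User Configuration). The DWORD names DisableLocalMachineRun, DisableLocalMachineRunOnce, DisableCurrentUserRun and DisableCurrentUserRunOnce under ...\CurrentVersion\Policies\Explorer are the assumed storage for the policy state; the page does not name them.

```powershell
# Added example (not part of the policy text): list Run/RunOnce autostart entries and
# whether the "Do not process ..." policies will keep them from running.
# ASSUMED policy storage (DWORD 1 = policy enabled), not named on the page:
#   HKLM or HKCU \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
#     DisableLocalMachineRun / DisableLocalMachineRunOnce   (HKLM lists)
#     DisableCurrentUserRun  / DisableCurrentUserRunOnce    (HKCU lists)

function Get-RunListSuppressed {
    param([string]$ValueName)
    # Computer Configuration (HKLM) takes precedence over User Configuration (HKCU).
    foreach ($root in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty -Path "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
                              -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $p) { return ([int]$p.$ValueName -eq 1) }
    }
    return $false        # not configured (or disabled): the list is processed
}

$lists = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                 Policy = 'DisableLocalMachineRun' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';             Policy = 'DisableLocalMachineRunOnce' }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run';     Policy = 'DisableLocalMachineRun' }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'; Policy = 'DisableLocalMachineRunOnce' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                 Policy = 'DisableCurrentUserRun' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';             Policy = 'DisableCurrentUserRunOnce' }
)

$entries = foreach ($list in $lists) {
    if (-not (Test-Path $list.Key)) { continue }
    $suppressed = Get-RunListSuppressed $list.Policy
    $key = Get-Item $list.Key
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            List    = $list.Key
            Entry   = $name                 # RunOnce: leading '!' = delete only after the command exits,
            Command = $key.GetValue($name)  #          leading '*' = run even in Safe Mode
            WillRun = -not $suppressed
        }
    }
}
$entries | Sort-Object WillRun -Descending | Format-Table -AutoSize
```

Because the policy suppresses processing rather than clearing the keys, an entry with WillRun false is still a persistence artifact worth explaining; the script is meant for that triage, not as a substitute for removing the entry.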
Define interoperable Kerberos V5 realm settings
This policy setting configures the Kerberos client so that it can authenticate with the interoperable Kerberos V5 realms defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box, in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and the host names of the realm's KDCs, using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. Because a realm definition tells the client which KDCs to trust for that realm, treat these entries as trust configuration: anyone who can change them, by policy or in the local registry, can point the client at a KDC of their choosing.
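The local-registry path the last sentence refers to is what ksetup manages. As an added example (not part of the policy text), the following PowerShell defines an interoperable realm with ksetup and then reads back what the Kerberos client has on disk, which is what it will use when the policy is Not Configured. The realm name, KDC hosts and mapped host are hypothetical; the Lsa\Kerberos\Domains key with KdcNames and RealmFlags values is the location ksetup writes to.

```powershell
# Added example (not part of the policy text): define an MIT Kerberos realm locally with
# ksetup and show the resulting client configuration. Run elevated. Names are hypothetical.
$realm = 'EXAMPLE.ORG'                           # MIT realm names are conventionally upper case
$kdcs  = 'kdc1.example.org', 'kdc2.example.org'

foreach ($kdc in $kdcs) {
    ksetup /addkdc $realm $kdc                   # one call per KDC; the realm is created on first use
}
# Realm flags describe how to talk to the realm; 'ksetup /listrealmflags' prints the names.
ksetup /setrealmflags $realm tcpsupported ncsupported
# Map a host to the realm so tickets for it are requested from that realm's KDCs.
ksetup /addhosttorealmmap app1.example.org $realm

# Read back the per-realm configuration the Kerberos client will use.
$domainsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
Get-ChildItem -Path $domainsKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Realm      = $_.PSChildName
        KdcNames   = ($p.KdcNames -join ', ')     # REG_MULTI_SZ, one KDC per line
        RealmFlags = ('0x{0:x}' -f [int]$p.RealmFlags)
    }
} | Format-Table -AutoSize
```

ksetup /dumpstate prints the same information in one shot. Deploying the realm list through this policy rather than by hand has the advantage that the Disabled state removes the policy-defined entries, giving you a clean way to retire a trust.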
Always send compound authentication first
This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies “KDC support for claims, compound authentication and Kerberos armoring” and “Request compound authentication” must be configured and enabled in the resource account domain. If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices send a non-compounded authentication request first, and then a compound authentication request when the service requests compound authentication.
Kerberos client support for claims compound authentication and Kerberos armoring
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control, and Kerberos armoring, when using Kerberos authentication with domains that support these features. If you enable this policy setting, client computers will request claims, provide the information required to create compound authentication, and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or do not configure this policy setting, client devices will not request claims, will not provide the information required to create compound authentication, and will not armor Kerberos messages. Services hosted on the device will also not be able to retrieve claims for clients by using Kerberos protocol transition.
Set maximum Kerberos SSPI context token buffer size
This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value or the locally allowed maximum value, whichever is smaller. If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003 with a default value of 12000 bytes. Beginning with Windows 8, the default is 48000 bytes. Because HTTP base64-encodes authentication context tokens (expanding them by a third), it is not advised to set this value to more than 48000 bytes.
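As an added example (not part of the policy text), the following PowerShell reads the MaxTokenSize in effect on the local computer, estimates a user's Kerberos token size from group counts, and shows the base64 expansion the last sentence is about. The estimate uses the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s); the group counts are hypothetical, and the function names are my own.

```powershell
# Added example (not part of the policy text). Group counts below are hypothetical.
$paramsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$configured = (Get-ItemProperty -Path $paramsKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
# Defaults from the policy text: 12000 before Windows 8, 48000 from Windows 8 (NT 6.2) on.
$osDefault  = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }
$maxToken   = if ($null -ne $configured) { [int]$configured } else { $osDefault }

function Get-EstimatedTokenSize {
    # KB 327825 estimate: TokenSize = 1200 + 40*d + 8*s
    #   d = domain-local groups + universal groups outside the account domain + SIDs in sIDHistory
    #   s = global groups + universal groups in the account domain
    param(
        [int]$DomainLocalAndForeignUniversal,
        [int]$GlobalAndLocalUniversal,
        [int]$SidHistoryCount = 0
    )
    1200 + 40 * ($DomainLocalAndForeignUniversal + $SidHistoryCount) + 8 * $GlobalAndLocalUniversal
}

function Get-Base64Length {
    # base64 emits 4 characters for every 3 input bytes, so the token grows by a third on the wire
    param([int]$Bytes)
    [int]([math]::Ceiling($Bytes / 3) * 4)
}

# Hypothetical heavily nested account: 900 domain-local/foreign-universal groups,
# 150 global groups, 20 SIDs carried in sIDHistory from a migration.
$estimate = Get-EstimatedTokenSize -DomainLocalAndForeignUniversal 900 -GlobalAndLocalUniversal 150 -SidHistoryCount 20

[pscustomobject]@{
    MaxTokenSizeConfigured = $configured          # $null when the policy/value is absent
    MaxTokenSizeEffective  = $maxToken
    EstimatedTokenBytes    = $estimate            # 1200 + 40*920 + 8*150 = 39200
    FitsInBuffer           = ($estimate -le $maxToken)
    HttpHeaderCharsAtMax   = Get-Base64Length $maxToken   # 48000 bytes -> 64000 characters
}
```

The worked numbers show why the ceiling matters: this account fits under the 48000-byte default but not under the 12000-byte legacy one, and at the maximum the base64 form is 64000 characters, which is why the text warns against going higher for HTTP-fronted services. When a real user exceeds the buffer the fix is to shrink the token (prune group memberships, clean up sIDHistory) rather than keep raising MaxTokenSize.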
Support compound authentication
This policy setting controls how the device's Active Directory account is configured for compound authentication. Providing compound authentication, which is used for access control, requires enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy “Support Dynamic Access Control and Kerberos armoring” on all the domain controllers to support this policy. If you enable this policy setting, the device's Active Directory account is configured for compound authentication according to one of the following options:
- Never: Compound authentication is never provided for this computer account.
- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control.
- Always: Compound authentication is always provided for this computer account.
If you disable this policy setting, Never is used. If you do not configure this policy setting, Automatic is used.
Fail authentication requests when Kerberos armoring is not available
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. Warning: If a domain does not support Kerberos armoring (that is, “Support Dynamic Access Control and Kerberos armoring” is not enabled on its domain controllers), then all authentication for all of its users will fail from computers that have this policy setting enabled. If you enable this policy setting, client computers in the domain require Kerberos armoring, but only in authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. Note: The Kerberos Group Policy “Kerberos client support for claims, compound authentication and Kerberos armoring” must also be enabled for Kerberos armoring to be supported. If you disable or do not configure this policy setting, client computers in the domain use Kerberos armoring when possible, as supported by the target domain. A safe rollout order follows from the warning: enable the client support policy and confirm that every domain controller in the account domain supports armoring before enabling this setting, because enabling it first locks the computer out.
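As an added example (not part of the policy text) covering the "Always send compound authentication first", "Kerberos client support for claims, compound authentication and Kerberos armoring" and "Fail authentication requests when Kerberos armoring is not available" settings above, the following PowerShell reads the client-side policy state on a domain member and flags the combinations those descriptions say cannot work, such as requiring armoring without enabling client support. The registry key under Policies\System\Kerberos\Parameters and the value names EnableCbacAndArmor, AlwaysSendCompoundId and RequireFast (and, on a domain controller, the KDC\Parameters key with EnableCbacAndArmor and RequestCompoundId) are assumptions; the page does not state where these policies are stored.

```powershell
# Added example (not part of the policy text): audit the Kerberos claims / compound
# authentication / armoring client policies and report unsatisfiable combinations.
# ASSUMED storage (DWORDs; absent = Not Configured), not stated on the page:
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
#     EnableCbacAndArmor   = "Kerberos client support for claims, compound authentication and Kerberos armoring"
#     AlwaysSendCompoundId = "Always send compound authentication first"
#     RequireFast          = "Fail authentication requests when Kerberos armoring is not available"
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$kdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'   # ASSUMED DC-side key

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }        # Not Configured
    [int]$p.$Name
}

$support      = Get-PolicyDword $clientKey 'EnableCbacAndArmor'
$alwaysCmpd   = Get-PolicyDword $clientKey 'AlwaysSendCompoundId'
$requireArmor = Get-PolicyDword $clientKey 'RequireFast'

$findings = New-Object System.Collections.Generic.List[string]

if ($support -ne 1) {
    $findings.Add('Client support is not enabled: no claims requests, no compound requests, no armoring; services on this host cannot retrieve claims via protocol transition.')
}
if ($requireArmor -eq 1 -and $support -ne 1) {
    $findings.Add('CONFLICT: armoring is required but client support is not enabled, so armoring can never be negotiated; every AS/TGS exchange will fail.')
}
if ($requireArmor -eq 1) {
    $findings.Add('Armoring is mandatory for AS/TGS exchanges: every DC in the account domain must have "Support Dynamic Access Control and Kerberos armoring" enabled, or all authentication from this host fails.')
}
if ($alwaysCmpd -eq 1 -and $support -ne 1) {
    $findings.Add('"Always send compound authentication first" has no effect: without client support the device cannot build a compound request.')
}
if ($alwaysCmpd -ne 1) {
    $findings.Add('Compound requests are sent only after a service asks for them (one extra round trip); this is the default behaviour.')
}

# On a domain controller, show the KDC-side switches the client settings depend on.
if (Test-Path $kdcKey) {
    $kdcSupport = Get-PolicyDword $kdcKey 'EnableCbacAndArmor'     # ASSUMED name
    $kdcRequest = Get-PolicyDword $kdcKey 'RequestCompoundId'      # ASSUMED name
    $findings.Add("KDC policy on this DC: claims/armoring support = $kdcSupport, request compound authentication = $kdcRequest")
}

[pscustomobject]@{
    ClientSupport      = $support
    AlwaysSendCompound = $alwaysCmpd
    RequireArmoring    = $requireArmor
} | Format-List
$findings | ForEach-Object { "- $_" }
```

Run it on a pilot computer before the "Fail authentication requests" setting goes to production; the CONFLICT line is the case the policy note warns about, and it is the one that takes a machine off the domain until the policy is corrected or removed.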