Category: At least Windows Vista
Allow certificates with no extended key usage certificate attribute
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. If you enable this policy setting certificates with the following attributes can also be used to log on with a smart card:- Certificates with no EKU- Certificates with an All Purpose EKU- Certificates with a Client Authentication EKUIf you disable or do not configure this policy setting only certificates that contain the smart card logon object identifier can be used to log on with a smart card.
Prevent users from sharing files within their profile.
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting users cannot share files within their profile using the sharing wizard. Also the sharing wizard cannot create a share at %root% -> users and can only be used to create SMB shares on folders. If you disable or don’t configure this policy setting users can share files out of their user profile after an administrator has opted in the computer.
Allow logon scripts when NetBIOS or WINS is disabled
This policy setting allows user logon scripts to run when the logon cross-forest DNS suffixes are not configured and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. If you disable or do not configure this policy setting user account cross-forest interactive logging cannot run logon scripts if NetBIOS or WINS is disabled and the DNS suffixes are not configured.
All Removable Storage: Allow direct access in remote sessions
This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting remote users can open direct handles to removable storage devices in remote sessions. If you disable or do not configure this policy setting remote users cannot open direct handles to removable storage devices in remote sessions.
WPD Devices: Deny write access
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays and CE devices. If you enable this policy setting write access is denied to this removable storage class. If you disable or do not configure this policy setting write access is allowed to this removable storage class.
WPD Devices: Deny write access
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays and CE devices. If you enable this policy setting write access is denied to this removable storage class. If you disable or do not configure this policy setting write access is allowed to this removable storage class.
Tape Drives: Deny read access
This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting read access is denied to this removable storage class. If you disable or do not configure this policy setting read access is allowed to this removable storage class.
Tape Drives: Deny read access
This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting read access is denied to this removable storage class. If you disable or do not configure this policy setting read access is allowed to this removable storage class.
All Removable Storage classes: Deny all access
Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes use the policy settings available for each class. If you enable this policy setting no access is allowed to any removable storage class. If you disable or do not configure this policy setting write and read accesses are allowed to all removable storage classes.
All Removable Storage classes: Deny all access
Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes use the policy settings available for each class. If you enable this policy setting no access is allowed to any removable storage class. If you disable or do not configure this policy setting write and read accesses are allowed to all removable storage classes.