Hide entry points for Fast User Switching

This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu, and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The Switch User interface appears in three locations: the Logon UI, the Start menu, and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.

Turn on Responder (RSPNDR) driver

This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the “Allow operation while in domain” option to allow the Responder to operate on a network interface that’s connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the “Allow operation while in public network” and “Prohibit operation while in private network” options instead. If you disable or do not configure this policy setting, the default behavior for the Responder will apply.

Turn on Mapper I/O (LLTDIO) driver

This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it’s connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the “Allow operation while in domain” option to allow LLTDIO to operate on a network interface that’s connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the “Allow operation while in public network” and “Prohibit operation while in private network” options instead. If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.

Configure Scenario Execution Level

This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems. If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default. If you disable this policy setting, the DPS is not able to diagnose memory leak problems.

This policy setting takes effect only under the following conditions:

- If the diagnostics-wide scenario execution policy is not configured.
- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.

Note: The DPS can be configured with the Services snap-in to the Microsoft Management Console. No operating system restart or service restart is required for this policy to take effect. Changes take effect immediately.

Require strict KDC validation

This policy setting controls the Kerberos client’s behavior in validating the KDC certificate for smart card and system certificate logon. If you enable this policy setting, the Kerberos client requires that the KDC’s X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC’s X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC’s X.509 certificate be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC’s X.509 certificate. If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions, which can be issued to any server.

Define interoperable Kerberos V5 realm settings

This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box, in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.

Do not allow sessions without one way CHAP

If enabled, then only those sessions that are configured for one-way CHAP may be established. If disabled, then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if the “Do not allow sessions without mutual CHAP” setting is enabled, then that setting overrides this one.