Deny delegating default credentials

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). If you disable or do not configure (by default) this policy setting, no server is specified.

Note: The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list.

Allow delegating saved credentials with NTLM-only server authentication

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. If you disable this policy setting, delegation of saved credentials is not permitted to any machine.

Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

Allow delegating saved credentials

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of saved credentials is not permitted to any machine.

Note: The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

Assign a default domain for logon

This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, if a user does not specify a domain at logon, the domain to which the computer belongs is assumed as the default domain. For example, if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. If you enable this policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer is joined. If you disable or do not configure this policy setting, the default logon domain is always set to the domain to which the computer is joined.

Apply the default account picture to all users

This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. If you disable or do not configure this policy setting, users will be able to customize their account pictures.

Allow delegating fresh credentials with NTLM-only server authentication

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.

Note: The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

Allow delegating fresh credentials

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.

Note: The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

Allow delegating default credentials with NTLM-only server authentication

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.

Because NTLM does not authenticate the server to the client, an SPN listed here only names the host the client believes it is talking to; a wildcard entry such as TERMSRV/* therefore allows the logon credentials to be handed to any host that answers under that name, so keep this list as narrow as possible.

Note: The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

Allow delegating default credentials

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see the KB article at http://go.microsoft.com/fwlink/?LinkId=301508

CredSSP delegation sends the user's actual credentials to the target server rather than a ticket scoped to that server, so a server that receives them can reuse them elsewhere. Limit the list to the servers that genuinely need delegation and use the "Deny delegating default credentials" list to carve exceptions out of any wildcard entry.

Note: The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
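The following PowerShell is an added example (not part of the original policy text and not Microsoft's code) that configures the "Allow delegating default credentials" and "Deny delegating default credentials" lists described above directly in the policy registry key, then evaluates a target SPN the way the two lists combine: a deny entry overrides an allow wildcard. The registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, the DWORD names AllowDefaultCredentials and DenyDefaultCredentials, and the numbered REG_SZ list layout are taken from the CredSsp.admx template; treat them as assumptions to verify against the template shipped with your Windows build. The host names are the ones used in the examples on this page.

```powershell
# Added example: configure and audit CredSSP credential-delegation policy.
# Assumption: key/value names below follow CredSsp.admx (verify on your build).
# Run from an elevated PowerShell session; changes take effect at next sign-on.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Set-CredSspSpnList {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. AllowDefaultCredentials, DenyDefaultCredentials
        [Parameter(Mandatory)][string[]]$Spns
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # The policy is "Enabled" when a DWORD of the same name under the key is 1 ...
    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    # ... and the server list is a subkey of that name holding one REG_SZ per
    # entry, named "1", "2", ... (how the ADMX list element is stored).
    $ListKey = Join-Path $Key $Name
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null
    $i = 1
    foreach ($spn in $Spns) {
        New-ItemProperty -Path $ListKey -Name ([string]$i) -Value $spn -PropertyType String | Out-Null
        $i++
    }
}

function Get-CredSspSpnList {
    # Returns the configured SPN entries, or nothing if the policy is not enabled.
    param([Parameter(Mandatory)][string]$Name)
    $ListKey = Join-Path $Key $Name
    $enabled = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($enabled -ne 1 -or -not (Test-Path $ListKey)) { return @() }
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

function Test-SpnMatch {
    # Single-wildcard match as the policy text describes: one '*' stands for any
    # run of characters; everything else is a literal, compared case-insensitively.
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string]$Target)
    if (($Pattern.ToCharArray() | Where-Object { $_ -eq '*' }).Count -gt 1) {
        throw "Only a single wildcard is permitted in an SPN entry: $Pattern"
    }
    $regex = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    return [bool]($Target -match $regex)   # -match is case-insensitive by default
}

function Test-DelegationAllowed {
    # Deny entries take precedence over Allow entries; that is what lets the
    # Deny list carve exceptions out of a wildcard in the Allow list.
    param(
        [Parameter(Mandatory)][string]$TargetSpn,
        [string]$AllowList = 'AllowDefaultCredentials',
        [string]$DenyList  = 'DenyDefaultCredentials'
    )
    $denied = @(Get-CredSspSpnList -Name $DenyList | Where-Object { Test-SpnMatch -Pattern $_ -Target $TargetSpn })
    if ($denied.Count -gt 0) { return $false }
    $allowed = @(Get-CredSspSpnList -Name $AllowList | Where-Object { Test-SpnMatch -Pattern $_ -Target $TargetSpn })
    return ($allowed.Count -gt 0)
}

# The combination described on this page: permit every Remote Desktop Session
# Host in humanresources.fabrikam.com, but carve out one host.
Set-CredSspSpnList -Name AllowDefaultCredentials -Spns 'TERMSRV/*.humanresources.fabrikam.com'
Set-CredSspSpnList -Name DenyDefaultCredentials  -Spns 'TERMSRV/host.humanresources.fabrikam.com'

Test-DelegationAllowed -TargetSpn 'TERMSRV/other.humanresources.fabrikam.com'
Test-DelegationAllowed -TargetSpn 'TERMSRV/host.humanresources.fabrikam.com'
Test-DelegationAllowed -TargetSpn 'TERMSRV/srv.finance.fabrikam.com'
```

Of the three checks at the end, only the first target is allowed: the second is matched by the deny entry even though it also matches the allow wildcard, and the third matches nothing in the allow list. The same two functions work for the fresh and saved credential lists (and their NTLM-only variants) by passing the corresponding Allow*/Deny* value names; when auditing, remember that the NTLM-only lists are consulted only when server authentication was NTLM.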

Exclude credential providers

This policy setting allows the administrator to exclude the specified credential providers from use during authentication. Note: credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes.
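Because the policy takes raw CLSIDs, the practical problem is finding the right one and not excluding every provider at once. The PowerShell below is an added example (not from the original page or from Microsoft) that lists the registered providers with their CLSIDs and then writes the exclusion list. Assumptions: installed providers register under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers with the CLSID as the subkey name, and the policy is stored as a comma-separated REG_SZ named ExcludedCredentialProviders under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, as in CredentialProviders.admx; verify both against your build before relying on them.

```powershell
# Added example: enumerate credential providers and exclude selected CLSIDs.
# Assumption: registry locations follow CredentialProviders.admx and the
# provider registration key (verify on your build). Run elevated.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-InstalledCredentialProvider {
    # Each subkey name is the provider's CLSID; its default value is the friendly name.
    Get-ChildItem -Path $ProviderKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Set-ExcludedCredentialProvider {
    param([Parameter(Mandatory)][string[]]$Clsid)
    $installed = @((Get-InstalledCredentialProvider).Clsid)
    # A CLSID that is not registered silently excludes nothing, so reject typos.
    foreach ($c in $Clsid) {
        if ($installed -notcontains $c) { throw "CLSID $c is not a registered credential provider" }
    }
    # Excluding every provider leaves no way to sign in at all.
    if (@($Clsid | Select-Object -Unique).Count -ge $installed.Count) {
        throw 'Refusing to exclude all installed credential providers'
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The policy stores the CLSIDs as one comma-separated REG_SZ.
    Set-ItemProperty -Path $PolicyKey -Name 'ExcludedCredentialProviders' -Value ($Clsid -join ',') -Type String
}

function Get-ExcludedCredentialProvider {
    $v = (Get-ItemProperty -Path $PolicyKey -Name 'ExcludedCredentialProviders' -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    if ($v) { $v -split ',' } else { @() }
}

# 1. See what is registered and pick the CLSID(s) to exclude.
Get-InstalledCredentialProvider | Format-Table -AutoSize
# 2. Exclude by CLSID (placeholder: substitute a CLSID printed in step 1).
# Set-ExcludedCredentialProvider -Clsid '{00000000-0000-0000-0000-000000000000}'
# 3. Confirm what the policy now excludes.
Get-ExcludedCredentialProvider
```

Excluding a provider takes effect at the next logon screen, so confirm that the provider you want users to keep (for example Password or Smart Card) is still present in the list from step 1 before applying the change on a machine you cannot reach out of band.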