Windows 7 / Security and Privacy

Configuring User Account Policies

Because domain controllers share the domain accounts database, user account policies must be consistent across all domain controllers. Consistency is ensured by having domain controllers obtain user account policies only from the domain container and by allowing only one top-level account policy for domain accounts. That top-level account policy is determined by the highest precedence Group Policy object (GPO) linked to the domain container, and it is then enforced by every domain controller in the domain. By default, the highest precedence GPO linked to the domain container is the Default Domain Policy GPO.

When a domain is operating at the Windows Server 2008 functional level, two new object classes in the Active Directory schema allow you to fine-tune the way account policy is applied:

  • Password Settings container
  • Password Settings object

The default Password Settings container (PSC) is created under the System container in the domain, and it stores the Password Settings objects (PSOs) for the domain. Although you cannot rename, move, or delete the default PSC, you can add PSOs to this container that define the various sets of secondary account policy settings you want to use in your domain. You can then apply the desired secondary account policy settings to users, inetOrgPersons, and global security groups, as discussed in the upcoming section "Creating Password Settings Objects and Applying Secondary Settings."

The account policies for a domain contain three subsets: Password Policy, Account Lockout Policy, and Kerberos Policy. Secondary account policies include Password Policy and Account Lockout Policy but not Kerberos Policy. Kerberos Policy can be set only at the domain level, in the top-level account policy.
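The PSC/PSO workflow described above, as an added example that is not part of the original page. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT, not mentioned on the page), and the group name, PSO name and user name are placeholders.

```powershell
# Added example, not from the page. Assumes the ActiveDirectory module;
# 'PrivilegedAdmins', 'PSO-PrivilegedAdmins' and 'jdoe' are placeholder names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# The default Password Settings container lives under CN=System and cannot be
# renamed, moved or deleted; every PSO is created as a child of it.
$psc = Get-ADObject -Identity "CN=Password Settings Container,CN=System,$domainDN"
Write-Host "PSC: $($psc.DistinguishedName)"

# A PSO carries only Password Policy and Account Lockout Policy settings.
# Kerberos Policy has no PSO attributes; it stays in the top-level domain policy.
$psoParams = @{
    Name                        = 'PSO-PrivilegedAdmins'
    Precedence                  = 10     # lowest value wins if several PSOs apply to one user
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}
New-ADFineGrainedPasswordPolicy @psoParams

# PSOs can be applied only to users, inetOrgPersons and global security groups;
# here the subject is a placeholder global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'PrivilegedAdmins'

# Verify which policy a given account actually receives. A $null result means no
# PSO applies and the account falls back to the top-level account policy, which
# by default comes from the Default Domain Policy GPO.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $resultant) {
    Write-Host "jdoe uses the top-level account policy (Default Domain Policy GPO)"
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

Run it as a member of Domain Admins on a domain at the Windows Server 2008 functional level or higher; the resultant-policy check is the quickest way to confirm a group-based PSO reached the intended accounts.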

Local Account Policy Is Used for Local Log On

Local account policies can be different from the domain account policy, such as when you specifically define an account policy for local accounts in a computer's local GPO (LGPO). For example, if you configure an account policy for a computer's LGPO, when users log on to Active Directory they'll obtain their account policy from the Default Domain Policy instead of the LGPO. The only exception is when users log on locally to their machines instead of logging on to Active Directory; in that case any account policy applied to their machine's local GPO is applied and enforced.

Some Security Options Are Also Obtained from the Default Domain Policy GPO

Two policies in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options also behave like account policies. These policies are Network Access: Allow Anonymous SID/Name Translation and Network Security: Force Logoff When Logon Hours Expire. For domain accounts, the settings for these policies are obtained only from the Default Domain Policy GPO. For local accounts, the settings for these policies can come from a local OU GPO if one is defined and applicable.