This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (admx/adml) delive
Windows Server® 2008 R2 and Windows® 7. The policy settings included in this spreadsheet cover Windows 7, Windows Server 2008 R2,
Windows Server 2008, Windows Vista with SP1, Microsoft Windows Server 2003 with SP2 or earlier service packs, Windows XP Professiona
or earlier service packs, and Windows 2000 with SP5 or earlier service packs. These files are used to expose policy settings when you edit
Group Policy objects (GPOs) using the Group Policy Management Console (GPMC).
You can use the filtering capabilities included in this spreadsheet to view a specific subset of data based on one value or a combination of val
in one or more of the columns. In addition, you can click Custom in the drop-down list of any of the column headings to add additional filtering
To view a specific subset of data, click the drop-down arrow in the column heading of cells that contain the value or combination of values on
and then click the desired value in the drop-down list. For example, to view a subset of policy settings that are available for Windows Server 2
Administrative Template worksheet, click the drop-down arrow next to Supported On, and then click At least Microsoft Windows Server 2
What's New
The spreadsheet contains three columns that provide more information about each policy setting's behavior related to reboots, logoffs, and sc
These columns are the following:
Reboot Required: A "Yes" in this column means Windows requires a restart before it applies the described policy setting.
Logoff Required: A "Yes" in this column means Windows requires the user to log off and log on again before it applies the described polic
Active Directory Schema or Domain Requirements: A "Yes" in this column means you extend your Active Directory Schema before dep
Legal Notice
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Becaus
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMAT
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be repro
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express wr
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except
agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein
company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.
Restricted Groups
System Services
Registry
File System
Supported On
This setting does not change the behavior of the UAC elevation prompt for administrators. If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation prompt for standard users" setting. I
Retention method for application log
This security setting determines the "wrapping" method for the application log.
If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite eve
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not over
Note: This setting does not appear in the Local Computer Policy object.
Default: None.
Retention method for security log
This security setting determines the "wrapping" method for the security log.
If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not over
Notes
This setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
Default: None.
Retention method for system log
This security setting determines the "wrapping" method for the system log.
If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not over
Note: This setting does not appear in the Local Computer Policy object.
Default: None.
Restricted Groups
This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).
The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list
When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members l
You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that ar
column.
For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group
Define the policy in a security template, which will be applied during configuration on your local computer.
Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are re
Default: None specified.
Caution
If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This
Notes
Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belong
System Services security settings
Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system se
Default: Undefined.
Notes
This setting does not appear in the Local Computer Policy object.
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Default: Undefined.
Note: This setting does not appear in the Local Computer Policy object.
File System security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Default: Undefined.
Note: This setting does not appear in the Local Computer Policy object.
Reboot Required / Logoff Required / Comments columns (comment text only; per-row Yes/No values not recoverable):
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
Logoff required.
Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
Note: See also the corresponding Windows 2003 Allow log on locally policy setting, earlier in this worksheet.
For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.
Restart of service might be sufficient.
Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows NT 4.0 Service Pack 6 or higher.
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
Only LogOff is required for W2K, XP and W2K3. For Vista, start/restart of the scpolicysvc will work, or LogOff.
Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security setting on members of the Windows Server 2003 family.
Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP Professional.
Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network.
Important: This policy setting will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Require restart of recovery console.
Requires logoff.
Requires reboot with CNG on Vista; does NOT require reboot with CAPI on Vista; does not require reboot on XP, 2003 with CAPI.
This policy does not exist on Vista.
Note: This setting does not appear in the Local Computer Policy object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec
Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Note: This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to access the security log.