Group Policy Management
RU-PO-WIN-C-PCI Policy for all Terminal Servers
Data collected on: 2-9-2025 08:52:40
General
Details
Domain | emea.tpg.ads
Owner | EMEA\kornev.5
Created | 16-1-2015 06:26:26
Modified | 24-6-2025 14:12:12
User Revisions | 3 (AD), 3 (SYSVOL)
Computer Revisions | 203 (AD), 203 (SYSVOL)
Unique ID | {b945a0e8-9b74-4e08-b5e0-593501696dde}
GPO Status | User settings disabled
Links
Location | Enforced | Link Status | Path
MOS | No | Enabled | emea.tpg.ads/RU/Systems/Servers/MOS
Tier2 | No | Enabled | emea.tpg.ads/RU/Systems/Servers/Tier2
VGG | No | Enabled | emea.tpg.ads/RU/Systems/Servers/VGG
VLD | No | Enabled | emea.tpg.ads/RU/Systems/Servers/VLD

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
EMEA\RU-L-SEC-GPO Terminal Servers
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
EMEA\Domain Admins | Edit settings, delete, modify security | No
EMEA\Domain Computers | Read | No
EMEA\kornev.5 | Edit settings, delete, modify security | No
EMEA\RU-L-SEC-Delegation Group Policy Objects Modify Access | Edit settings, delete, modify security | No
EMEA\RU-L-SEC-GPO Terminal Servers | Read (from Security Filtering) | No
NT AUTHORITY\Authenticated Users | Read | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
ROOT\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Account Policies/Password Policy
Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 60 days
Minimum password age | 1 days
Minimum password length | 12 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled
Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 30 minutes
Account lockout threshold | 6 invalid logon attempts
Reset account lockout counter after | 30 minutes
Local Policies/Audit Policy
Policy | Setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit process tracking | Success, Failure
Audit system events | Success, Failure
Local Policies/User Rights Assignment
Policy | Setting
Access this computer from the network | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Allow log on locally | BUILTIN\Administrators
Change the system time | BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Deny access to this computer from the network | NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests
Force shutdown from a remote system | BUILTIN\Administrators
Generate security audits | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory | BUILTIN\Administrators
Manage auditing and security log | BUILTIN\Administrators
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Profile system performance | BUILTIN\Administrators
Remove computer from docking station | BUILTIN\Administrators
Restore files and directories | BUILTIN\Administrators
Shut down the system | BUILTIN\Administrators
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | "uoincs"
Accounts: Rename guest account | "xGuest"
Audit
Policy | Setting
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices
Policy | Setting
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Domain Controller
Policy | Setting
Domain controller: Allow server operators to schedule tasks | Disabled
Domain controller: Refuse machine account password changes | Disabled
Domain Member
Policy | Setting
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive Logon
Policy | Setting
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Don't display last signed-in | Enabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 7 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
Interactive logon: Smart card removal behavior | Force Logoff
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft Network Server
Policy | Setting
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only
Network security: LDAP client signing requirements | Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
Require NTLMv2 session security | Enabled
Require 128-bit encryption | Enabled
Recovery Console
Policy | Setting
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Enabled
System Cryptography
Policy | Setting
System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used
System Objects
Policy | Setting
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
Registry Values
Policy | Setting
MACHINE\Software\Microsoft\Driver Signing\Policy | 2
Restricted Groups
Group | Members | Member of
BUILTIN\Administrators | EMEA\RU-L-SEC-Delegation Local Administration Rights RUVLDTERM, EMEA\RU-L-SEC-Delegation Local Administration Rights RUTERM, EMEA\RU-G-ORG-Systems Admins, EMEA\EMEA-G-ORG-DirectoryServices Admins, EMEA\Domain Admins |
System Services
AeLookupSvc (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Alerter (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Application Layer Gateway Service (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Application Management (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
ASP.NET State Service (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Audio (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
BITS (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Browser (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
CiSvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
ClipSrv (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
clr_optimization_v2.0.50727_32 (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
COM+ System Application (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Cryptographic Services (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
DCOM Server Process Launcher (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Dfs (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
DHCP Client (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
dmadmin (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
dmserver (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
ERSvc (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Event Log (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
COM+ Event System (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
FontCache3.0.0.0 (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
helpsvc (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Human Interface Device Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
HTTPFilter (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
idsvc (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
ImapiService (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
IsmServ (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
kdc (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Server (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Workstation (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
LicenseService (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
TCP/IP NetBIOS Helper (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Messenger (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
mnmsrvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Distributed Transaction Coordinator (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Installer (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
NetDDE (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
NetDDEdsdm (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Netlogon (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Network Connections (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Net.Tcp Port Sharing Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Nla (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
NtFrs (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
NtLmSsp (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
NtmsSvc (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Plug and Play (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
IPsec Policy Agent (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
ProtectedStorage (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Access Auto Connection Manager (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Access Connection Manager (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
RDSessMgr (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Routing and Remote Access (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Registry (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Procedure Call (RPC) Locator (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Procedure Call (RPC) (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Resultant Set of Policy Provider (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Special Administration Console Helper (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Security Accounts Manager (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Smart Card (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Task Scheduler (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Secondary Logon (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
System Event Notification Service (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Shell Hardware Detection (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
SNMP Service (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
SNMP Trap (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Print Spooler (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Image Acquisition (WIA) (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Microsoft Software Shadow Copy Provider (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
SysmonLog (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Desktop Services (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Themes (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
TlntSvr (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
TrkSvr (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Distributed Link Tracking Client (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Desktop Connection Broker (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
UMWdf (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
UPS (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Virtual Disk (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Volume Shadow Copy (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Time (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
W3SVC (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
WebClient (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Management Instrumentation (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
WmdmPmSN (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Wmi (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
WMI Performance Adapter (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Update (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
WZCSVC (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
xmlprov (Startup Mode: Manual)
Permissions
No permissions specified
Auditing
No auditing specified
File System
%SystemRoot%\System32\at.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\cacls.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\cmd.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Users | Read and Execute | This folder, subfolders and files
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\debug.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\drwatson.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\drwtsn32.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\edlin.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\eventcreate.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\eventtriggers.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\ftp.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\net.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\net1.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\netsh.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\rcp.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\reg.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\regedit.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\regedt32.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\regsvr32.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\rexec.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\rsh.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\runas.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\sc.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\ServerManager.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\subst.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\telnet.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\tftp.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | NT AUTHORITY\INTERACTIVE | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\system32\tlntsrv.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects: Disabled
Auditing
No auditing specified
Public Key Policies/Certificate Path Validation Settings/Stores
Policy | Setting
Allow user trusted root Certificate Authorities (CAs) to be used to validate certificates | Enabled
Allow users to trust peer trust certificates | Enabled
Peer trust certificate purposes: Client Authentication; Secure Email; Encrypting File System
Root CAs that client computers can trust: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
For certificate-based authentication of users and computers, along with CAs that are registered in Active Directory, the client computer must use should also use user principal name (UPN) constraint compliant CAs | Disabled
Public Key Policies/Certificate Path Validation Settings/Trusted Publishers
Policy | Setting
Trusted Publishers can be managed by: All administrators only
Verify that certificate is not revoked when adding | Enabled
Verify that certificate has a valid time stamp when adding | Disabled
Public Key Policies/Certificate Path Validation Settings/Network Retrieval
Policy | Setting
Default URL retrieval timeout in seconds | 15
Default path validation cumulative timeout in seconds | 20
Allow issuer certificate retrieval during path validation | Enabled
Default cross-certificate download interval in hours | 168
Public Key Policies/Certificate Path Validation Settings/Revocation
Policy | Setting
Always prefer Certificate Revocation Lists (CRLs) over Online Certificate Status Protocol (OCSP) responses | Disabled
Allow CRLs and OCSP responses to be valid longer than their lifetime | Disabled
Software Restriction Policies
Enforcement
Policy | Setting
Apply Software Restriction Policies to the following | All software files except libraries (such as DLLs)
Apply Software Restriction Policies to the following users | All users
When applying Software Restriction Policies | Ignore certificate rules
Designated File Types
File Extension | File Type
ADE | ADE File
ADP | ADP File
BAS | BAS File
BAT | Windows Batch File
CHM | Compiled HTML Help file
CMD | Windows Command Script
COM | MS-DOS Application
CPL | Control panel item
CRT | Security Certificate
EXE | Application
HLP | Help file
HTA | HTML Application
INF | Setup Information
INS | INS File
ISP | ISP File
LNK | Shortcut
MDB | MDB File
MDE | MDE File
MSC | Microsoft Common Console Document
MSI | Windows Installer Package
MSP | Windows Installer Patch
MST | MST File
OCX | ActiveX control
PCD | PCD File
PIF | Shortcut to MS-DOS Program
REG | Registration Entries
SCR | Screen saver
SHS | SHS File
URL | Internet Shortcut
VB | Visual Basic Source File
WSC | Windows Script Component
Trusted Publishers
Trusted publisher management: Allow only all administrators to manage Trusted Publishers
Certificate verification: Verify that certificate is not revoked when adding
Software Restriction Policies/Security Levels
Policy | Setting
Default Security Level | Unrestricted
Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level: Unrestricted
Description
Date last modified: 5-8-2013 08:26:02
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level: Unrestricted
Description
Date last modified: 5-8-2013 08:26:02
%USERPROFILE%\Downloads\SkypeForBusinessPlugin.msi
Security Level: Unrestricted
Description
Date last modified: 1-9-2016 04:52:26
Advanced Audit Configuration
Object Access
Policy | Setting
Audit Filtering Platform Connection | Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off Automatic Root Certificates Update | Disabled
System/User Profiles
Policy | Setting | Comment
Delete cached copies of roaming profiles | Enabled
Delete user profiles older than a specified number of days on system restart | Enabled
Delete user profiles older than (days): 4
Windows Components/AutoPlay Policies
Policy | Setting | Comment
Turn off Autoplay | Enabled
Turn off Autoplay on: All drives
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy | Setting | Comment
Allow audio and video playback redirection | Enabled
Allow audio recording redirection | Enabled
Do not allow smart card device redirection | Disabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting | Comment
Server authentication certificate template | Enabled
Certificate Template Name: TPEMEA-RDPAE2years
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits
Policy | Setting | Comment
Set time limit for active but idle Remote Desktop Services sessions | Enabled
Idle session limit: 1 hour
Policy | Setting | Comment
Set time limit for disconnected sessions | Enabled
End a disconnected session: 15 minutes
Windows Components/RSS Feeds
Policy | Setting | Comment
Turn off background synchronization for feeds and Web Slices | Enabled
Windows Components/Windows Installer
Policy | Setting | Comment
Turn off Windows Installer | Enabled
Disable Windows Installer: Never
Preferences
Windows Settings
Registry
Enabled (Order: 1)
General
Action: Create
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
Value name: Enabled
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
RC2 128/128 (Order: 2)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Triple DES 168/168 (Order: 3)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
DisableServerHeader (Order: 4)
General
Action: Create
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value name: DisableServerHeader
Value type: REG_DWORD
Value data: 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
CWDIllegalInDllSearch (Order: 5)
General
Action: Create
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\Session Manager
Value name: CWDIllegalInDllSearch
Value type: REG_DWORD
Value data: 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Enabled (Order: 6)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128
Value name: Enabled
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
VisualFXSetting (Order: 7)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects
Value name: VisualFXSetting
Value type: REG_DWORD
Value data: 0x3 (3)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
DefaultValue (Order: 8)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow
Value name: DefaultValue
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Triple DES 168 Disable (Order: 9)
General
Action: Create
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168
Value name: Enabled
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
LogFileName (Order: 10)
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
Value name: LogFileName
Value type: REG_SZ
Value data: C:\TEMP\SRP\SRP.log
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: Protocols
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/PCT 1.0
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: PCT 1.0
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/PCT 1.0/Server
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: Enabled
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
Value name: Enabled
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/SSL 2.0
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: SSL 2.0
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/SSL 2.0/Server
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: Enabled
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Value name: Enabled
Value type: REG_DWORD
Value data: 0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: restrictanonymous
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\Lsa
Value name: restrictanonymous
Value type: REG_DWORD
Value data: 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Session Manager
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Registry item: CWDIllegalInDllSearch
General
Action: Update
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Control\Session Manager
Value name: CWDIllegalInDllSearch
Value type: REG_DWORD
Value data: 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
User Configuration (Disabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy | Setting | Comment
Site to Zone Assignment List | Enabled
Enter the zone assignments here.
2 | http://*.microsoft.com;https://*.microsoft.com
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
Policy | Setting | Comment
Allow active scripting | Enabled
Allow active scripting: Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy | Setting | Comment
Allow active scripting | Enabled
Allow active scripting: Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
Policy | Setting | Comment
Allow active scripting | Enabled
Allow active scripting: Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
Policy | Setting | Comment
Allow active scripting | Enabled
Allow active scripting: Enable