Security settings and user rights assignments can be changed in local policies and group policies to help tighten the security on domain controllers and member computers. However, the downside of increased security is the introduction of incompatibilities with clients, services, and programs.
This article describes incompatibilities that can occur on client computers that are running Windows XP, or an earlier version of Windows, when you change specific security settings and user rights assignments in a Windows Server 2003 domain or an earlier Windows Server domain.
For information about Group Policy for Windows 7, Windows Server 2008 R2, and Windows Server 2008, see the following articles:
- For Windows 7, see Group Policy management for IT pros
- For Windows 7, and Windows Server 2008 R2, see What's New in Group Policy
- For Windows Server 2008, see Information about new Group Policy preferences in Windows Server 2008
Windows XP
To increase the awareness of misconfigured security settings, use the Group Policy Object Editor tool to change security settings. When you use Group Policy Object Editor, user rights assignments are enhanced on the following operating systems:
- Windows XP Professional Service Pack 2 (SP2)
- Windows Server 2003 Service Pack 1 (SP1)
This article contains examples of clients, programs, and operations that are affected by specific security settings or user rights assignments. However, the examples are not authoritative for all Microsoft operating systems, for all third-party operating systems, or for all program versions that are affected. Not all security settings and user rights assignments are included in this article.
We recommend that you validate the compatibility of all security-related configuration changes in a test forest before you introduce them in a production environment. The test forest must mirror the production forest in the following ways:
- Client and server operating system versions, client and server programs, service pack versions, hotfixes, schema changes, security groups, group memberships, permissions on objects in the file system, shared folders, the registry, Active Directory directory service, local and Group Policy settings, and object count, type, and location
- Administrative tasks that are performed, administrative tools that are used, and operating systems that are used to perform administrative tasks
- Operations that are performed, such as the following:
  - Computer and user logon authentication
  - Password resets by users, by computers, and by administrators
  - Browsing
  - Setting permissions for the file system, for shared folders, for the registry, and for Active Directory resources by using ACL Editor in all client operating systems in all account or resource domains from all client operating systems from all account or resource domains
  - Printing from administrative and nonadministrative accounts
Windows Server 2003 SP1
Warnings in Gpedit.msc
To help make customers aware that they are editing a user right or security option that could adversely affect their network, two warning mechanisms were added to gpedit.msc. When administrators edit a user right that can adversely affect the whole enterprise, they will see a new icon that resembles a yield sign. They will also receive a warning message that has a link to Microsoft Knowledge Base article 823659. The text of this message is as follows: If you were directed to this Knowledge Base article from a link in Gpedit.msc, make sure that you read and understand the explanation provided and the possible effect of changing this setting.
The following lists User Rights that contain the warning text:
- Access this computer from network
- Log on locally
- Bypass traverse checking
- Enable computers and users for trusted delegation
- Domain Member: Digitally encrypt or sign secure channel data (always)
- Domain Member: Require strong (Windows 2000 or a later version) session key
- Domain Controller: LDAP server signing requirements
- Microsoft network server: Digitally sign communications (always)
- Network Access: Allows Anonymous Sid / Name translation
- Network Access: Do not allow anonymous enumeration of SAM accounts and shares
- Network security: LAN Manager Authentication level
- Audit: Shut down system immediately if unable to log security audits
- Network Access: LDAP client signing requirements
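One way to check that a test forest mirrors production for the settings that carry the Gpedit.msc warning is to compare security template exports (such as those written by `secedit /export /cfg`) from both sides. The following is an added example, not code from this article or from Microsoft. It assumes the standard security-template key names for the listed policies, and the function names and both sample templates are constructed for illustration.

```python
import configparser
# Assumed mapping: secedit template key (lowercased) -> policy name as listed on this page.
CCS = "machine\\system\\currentcontrolset\\"
FLAGGED = {
    "senetworklogonright": "Access this computer from network",
    "seinteractivelogonright": "Log on locally",
    "sechangenotifyprivilege": "Bypass traverse checking",
    "seenabledelegationprivilege": "Enable computers and users for trusted delegation",
    "lsaanonymousnamelookup": "Network Access: Allows Anonymous Sid / Name translation",
    CCS + r"services\netlogon\parameters\requiresignorseal": "Domain Member: Digitally encrypt or sign secure channel data (always)",
    CCS + r"services\netlogon\parameters\requirestrongkey": "Domain Member: Require strong (Windows 2000 or a later version) session key",
    CCS + r"services\ntds\parameters\ldapserverintegrity": "Domain Controller: LDAP server signing requirements",
    CCS + r"services\lanmanserver\parameters\requiresecuritysignature": "Microsoft network server: Digitally sign communications (always)",
    CCS + r"control\lsa\restrictanonymous": "Network Access: Do not allow anonymous enumeration of SAM accounts and shares",
    CCS + r"control\lsa\lmcompatibilitylevel": "Network security: LAN Manager Authentication level",
    CCS + r"control\lsa\crashonauditfail": "Audit: Shut down system immediately if unable to log security audits",
    CCS + r"services\ldap\ldapclientintegrity": "Network Access: LDAP client signing requirements",
}

def flagged_settings(inf_text):
    """Return {policy name: value} for the flagged settings found in a template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)  # option names are lowercased by configparser
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in FLAGGED:
                if section == "Privilege Rights":  # SID lists are unordered
                    value = ",".join(sorted(s.strip() for s in value.split(",")))
                found[FLAGGED[key]] = value
    return found

def drift(test_inf, prod_inf):
    """Flagged policies whose value differs: {name: (test value, production value)}."""
    a, b = flagged_settings(test_inf), flagged_settings(prod_inf)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

# Constructed samples; production has reordered SIDs, a lower LM level, no required SMB signing.
TEST_INF = r"""[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""
PROD_INF = (TEST_INF.replace("*S-1-5-32-544,*S-1-5-11", "*S-1-5-11,*S-1-5-32-544")
            .replace("=4,5", "=4,2").replace("RequireSecuritySignature=4,1", "RequireSecuritySignature=4,0"))

for name, (test, prod) in drift(TEST_INF, PROD_INF).items():
    print(f"{name}: test={test} production={prod}")
```

Real exports are typically UTF-16 encoded, so decode the file before passing its text to `flagged_settings`.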