Group Policy Settings Used in Windows Authentication

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes the use and impact of Group Policy settings in the authentication process.

You can manage authentication in Windows operating systems by adding user, computer, and service accounts to groups, and then applying authentication policies to those groups. These policies are defined as local security policies and as administrative templates, also known as Group Policy settings. Both sets can be configured and distributed throughout your organization by using Group Policy.

Note

Features introduced in Windows Server 2012 R2 let you configure authentication policies for targeted services or applications, commonly called authentication silos, by using protected accounts. For information about how to do this in Active Directory, see How to Configure Protected Accounts.

For example, you can apply the following policies to groups, based on their function in the organization:

  • Log on locally or to a domain

  • Log on over a network

  • Reset accounts

  • Create accounts

The following table lists policy groups relevant to authentication and provides links to documentation that can help you configure those policies.

| Policy group | Location | Description |
| --- | --- | --- |
| Password Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Password policies affect the characteristics and behavior of passwords. They are used for domain accounts or local user accounts and determine settings for passwords, such as enforcement and lifetime. For information about specific settings, see Password Policy. |
| Account Lockout Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. For information about account lockout policy options, see Account Lockout Policy. |
| Kerberos Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Kerberos-related settings include ticket lifetime and enforcement rules. Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the Default Domain Group Policy Object (GPO), where they affect domain logons. For information about Kerberos Policy options for the domain controller, see Kerberos Policy. |
| Audit Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy | Auditing policy lets you control and understand access to objects, such as files and folders, and to manage user and group accounts and user logons and logoffs. Auditing policies can specify the categories of events that you want to audit, set the size and behavior of the security log, and determine which objects' access you want to monitor and what type of access to monitor. |
| User Rights Assignment | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to grant or deny permission to access a computer based on the method of access and security group memberships. |
| Security Options | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Policies relevant to authentication include: Devices; Domain controller; Domain member; Interactive logon; Microsoft network server; Network access; Network security; Recovery console; Shutdown. |
| Credentials Delegation | Computer Configuration\Administrative Templates\System\Credentials Delegation | The delegation of credentials is a mechanism that lets local credentials be used on other systems, most notably member servers and domain controllers within a domain. These settings apply to applications that use the Credential Security Support Provider (CredSSP). Remote Desktop Connection is an example. |
| KDC | Computer Configuration\Administrative Templates\System\KDC | These policy settings affect how the Key Distribution Center (KDC), which is a service on the domain controller, handles Kerberos authentication requests. |
| Kerberos | Computer Configuration\Administrative Templates\System\Kerberos | These policy settings affect how Kerberos is configured to handle support for claims, Kerberos armoring, compound authentication, identifying proxy servers, and other configurations. |
| Logon | Computer Configuration\Administrative Templates\System\Logon | These policy settings control how the system presents the logon experience for users. |
| Net Logon | Computer Configuration\Administrative Templates\System\Net Logon | These policy settings control how the system handles network logon requests, including how the Domain Controller Locator behaves. For more information about how the Domain Controller Locator fits into replication processes, see Understanding Replication Between Sites. |
| Biometrics | Computer Configuration\Administrative Templates\Windows Components\Biometrics | These policy settings generally permit or deny the use of biometrics as an authentication method. For information about the Windows implementation of biometrics, see Windows Biometric Framework Overview. |
| Credential User Interface | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface | These policy settings control how credentials are managed at the point of entry. |
| Password Synchronization | Computer Configuration\Administrative Templates\Windows Components\Password Synchronization | These policy settings determine how the system manages the synchronization of passwords between Windows and UNIX-based operating systems. For more information, see Password Synchronization. |
| Smart Card | Computer Configuration\Administrative Templates\Windows Components\Smart Card | These policy settings control how the system manages smart card logons. |
| Windows Logon Options | Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options | These policy settings control when and how logon opportunities are available. |
| Ctrl+Alt+Del Options | Computer Configuration\Administrative Templates\Windows Components\Ctrl+Alt+Del Options | These policy settings affect the appearance of, and access to, features on the logon UI (Secure Desktop), such as Task Manager and the keyboard lock of the computer. |
| Logon | Computer Configuration\Administrative Templates\Windows Components\Logon | These policy settings determine whether, and which, processes can run when the user logs on. |
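To make the Password Policy, Account Lockout Policy and Kerberos Policy rows concrete, here is an added PowerShell example (not from the original article) that parses a security template exported with `secedit /export /cfg` and reports whether each setting meets an illustrative threshold. The sample template values, the thresholds and the function names are assumptions chosen for this example; the INF section and key names are those secedit writes.

```powershell
# Added example (not from the original article): audit the Password Policy, Account Lockout
# Policy and Kerberos Policy groups from the table by parsing a template exported with
# "secedit /export /cfg <file>". Thresholds below are illustrative assumptions, not Microsoft guidance.
# Constructed sample; on a real host: secedit /export /cfg "$env:TEMP\secpol.inf"; Get-Content "$env:TEMP\secpol.inf" -Raw
$SampleInf = @'
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
TicketValidateClient = 1
'@

function ConvertFrom-SecurityTemplate {
    # Returns @{ '<section>' = @{ '<key>' = '<value>' } } for an INF-style security template.
    param([Parameter(Mandatory)][string]$Text)
    $sections = @{}; $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    return $sections
}

function Test-AuthenticationPolicy {
    param([Parameter(Mandatory)][hashtable]$Template)
    $sa = $Template['System Access']
    $kp = $Template['Kerberos Policy']   # domain policy only; absent when exported from a non-domain-controller
    $row = { param($Group, $Setting, $Value, [bool]$Pass) [pscustomobject]@{ Group = $Group; Setting = $Setting; Value = $Value; Pass = $Pass } }
    return @(
        & $row 'Password Policy' 'MinimumPasswordLength' $sa.MinimumPasswordLength ([int]$sa.MinimumPasswordLength -ge 14)
        & $row 'Password Policy' 'PasswordComplexity'    $sa.PasswordComplexity    ($sa.PasswordComplexity -eq '1')
        & $row 'Password Policy' 'PasswordHistorySize'   $sa.PasswordHistorySize   ([int]$sa.PasswordHistorySize -ge 24)
        # LockoutBadCount = 0 disables lockout entirely, so bursts of failed logons are never blocked.
        & $row 'Account Lockout Policy' 'LockoutBadCount' $sa.LockoutBadCount ([int]$sa.LockoutBadCount -gt 0 -and [int]$sa.LockoutBadCount -le 10)
        & $row 'Account Lockout Policy' 'LockoutDuration' $sa.LockoutDuration ([int]$sa.LockoutDuration -ge 15)
        if ($kp) {
            & $row 'Kerberos Policy' 'MaxTicketAge'         $kp.MaxTicketAge         ([int]$kp.MaxTicketAge -le 10)
            & $row 'Kerberos Policy' 'MaxClockSkew'         $kp.MaxClockSkew         ([int]$kp.MaxClockSkew -le 5)
            & $row 'Kerberos Policy' 'TicketValidateClient' $kp.TicketValidateClient ($kp.TicketValidateClient -eq '1')
        }
    )
}

Test-AuthenticationPolicy (ConvertFrom-SecurityTemplate $SampleInf) | Format-Table -AutoSize
```

With the constructed sample, MinimumPasswordLength and LockoutBadCount fail their checks, which is the default-state gap the Account Lockout Policy row describes.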

See also

Windows Authentication Technical Overview