Group Policy Settings Used in Windows Authentication

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes the use and impact of Group Policy settings in the authentication process.

You can manage authentication in Windows operating systems by adding user, computer, and service accounts to groups, and then by applying authentication policies to those groups. These policies are defined as local security policies and as administrative templates, also known as Group Policy settings. Both sets can be configured and distributed throughout your organization by using Group Policy.

Note

Features introduced in Windows Server 2012 R2 let you configure authentication policies for targeted services or applications, commonly called authentication silos, by using protected accounts. For information about how to do this in Active Directory, see How to Configure Protected Accounts.

For example, you can apply the following policies to groups, based on their function in the organization:

  • Log on locally or to a domain

  • Log on over a network

  • Reset accounts

  • Create accounts

The following table lists policy groups relevant to authentication and provides links to documentation that can help you configure those policies.

| Policy group | Location | Description |
| --- | --- | --- |
| Password Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Password policies affect the characteristics and behavior of passwords. Password policies are used for domain accounts or local user accounts. They determine settings for passwords, such as enforcement and lifetime. For information about specific settings, see Password Policy. |
| Account Lockout Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. For information about account lockout policy options, see Account Lockout Policy. |
| Kerberos Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies | Kerberos-related settings include ticket lifetime and enforcement rules. Kerberos policy does not apply to local account databases because the Kerberos authentication protocol is not used to authenticate local accounts. Therefore, the Kerberos policy settings can be configured only by means of the default domain Group Policy Object (GPO), where it affects domain logons. For information about Kerberos Policy options for the domain controller, see Kerberos Policy. |
| Audit Policy | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy | Auditing policy lets you control and understand access to objects, such as files and folders, and to manage user and group accounts and user logons and logoffs. Auditing policies can specify the categories of events that you want to audit, set the size and behavior of the security log, and determine which objects you want to monitor access to and what type of access you want to monitor. |
| User Rights Assignment | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | User rights are typically assigned on the basis of the security groups to which a user belongs, such as Administrators, Power Users, or Users. The policy settings in this category are typically used to grant or deny permission to access a computer based on the method of access and security group memberships. |
| Security Options | Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Policies relevant to authentication include: Devices; Domain controller; Domain member; Interactive logon; Microsoft network server; Network access; Network security; Recovery console; Shutdown. |
| Credentials Delegation | Computer Configuration\Administrative Templates\System\Credentials Delegation | The delegation of credentials is a mechanism that lets local credentials be used on other systems, most notably member servers and domain controllers within a domain. These settings apply to applications that use the Credential Security Support Provider (CredSSP). Remote Desktop Connection is an example. |
| KDC | Computer Configuration\Administrative Templates\System\KDC | These policy settings affect how the Key Distribution Center (KDC), which is a service on the domain controller, handles Kerberos authentication requests. |
| Kerberos | Computer Configuration\Administrative Templates\System\Kerberos | These policy settings affect how Kerberos is configured to handle support for claims, Kerberos armoring, compound authentication, identifying proxy servers, and other configurations. |
| Logon | Computer Configuration\Administrative Templates\System\Logon | These policy settings control how the system presents the logon experience for users. |
| Net Logon | Computer Configuration\Administrative Templates\System\Net Logon | These policy settings control how the system handles network logon requests, including how the Domain Controller Locator behaves. For more information about how the Domain Controller Locator fits into replication processes, see Understanding Replication Between Sites. |
| Biometrics | Computer Configuration\Administrative Templates\Windows Components\Biometrics | These policy settings generally permit or deny the use of biometrics as an authentication method. For information about the Windows implementation of biometrics, see Windows Biometric Framework Overview. |
| Credential User Interface | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface | These policy settings control how credentials are managed at the point of entry. |
| Password Synchronization | Computer Configuration\Administrative Templates\Windows Components\Password Synchronization | These policy settings determine how the system manages the synchronization of passwords between Windows and UNIX-based operating systems. For more information, see Password Synchronization. |
| Smart Card | Computer Configuration\Administrative Templates\Windows Components\Smart Card | These policy settings control how the system manages smart card logons. |
| Windows Logon Options | Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options | These policy settings control when and how logon opportunities are available. |
| Ctrl+Alt+Del Options | Computer Configuration\Administrative Templates\Windows Components\Ctrl+Alt+Del Options | These policy settings affect the appearance of and accessibility to features on the logon UI (Secure Desktop), such as Task Manager and the keyboard lock of the computer. |
| Logon | Computer Configuration\Administrative Templates\Windows Components\Logon | These policy settings determine if or which processes can run when the user logs on. |

See also

Windows Authentication Technical Overview