Windows Server 2008 Group Policy settings reference
February 11, 2008
Now that Windows Server 2008 has been released to manufacture (RTM), MS have published the usual spreadsheet reference containing all the settings which are available through Group Policy for managing Server 2008, Vista and all prior versions.
Download the Group Policy Settings Reference for Server 2008 in Excel 2007 (.xlsx) or older version (.xls) format.
Interestingly, this also includes 9 settings which are only available for Windows Vista service pack 1 (which also RTM’d last week). All of these are to do with controlling security settings for terminal services (RDP) sessions, including a setting I will find particularly useful to control whether a session can be established when the server cannot be authenticated.
This policy setting allows you to specify whether the client will establish a connection to the terminal server when the client cannot authenticate the terminal server. If you enable this policy setting, you must specify one of the following settings:
Always connect, even if authentication fails: The client connects to the terminal server even if the client cannot authenticate the terminal server.
Warn me if authentication fails: The client attempts to authenticate the terminal server. If the terminal server can be authenticated, the client establishes a connection to the terminal server. If the terminal server cannot be authenticated, the user is prompted to choose whether to connect to the terminal server without authenticating the terminal server.
Do not connect if authentication fails: The client establishes a connection to the terminal server only if the terminal server can be authenticated.
If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the terminal server when the client cannot authenticate the terminal server.
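The precedence described above (an enabled policy decides, otherwise the .rdp file does) can be checked across saved connection files. The following is an added example, not part of the original post or of Microsoft's reference. It assumes the `authentication level:i:N` property of .rdp files (0 = connect without warning, 1 = do not connect, 2 = warn) and assumes the policy uses the same numbering. The function names and the sample file are hypothetical.

```python
import codecs

# Constructed sample: a UTF-16 .rdp file that connects even if the server cannot be authenticated.
SAMPLE = "full address:s:ts01.example.test\r\nauthentication level:i:0\r\n".encode("utf-16")

# Short audit labels for the three options quoted in the policy text (labels are hypothetical).
FINDINGS = {
    0: "connects-unauthenticated",  # Always connect, even if authentication fails
    1: "refuses-unauthenticated",   # Do not connect if authentication fails
    2: "user-prompted",             # Warn me if authentication fails
}

def decode_rdp(raw):
    """.rdp files are commonly UTF-16 with a BOM; hand-edited ones may be ANSI/UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def rdp_auth_level(raw):
    """Return N from 'authentication level:i:N', or None if absent or invalid."""
    for line in decode_rdp(raw).splitlines():
        name, _, rest = line.strip().partition(":")
        kind, _, value = rest.partition(":")
        if name.strip().lower() == "authentication level" and kind.strip().lower() == "i":
            try:
                return int(value.strip())  # first occurrence is used (assumption)
            except ValueError:
                return None
    return None

def effective_behaviour(policy_level, raw):
    """policy_level is None when the policy is disabled or not configured, else 0-2.

    Returns (source, level, finding): which side decided, the level, and an audit label.
    """
    if policy_level is not None:
        source, level = "policy", policy_level
    else:
        source, level = "rdp-file", rdp_auth_level(raw)
    return source, level, FINDINGS.get(level, "unspecified")

if __name__ == "__main__":
    print(effective_behaviour(None, SAMPLE))  # the file decides when no policy is set
    print(effective_behaviour(1, SAMPLE))     # an enabled policy overrides the file
```

Files reported as "unspecified" carry no explicit level, so their behaviour depends on the client and should be reviewed separately.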
This latest reference describes in detail 2,746 group policy settings, including the full explain text, which ones need a reboot, and to which operating systems they can be applied. This is up from the 2,494 which were available when Vista was released to manufacture.
There is also one additional security setting for Vista SP1 and Server 2008 which will “Allow UIAccess applications to prompt for elevation without using the secure desktop”. This is intended for use when (for example) an administrator is providing Remote Assistance and may need to provide credentials for a UAC prompt through their interactive desktop. Normally this prompt appears only on the secure desktop, where it is unavailable to anyone except someone at the keyboard in front of the machine. Other related settings, which help to define which applications can be considered to have UIAccess, were already available in prior versions.