Policies and properties can be edited via the Microsoft Management Console (MMC). Some overlap exists between the settings of the MMC and the settings of the registry.

The MMC is extensible. Areas it can manage:

- general security controls
- audit
- user rights
- password policies
- account lockout
- digital certificate management
- Kerberos
- public-key policies
- IPSec policies
- both local and Active-X user policies
- device management
- etc.

The MMC is a framework. Using the MMC requires snap-ins (File > Add/Remove Snap-ins):

- ActiveX Control
  - manage domain users
- Certificates
  - manage digital certificates for users, computers, and/or services
- Computer Management
  - manage local/remote computers
  - includes elements of other snap-ins (event logs, shared folders, local users & groups, performance logs)
- Local Users & Groups
  - create/modify local accounts
  - disable local accounts
  - set password expiration parameters
  - create/modify/delete local groups
  - assign local user(s) to groups
- Device Manager
  - troubleshoot local hardware
  - install/update device drivers
  - view/configure various hardware parameters
- Disk Defragmenter
  - analyze/defragment secondary storage volumes (a utility)
- Disk Management
  - view/configure partitions
  - format drives and assign drive letters
- Event Viewer
  - view application, security and/or system logs
- Group Policy
  - apply policy settings to computers, users and/or groups
- IP Security Policy Management
  - manage various policies associated with IP (e.g. authenticated protocols)
- Local Users and Groups
  - create/modify/delete local users and/or groups
  - create/modify user/group profiles
- Performance Monitor
  - view/manage performance logs
- Resultant Set of Policy
  - view policies set by selected other snap-ins
- Security Templates
  - create/modify security templates that can be applied to users
- Services
  - edit services (terminal services, telnet, smart card, RPC, net login, ICF)

A policy is a centralized collection of operational/security controls. Policy application is accomplished via group policy objects (GPO).
GPOs can be applied to local, site, domain, organizational unit. The last applicable GPO that is applied takes precedence. GPOs are inherited by default. GPO settings include no override, enable, disable, allow/deny. Limitation: user that is a member of more than 70 to 80 groups.

EXAMPLE POLICIES

- password age, complexity, size
- account lockout duration
- auditing of logon, directory access, processes, policy changes
- user/group privileges
- IPSec
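
The precedence rules above (applied in the order local, site, domain, organizational unit; last applied wins; "no override" blocks later replacement) can be modelled in a few lines to check whether a lower-level GPO weakens a baseline. This is an added example, not part of the original notes and not Windows' own logic; the GPO names, setting keys and values are constructed sample data.

```python
# Added illustration: a simplified model of GPO precedence, not Windows' own logic.
# All GPO names and setting values below are constructed sample data.
from dataclasses import dataclass, field

# Order in which GPOs are applied; later levels are applied last.
LEVELS = ["local", "site", "domain", "ou"]

@dataclass
class GPO:
    name: str
    level: str                      # one of LEVELS
    settings: dict = field(default_factory=dict)
    no_override: bool = False       # settings may not be replaced by later GPOs
    enabled: bool = True            # a disabled GPO is skipped entirely

def resultant_policy(gpos):
    """Return {setting: (value, winning GPO name)} for one user or computer."""
    result, locked = {}, set()
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g.level))  # stable sort
    for gpo in ordered:
        if not gpo.enabled:
            continue
        for key, value in gpo.settings.items():
            if key in locked:
                continue            # an earlier "no override" GPO holds this setting
            result[key] = (value, gpo.name)
            if gpo.no_override:
                locked.add(key)
    return result

SAMPLE_GPOS = [
    GPO("Workstation OU", "ou", {"min_password_length": 6, "lockout_minutes": 15}),
    GPO("Domain Baseline", "domain",
        {"min_password_length": 12, "audit_logon": "success,failure"}, no_override=True),
    GPO("Local Policy", "local", {"min_password_length": 0, "audit_logon": "none"}),
    GPO("Retired Site GPO", "site", {"lockout_minutes": 0}, enabled=False),
]

def weakened_settings(gpos, baseline):
    """List settings whose effective numeric value is below a required minimum."""
    rsop = resultant_policy(gpos)
    return sorted(k for k, minimum in baseline.items()
                  if k not in rsop or rsop[k][0] < minimum)

if __name__ == "__main__":
    for key, (value, source) in sorted(resultant_policy(SAMPLE_GPOS).items()):
        print(f"{key:22} = {value!s:18} (from {source})")
```

With "no override" cleared on the sample domain GPO, the OU's shorter password length becomes the effective value, which is the kind of drift the Resultant Set of Policy snap-in is used to find.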