User Account Policies in Windows 7

Before you start

Objectives: Learn where to find policies related to user accounts, user passwords, account lockout, and user rights.

Prerequisites: you have to know what is a user account, and what is Group Policy Editor.

Key terms: Policy Editor, user rights, account lockout, Windows 7, policies, settings, users


 Local Group Policy Editor

We can manage user rights and accounts policies using local policy editor. To open Local Group Policy Editor in Windows 7, we can enter “gpedit.msc” in search and click on the gpedit option in search results. In Policy Editor we can then go to Computer Configuration > Windows Settings > Security Settings . Here, the first thing we will check is User Rights Assignment under Local Policies.

 1 Policy Editor

Policy Editor

User Rights Assignment

In this section we will first see a predefined policies that are set on our machine. For example, we can see who (which groups of users) can access this computer from the network, who can log on locally, who can log on trough Remote Desktop, who can back up files, etc. For example, in our case we see that users in groups “Everyone”, “Administrators”, “Users”, and “Backup Operators” can access our computer from the network.

 2 Network Access

Network Access Policy

Of course, we can change those settings to suit our needs. For example, if we select “Allow log on trough Remote Desktop Services” policy, we we add specific user or group of users to the list, or remove them.

 3 Remote Desktop Users

Remote Desktop Users

Account Policies

Under Security Settings let’s check Account Policies. Under Password Policy we can change things such as maximum and minimum password age, minimum password length and complexity requirements, etc.

 4 Password Policies

Password Policy

In our case these settings are not configured, but we can change that to suit our needs. For example, it is a good idea to change the minimum length of passwords from 0, to prevent blank passwords.

 5 Password Length

Minimum Password Length

If we set the “Minimum password age” option to 5, users who change password won’t be able to change it again for 5 days. Minimum and Maximum password age options are only applied to users which don’t have “Password never expires” option set.  For example, user Kim Verson has “Password never expires” option checked, so minimum and maximum password age is not applied to Kim (we have used Local Users and Groups in Computer Management to check this).

 6 Password Never Expires

Password Never Expires option

If we enable Password history policy, users will have to use unique passwords every time they change it. Maximum password age has to be configured for password history to take effect. Maximum password age enforces users to change passwords after specified length of time. Password complexity policy prevents using simple passwords which are easy to crack. If we set that option, users will have to use special characters in their passwords, with minimum of 6 characters, and won’t be able to use dictionary words or any part of user login. If we set the “Store passwords using reversible encryption” should not be set, since passwords will essentially be readable as plaint text.

The next thing we can check is Account Lockout policy.

7 Account Lockout

Account Lockout

Keep in mind that these account lockout policy applies to all users on local computer, including the Administrator account. If we only have one administrative account on the machine and that account gets locked out, we won’t have any way to log in to the machine with the user which has administrative rights any more. This is the case on local machines, so we should be careful when setting account lockout policy on local machines. The value of 0 in “Account lockout threshold” means that accounts won’t be locked out. If we specify some other number here, the system will count invalid log on attempts and then lockout the user after the specified threshold. We can also specify the duration of the lockout and how much time the counter of invalid log on attempts is remembered.