These are some powerful policy settings that allow you to configure five settings for Application, Security, Setup, and System event logs. These categories and their policy settings are located under Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.

The Log File Path policy setting, when enabled, allows you to provide a specific location where the Event Log service writes its log file. You must provide a path and file name when relocating where Windows writes the log file.

Next is the Maximum Log file size policy. When enabled, this policy allows you to specify the maximum size of the event log. It supports sizes between one megabyte and two terabytes and uses one-kilobyte increments.

Figure 1 Event Log Service Policy Settings

The next two policy settings are related. The Event Logging service uses the Retain old events and Backup log automatically when full policy settings when the event log reaches the maximum file size (defaults to 20 MB or the value specified in the Maximum Log size policy setting). With the Retain Old Events policy setting enabled, the Event Logging service stops writing new events to the event log when the log file reaches or exceeds the maximum value and you lose all new events.

With this policy setting disabled, new events overwrite old events. When you enabling the Backup log automatically when full and the Retain old events policy settings, the Event Log service closes the current event log, renames it, and then creates a new log. The Backup log automatically when full policy setting works only when you enable Retain old events policy setting.

Figure 2 Maximum Log Size Policy Setting

The last setting and one that I think is the most beneficial is the Log Access setting. Enabling this setting allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log. You enter the security descriptor using Security Definition Description Language (SDDL), which is document on MSDN (http://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp).

Finally, I should mention that these new policy settings have precedence over the older Windows Server 2003 and Windows XP security policy setting that manage Event Logs. Both settings can exist in the same Group Policy object and apply only to the respective operating systems for the policy setting

These new policy settings for the Event Logging service provide more flexibility and control from earlier versions.

Using Group Policy to control where event logs are written, how large they can grow, how they are preserved, and who can manage them are key to change control and security auditing. You can implement these policy settings in your existing Group Policy objects and they will not affect operating systems earlier than Windows Vista.

Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default Domain Group Policy object. These policies, with the exception of those settings related to password lifetime, are enforced on all users in a domain.

The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:

•Is not based on the user’s account name.
•Contains at least six characters.
•Contains characters from three of the following four categories:
•Uppercase alphabet characters (A–Z)
•Lowercase alphabet characters (a–z)
•Arabic numerals (0–9)
•Nonalphanumeric characters (for example, !$#,%)
As stated above, this policy is enabled by default.

In some occasions, such as testing, lab-building, classes and so on, you might want to disable this built-in requirement.

Security Warning: Bare in mind that this setting can only be enabled/disabled at the domain level, and NOT on an OU level. Disabling the password requirement for an entire domain will lower your security configuration, and should only be done when absolutely necessary.

In order to disable this requirement you need to edit the Default Domain Policy for your domain.

Go to Administrative tools folder.
Double-click on the Default Domain Security Policy icon.
Note: If for any reason you don’t see that icon you can still edit the Default Domain Group Policy from the AD Users and Computers snap-in, or from a GPMC window (if you have GPMC installed – Download GPMC).
Navigate to Security Settings > Account Policies > Password Policy.
Right-click on the Minimum Password Length option in the right pane and select Properties.

Keep the V on the Define Setting selected! Do not remove the V from that check-box. Removing the V will cause the GPO to revert to the default setting, which is what we are trying to remove in the first place.
Enter 0 (zero) for the number of minimum characters required in a password.

Now double-click on the Passwords Must Meet Complexity Requirements option in the right pane.

Again, do not remove the V from that check-box. Instead, select Disabled.

Click OK all the way out and close the GPO window.

In order to refresh the policy type the following command in a CMD window and click ENTER:

gpupdate /force

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Computer Policies and User Policies

So when do they each apply?

Computer Policies are processed when your computer is started. Once your computer is switched on, started and the network connection is initialized, computer policy settings are applied and a history of the policies that were applied is written to %AllUsersProfile%\Ntuser.pol.

User Policies are processed when a user logs onto a computer. So when you logon using your username and password, the policy settings are applied and written to %UsersProfile%\Ntuser.pol.

Good question. Officially, Group Policy refreshes every 90 minutes for your servers and workstations, but there is a delay of up to 30 minutes that is designed to avoid overwhelming your domain controllers with a huge flood of refresh requests.

So effectively, this means that Group Policy refreshes itself every 90-120 minutes.

gpupdate

Some policies do not apply straight away, so you might need to add the /force switch on the end.

gpupdate /force

Policies should be updated from the domain, you should now reboot your machine for all policies to apply.