Defaut Domain Policy

Computer Configuration (Enabled)

Windows Settings

Scripts

Startup

Name	Parameters
\\Network.local\sysvol\Network.local\scripts\TimeSrv.bat

Security Settings

Account Policies/Password Policy

Policy	Setting
Enforce password history	1 passwords remembered
Maximum password age	0 days
Minimum password age	0 days
Minimum password length	5 characters
Password must meet complexity requirements	Disabled
Store passwords using reversible encryption	Disabled

Account Policies/Account Lockout Policy

Policy	Setting
Account lockout duration	2 minutes
Account lockout threshold	10 invalid logon attempts
Reset account lockout counter after	2 minutes

Account Policies/Kerberos Policy

Policy	Setting
Enforce user logon restrictions	Enabled
Maximum lifetime for service ticket	600 minutes
Maximum lifetime for user ticket	10 hours
Maximum lifetime for user ticket renewal	7 days
Maximum tolerance for computer clock synchronization	5 minutes

Local Policies/Security Options

Accounts

Policy	Setting
Accounts: Rename guest account	"other"

Interactive Logon

Policy	Setting
Interactive logon: Do not display last user name	Enabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available)	0 logons

Network Security

Policy	Setting
Network security: Force logoff when logon hours expire	Disabled

Public Key Policies/Autoenrollment Settings

Policy

Setting

Enroll certificates automatically

Enabled

Renew expired certificates, update pending certificates, and remove revoked certificates	Disabled
Update certificates that use certificate templates	Disabled

Public Key Policies/Encrypting File System

Properties

Policy	Setting
Allow users to encrypt files using Encrypting File System (EFS)	Enabled

Certificates

Issued To	Issued By	Expiration Date	Intended Purposes
Administrator	Administrator	6/27/2005 2:37:50 PM	File Recovery

Public Key Policies/Trusted Root Certification Authorities

Properties

Policy	Setting
Allow users to select new root certification authorities (CAs) to trust	Enabled
Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only

Administrative Templates

Network/Network Connections

Policy	Setting
Prohibit use of Internet Connection Firewall on your DNS domain network	Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network	Enabled

Network/Network Connections/Windows Firewall/Domain Profile

Policy	Setting
Windows Firewall: Protect all network connections	Disabled

Network/Network Connections/Windows Firewall/Standard Profile

Policy	Setting
Windows Firewall: Protect all network connections	Disabled

Network/Offline Files

Policy

Setting

At logoff, delete local copy of user's offline files

Enabled

Causes the local copy of any offline file accessed by the user
to be deleted when the user logs off of the computer.

Delete only the temporary offline files.	Disabled

Policy

Setting

Default cache size

Enabled

Value entered is [ percent disk used * 10,000 ].
For example, to indicate 12.53%, enter 1253.

Default cache size:	100

Policy

Setting

Files not cached

Enabled

Files may be excluded from caching on auto-cache shared folders based
on their extension. Enter a list of extensions to be excluded. Extensions
must be preceded by an asterisk and period. "e.g. .dbf;.ndx;*.lnk

Extensions:	.exe,.dot,.htm,.js,.asp,.dll,.cab,.bin,.url,.html,.lnk,.dat,.jpg,.txt

Policy

Setting

Synchronize all offline files when logging on

Disabled

System/Logon

Policy	Setting
Always wait for the network at computer startup and logon	Enabled

System/User Profiles

Policy	Setting
Delete cached copies of roaming profiles	Enabled
Wait for remote user profile	Enabled

Windows Components/Windows Messenger

Policy	Setting
Do not allow Windows Messenger to be run	Enabled
Do not automatically start Windows Messenger initially	Enabled

User Configuration (Enabled)

Windows Settings

Remote Installation Services

Client Installation Wizard options

Policy	Setting
Custom Setup	Disabled
Restart Setup	Disabled
Tools	Disabled

Scripts

Logon

Name	Parameters
\\Network.local\sysvol\Network.local\scripts\logon.bat
\\Network.local\sysvol\Network.local\scripts\FavRegistry.vbs

Internet Explorer Maintenance

Connection/Automatic Browser Configuration

Policy	Setting
Automatically detect configuration settings	Disabled
Automatic Browser Configuration	Not configured

Security/Security Zones and Content Ratings

Security Zones and Privacy

These settings will not apply to users that log on to computers that have the Internet Explorer Enhanced Security Configuration (ESC) enabled. To create settings for users on computers that have ESC enabled, create a new GPO and edit that GPO on a computer where ESC is enabled.

Internet (Security Level: Custom)

.NET Framework-reliant components

Run components not signed with Authenticode	Enable
Run components signed with Authenticode	Enable

ActiveX controls and plug-ins

Download signed ActiveX controls	Prompt
Download unsigned ActiveX controls	Disable
Initialize and script ActiveX controls not marked as safe	Disable
Run ActiveX controls and plug-ins	Enable
Script ActiveX controls marked safe for scripting	Enable

Downloads

File download	Enable
Font download	Enable

Microsoft VM

Java permissions

High safety

Miscellaneous

Access data sources across domains	Enable
Allow META REFRESH	Enable
Display mixed content	Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists	Disable
Drag and drop or copy and paste files	Enable
Installation of desktop items	Prompt
Launching applications and unsafe files	Prompt
Launching programs and files in an IFRAME	Prompt
Navigate sub-frames across different domains	Enable
Software channel permissions	Medium safety
Submit nonencrypted form data	Prompt
Userdata persistence	Enable

Scripting

Active scripting	Enable
Allow paste operations via script	Enable
Scripting of Java applets	Enable

User Authentication

Logon

Automatic logon only in Intranet zone

Local intranet (Security Level: Low)

.NET Framework-reliant components

Run components not signed with Authenticode	Enable
Run components signed with Authenticode	Enable

ActiveX controls and plug-ins

Download signed ActiveX controls	Enable
Download unsigned ActiveX controls	Prompt
Initialize and script ActiveX controls not marked as safe	Prompt
Run ActiveX controls and plug-ins	Enable
Script ActiveX controls marked safe for scripting	Enable

Downloads

File download	Enable
Font download	Enable

Microsoft VM

Java permissions

Low safety

Miscellaneous

Access data sources across domains	Enable
Allow META REFRESH	Enable
Display mixed content	Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists	Enable
Drag and drop or copy and paste files	Enable
Installation of desktop items	Enable
Launching applications and unsafe files	Enable
Launching programs and files in an IFRAME	Enable
Navigate sub-frames across different domains	Enable
Software channel permissions	Low safety
Submit nonencrypted form data	Enable
Userdata persistence	Enable

Scripting

Active scripting	Enable
Allow paste operations via script	Enable
Scripting of Java applets	Enable

User Authentication

Logon

Automatic logon with current username and password

Sites

Require server verification (https:) for all sites in this zone	Disabled
Include all local (intranet) sites not listed in other zones	Enabled
Include all sites that bypass the proxy server	Enabled
Include all network paths (UNCs)	Enabled

Sites in this zone
*.Network.local
http://172.16.2.15/

Trusted sites (Security Level: Low)

.NET Framework-reliant components

Run components not signed with Authenticode	Enable
Run components signed with Authenticode	Enable

ActiveX controls and plug-ins

Download signed ActiveX controls	Enable
Download unsigned ActiveX controls	Prompt
Initialize and script ActiveX controls not marked as safe	Prompt
Run ActiveX controls and plug-ins	Enable
Script ActiveX controls marked safe for scripting	Enable

Downloads

File download	Enable
Font download	Enable

Microsoft VM

Java permissions

Low safety

Miscellaneous

Access data sources across domains	Enable
Allow META REFRESH	Enable
Display mixed content	Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists	Enable
Drag and drop or copy and paste files	Enable
Installation of desktop items	Enable
Launching applications and unsafe files	Enable
Launching programs and files in an IFRAME	Enable
Navigate sub-frames across different domains	Enable
Software channel permissions	Low safety
Submit nonencrypted form data	Enable
Userdata persistence	Enable

Scripting

Active scripting	Enable
Allow paste operations via script	Enable
Scripting of Java applets	Enable

User Authentication

Logon

Automatic logon with current username and password

Sites

Require server verification (https:) for all sites in this zone

Disabled

Sites in this zone
http://webmail.sd61.bc.ca/
https://lyra.sd61.bc.ca/

Restricted sites (Security Level: High)

.NET Framework-reliant components

Run components not signed with Authenticode	Disable
Run components signed with Authenticode	Disable

ActiveX controls and plug-ins

Download signed ActiveX controls	Disable
Download unsigned ActiveX controls	Disable
Initialize and script ActiveX controls not marked as safe	Disable
Run ActiveX controls and plug-ins	Disable
Script ActiveX controls marked safe for scripting	Disable

Downloads

File download	Disable
Font download	Prompt

Microsoft VM

Java permissions

Disable Java

Miscellaneous

Access data sources across domains	Disable
Allow META REFRESH	Disable
Display mixed content	Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists	Disable
Drag and drop or copy and paste files	Prompt
Installation of desktop items	Disable
Launching applications and unsafe files	Prompt
Launching programs and files in an IFRAME	Disable
Navigate sub-frames across different domains	Disable
Software channel permissions	High safety
Submit nonencrypted form data	Prompt
Userdata persistence	Disable

Scripting

Active scripting	Disable
Allow paste operations via script	Disable
Scripting of Java applets	Disable

User Authentication

Logon

Prompt for user name and password

Sites

Sites in this zone
None

Privacy

Privacy Level

Medium

Web Sites

Always allow	None
Always block	None

Administrative Templates

Microsoft Office 2003/Shared paths

Policy

Setting

Workgroup templates path

Enabled

Workgroup templates path

\\Server\Office\FILES\NewTemplates

Microsoft Office Access 2007/Miscellaneous

Policy

Setting

Default file format

Enabled

Access 2002-2003

Microsoft Office Excel 2003/Block file formats/Open

Policy	Setting
Block opening binary file types	Disabled
Block opening Database and Datasource files	Disabled
Block opening DBF 2 (dBASE II) (*.dbf) files	Disabled
Block opening DIF and SYLK file types	Disabled
Block opening Html and Xmlss file types	Disabled
Block opening Lotus and Quattro files	Disabled
Block opening Microsoft Excel 4.0 Charts (*.xlc) files	Disabled
Block opening text file types	Disabled
Block opening through converters	Disabled
Block opening Xll file types	Disabled
Block opening Xml file types	Disabled

Microsoft Office Excel 2003/Block file formats/Save

Policy	Setting
Block saving binary file types	Disabled
Block saving Database and Datasource files	Disabled
Block saving DBF 2 (dBASE II) (*.dbf) files	Disabled
Block saving DIF and SYLK file types	Disabled
Block saving Html and Xmlss file types	Disabled
Block saving Lotus and Quattro files	Disabled
Block saving Microsoft Excel 4.0 Charts (*.xlc) files	Disabled
Block saving text file types	Disabled
Block saving through converters	Disabled
Block saving Xml file types	Disabled

Microsoft Office Excel 2007/Block file formats/Open

Policy	Setting
Block opening of Binary 12 file types	Disabled
Block opening of Binary file types	Disabled
Block opening of DIF and SYLK file types	Disabled
Block opening of Html and Xmlss files types	Disabled
Block opening of Open XML file types	Disabled
Block opening of pre-release versions of file formats new to Excel 2007	Disabled
Block opening of Text file types	Disabled
Block opening of Xll file type	Disabled
Block opening of Xml file types	Disabled

Microsoft Office Excel 2007/Block file formats/Save

Policy	Setting
Block saving DIF and SYLK file types	Disabled
Block saving of Binary file types	Disabled
Block saving of Binary12 file types	Disabled
Block saving of Html and Xmlss file types	Disabled
Block saving of Open Xml file types	Disabled
Block saving of Text file types	Disabled
Block saving Xml file types	Disabled

Microsoft Office Excel 2007/Excel Options/Save

Policy

Setting

Save Excel files as

Enabled

Save Excel files as

Excel 97-2003 Workbook (*.xls)

Microsoft Office PowerPoint 2003/Block file formats/Open

Policy	Setting
Block open Html file types	Disabled
Block opening binary file types	Disabled
Block opening files before PowerPoint 97	Disabled
Block opening Outlines	Disabled
Block opening through converters	Disabled

Microsoft Office PowerPoint 2003/Block file formats/Save

Policy	Setting
Block saving binary file types	Disabled
Block saving files before PowerPoint 97	Disabled
Block saving graphic filters	Disabled
Block saving Html file types	Disabled
Block saving Outlines	Disabled
Block saving through converters	Disabled

Microsoft Office PowerPoint 2007/PowerPoint Options/Save

Policy

Setting

Save files in this format

Enabled

Save files in this format

PowerPoint 97-2003 Presentation (*.ppt)

Microsoft Office Publisher 2007/Tools | Options.../General

Policy	Setting
Show Publication Types when starting Publisher	Disabled

Microsoft Office Word 2003/Block file formats/Open

Policy

Setting

Block opening binary file types

Disabled

Block opening files before version

Enabled

	Word 4.x for Macintosh

This policy will prevent opening Word documents with versions below the default version value specified in the dropdown list.
As an example, the default value of this key is set to 'Word 6.0 for Windows'. So under this policy all Word documents starting
from Word 1.x for Windows up to Word 2.x for Windows Taiwan are blocked from opening. You have the option to increase or
decrease the default version. The versions specified in the dropdown list are in ascending order.

Policy

Setting

Block opening Html file types

Disabled

Block opening internal files

Disabled

Block opening Rtf file types

Disabled

Block opening text file types

Disabled

Block opening through converters

Disabled

Block opening WLL files

Disabled

Block opening Word 2003 Xml file types

Disabled

Microsoft Office Word 2003/Block file formats/Save

Policy	Setting
Block saving binary file types	Disabled
Block saving Html file types	Disabled
Block saving Rtf file types	Disabled
Block saving text file types	Disabled
Block saving through converters	Disabled
Block saving Word 2003 Xml file types	Disabled

Microsoft Office Word 2007/Block file formats/Open

Policy	Setting
Block open Converters	Disabled
Block opening of Binary file types	Disabled
Block opening of files before version	Disabled
Block opening of HTML file types	Disabled
Block opening of Internal file types	Disabled
Block opening of Open XML file types	Disabled
Block opening of pre-release versions of file formats new to Word 2007	Disabled
Block opening of RTF file types	Disabled
Block opening of Text file types	Disabled
Block opening of Word 2003 XML file types	Disabled

Microsoft Office Word 2007/Block file formats/Save

Policy	Setting
Block saving of Binary file types	Disabled
Block saving of Converters	Disabled
Block saving of HTML file types	Disabled
Block saving of Open XML file types	Disabled
Block saving of RTF file types	Disabled
Block saving of Text file types	Disabled
Block saving of Word 2003 XML file types	Disabled

Microsoft Office Word 2007/Word Options/Save

Policy

Setting

Save files in this format

Enabled

Save files in this format

Word 97 - 2003 Document (*.doc)

Network/Offline Files

Policy	Setting
Do not automatically make redirected folders available offline	Enabled
Synchronize all offline files before logging off	Enabled
Synchronize all offline files when logging on	Disabled

System

Policy	Setting
Don't display the Getting Started welcome screen at logon	Enabled

Windows Components/Windows Messenger

Policy	Setting
Do not allow Windows Messenger to be run	Enabled
Do not automatically start Windows Messenger initially	Enabled

Extra Registry Settings

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting	State
Software\Policies\Microsoft\Office\9.0\Common\General\SharedTemplates	\\Server\Office\FILES\NewTemplates