Commit 5f26c941 authored by Chris Sharp, committed by Commit Bot

Update microsoft® active directory® management settings policy descriptions

Bug: 1018157
Change-Id: I25928585781ed1f89fc0048846c6cd4c7e48e889
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2456028
Commit-Queue: Chris Sharp <csharp@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#815172}
parent 77876d9d
...@@ -8081,15 +8081,17 @@ ...@@ -8081,15 +8081,17 @@
'id': 415, 'id': 415,
'caption': '''Allowed Kerberos encryption types''', 'caption': '''Allowed Kerberos encryption types''',
'tags': ['system-security'], 'tags': ['system-security'],
'desc': '''Sets encryption types that are allowed when requesting Kerberos tickets from an <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> server. 'desc': '''Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> server.
If the policy is set to 'All', both the AES encryption types 'aes256-cts-hmac-sha1-96' and 'aes128-cts-hmac-sha1-96' as well as the RC4 encryption type 'rc4-hmac' are allowed. AES encryption takes preference if the server supports both types. Note that RC4 is insecure and the server should be reconfigured if possible to support AES encryption. Setting the policy to:
* All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.
If the policy is set to 'Strong' or if it is unset, only the AES encryption types are allowed. * Strong or leaving it unset allows only the AES types.
If the policy is set to 'Legacy', only the RC4 encryption type is allowed. This option is insecure and should only be needed in very specific circumstances. * Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.
See also https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.''', Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.''',
}, },
{ {
'name': 'DeviceUserPolicyLoopbackProcessingMode', 'name': 'DeviceUserPolicyLoopbackProcessingMode',
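Review bot: the new All bullet carries no security warning even though it still allows rc4-hmac. The old text attached "Note that RC4 is insecure and the server should be reconfigured if possible to support AES encryption" to the 'All' value, and the new text gives that advice only under Legacy. An administrator choosing All should still be told that the setting leaves RC4 allowed, so repeat the sentence on the All bullet or move it to a closing note that covers both All and Legacy. In the Legacy bullet, "It should only be needed in very specific circumstances" now reads as referring to RC4 rather than to the option; "This option should only be needed in very specific circumstances" keeps the old meaning.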
...@@ -8126,13 +8128,13 @@ ...@@ -8126,13 +8128,13 @@
'id': 416, 'id': 416,
'caption': '''User policy loopback processing mode''', 'caption': '''User policy loopback processing mode''',
'tags': [], 'tags': [],
'desc': '''Specifies whether and how user policy from computer GPO is processed. 'desc': '''Setting the policy specifies whether and how user policy from computer Group Policy Object (GPO) is processed.
If the policy is set to 'Default' or if it is unset, user policy is read only from user GPOs (computer GPOs are ignored). * Default or leaving it unset has user policy read only from user GPOs. Computer GPOs are ignored.
If the policy is set to 'Merge', user policy in user GPOs is merged with user policy in computer GPOs (computer GPOs take preference). * Merge will merge user policy in user GPOs with that of computer GPOs. Computer GPOs take precedence.
If the policy is set to 'Replace', user policy in user GPOs is replaced by user policy in computer GPOs (user GPOs are ignored).''', * Replace will replace user policy in user GPOs with that of computer GPOs. User GPOs are ignored.''',
}, },
{ {
'name': 'DeviceMachinePasswordChangeRate', 'name': 'DeviceMachinePasswordChangeRate',
...@@ -8149,15 +8151,13 @@ ...@@ -8149,15 +8151,13 @@
'id': 425, 'id': 425,
'caption': '''Machine password change rate''', 'caption': '''Machine password change rate''',
'tags': ['system-security'], 'tags': ['system-security'],
'desc': '''Specifies the rate (in days) at which a client changes their machine account password. The password is randomly generated by the client and not visible to the user. 'desc': '''Setting the policy specifies in days how often a client changes their machine account password. The password is randomly generated by the client and not visible to the user. Disabling this policy or setting a high number of days can negatively impact security, because it gives potential attackers more time to find and use the machine account password.
Just like user passwords, machine passwords should be changed regularly. Disabling this policy or setting a high number of days can have a negative impact on security since it gives potential attackers more time to find the machine account password and use it. Leaving the policy unset means the machine account password is changed every 30 days.
If the policy is unset, the machine account password is changed every 30 days. Setting the policy to 0 turns off machine account password change.
If the policy is set to 0, machine account password change is disabled. Note: Passwords might get older than the specified number of days if the client has been offline for a longer period of time.''',
Note that passwords might get older than the specified number of days if the client has been offline for a longer period of time.''',
}, },
{ {
'name': 'DeviceGpoCacheLifetime', 'name': 'DeviceGpoCacheLifetime',
...@@ -8174,11 +8174,13 @@ ...@@ -8174,11 +8174,13 @@
'id': 508, 'id': 508,
'caption': '''GPO cache lifetime''', 'caption': '''GPO cache lifetime''',
'tags': [], 'tags': [],
'desc': '''Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache. Instead of re-downloading GPOs on every policy fetch, the system may reuse cached GPOs as long as their version does not change. This policy specifies the maximum duration for which cached GPOs may be reused before they are re-downloaded. Rebooting and logging out clears the cache. 'desc': '''Setting the policy specifies in hours the Group Policy Object (GPO) cache lifetime—the maximum duration GPOs can be reused before they're redownloaded. Instead of redownloading them on every policy fetch, the system reuses cached GPOs as long as their version doesn't change.
Setting the policy to 0 turns GPO caching off. Doing this increases server load, because GPOs are redownloaded on every policy fetch, even if they didn't change.
If the policy is unset, cached GPOs may be reused for up to 25 hours. Leaving the policy unset means cached GPOs can be reused for up to 25 hours.
If the policy is set to 0, GPO caching is turned off. Note that this increases server load since GPOs are re-downloaded on every policy fetch, even if they did not change.''', Note: Restarting and signing out clears the cache.''',
}, },
{ {
'name': 'DeviceAuthDataCacheLifetime', 'name': 'DeviceAuthDataCacheLifetime',
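Review bot: the new note "Restarting and signing out clears the cache" reads as if both actions are required (the old "Rebooting and logging out clears the cache" had the same problem). If either action alone clears the cache, say "Restarting or signing out clears the cache". In the first sentence, "the maximum duration GPOs can be reused" dropped the word "cached" that the old text had; "the maximum duration for which cached GPOs can be reused before they're redownloaded" is clearer, and splitting the definition into its own sentence avoids the dash-joined clause.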
...@@ -8195,13 +8197,13 @@ ...@@ -8195,13 +8197,13 @@
'id': 509, 'id': 509,
'caption': '''Authentication data cache lifetime''', 'caption': '''Authentication data cache lifetime''',
'tags': ['admin-sharing'], 'tags': ['admin-sharing'],
'desc': '''Specifies the lifetime (in hours) of the authentication data cache. The cache is used to speed up sign-in. It contains general data (workgroup name etc.) about affiliated realms, i.e. realms trusted by the machine realm. No user-specific data and no data for unaffiliated realms is cached. Rebooting the device clears the cache. 'desc': '''Setting the policy specifies in hours the authentication data cache lifetime. The cache has data about realms trusted by the machine realm (affiliated realms). So, authentication data caching helps speed up sign-in. User-specific data and data for unaffiliated realms isn't cached.
If the policy is unset, cached authentication data may be reused for up to 73 hours. Setting the policy to 0 turns authentication data caching off. Realm-specific data is fetched on every sign-in, so turning off authentication data caching can significantly slow down user sign-in.
If the policy is set to 0, authentication data caching is turned off. This can significantly slow down sign-in of affiliated users since realm-specific data has to be fetched on every sign-in. Leaving the policy unset means cached authentication data can be reused for up to 73 hours.
Note that realm data is cached even for ephemeral users. The cache should be turned off if tracing the realm of ephemeral users should be prevented.''', Note: Restarting the device clears the cache. Even ephemeral users' realm data is cached. Turn off the cache to prevent the tracing of an ephemeral user's realm.''',
}, },
{ {
'name': 'CloudPrintSubmitEnabled', 'name': 'CloudPrintSubmitEnabled',
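Review bot: the privacy guidance for ephemeral users is now folded into the closing "Note:" together with the restart remark, and the new description no longer says what kind of data the cache holds. The old text described it as "general data (workgroup name etc.)", which is what an administrator needs in order to judge whether caching an ephemeral user's realm is acceptable. Keep that example in the second sentence and give the ephemeral-user guidance its own line. Also, the old text limited the slowdown to "sign-in of affiliated users"; the new "can significantly slow down user sign-in" drops that qualifier and overstates the impact as written.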