GPO - password policy - Urgent

Posted by Fernando Mantovani on February 2, 2006, 11:34 am
I'm really desperate!!!

I have installed a new domain, with XP and 98 workstations. Everything
works fine!

So, I changed the password policy to enable complexity with a minimum of 7
characters. Only after this I saw that 98 can't use password complexity; it
only accepts it with dsclient.exe and a DWORD in the registry to force NTLMv2
authentication (I tried this too, but with this setting I can't log on even
with the enterprise admin (that temporarily has a simple password)).

So, my problem is that I changed the default domain policy to disable
password complexity, but I can't change to a simple password for any user of
my domain.

Is there a way to reset the default domain policy and the default domain
controllers policy to "default"?

Someone has any ideas??

Tks!



Posted by Steven L Umbach on February 2, 2006, 12:49 pm
That is curious that you are having a problem with Windows 98, since I would
think Windows 98 would work with any password up to 14 characters, but I
don't have a Windows 98 computer handy to try such out. I know that if you
disable storage of LM hashes you can have problems with Windows 98 computers
if you also enforced that recently; this is done via a security option for
Windows 2003 domain controllers in either Local Security Policy [secpol.msc]
or Domain Controller Security Policy, or via a registry entry for Windows 2000
domain controllers. You may also have problems if you configure the LAN
Manager authentication level security option to be too secure for domain
controllers, such as "use NTLMv2 only, refuse LM" or "refuse LM and NTLM",
when using Windows 98 computers in the domain. To disable password complexity
you set it to disabled in Domain Security Policy or whatever domain-level GPO
is applying password policy. The link below explains some of the problems
you can have with downlevel clients such as Windows 98 with certain security
option settings. So what I would do is check the LAN Manager authentication
level for domain controllers and make sure storage of LM hashes is not
disabled, to see if that helps or not, and check the KB article for other
possible incompatibilities. I really doubt it is related to password
complexity if the minimum password length is 7 characters and the user is not
trying to use a password over 14 characters. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656 --- info
on disabling LM hash
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869 --- LAN
Manager authentication level




Posted by Fernando Mantovani on February 2, 2006, 1:47 pm
Steven, thank you very much for your help. I'm still reading the KB
articles...

Is there a way to TOTALLY RESET the default domain policy and default
domain controllers policy? I don't think so, because after we set a value, if
we set the policy to Not Defined, the first value will still take effect,
correct?

I think I applied a .inf (it was securedc.inf) that didn't let 98 computers
log on to the domain..

Tks again,

Fernando





Posted by Steven L Umbach on February 2, 2006, 2:41 pm
OK, that explains a lot. What you can do is use the MMC snap-in for
Security Templates to examine the securedc.inf template and look under
Security Options, where you will see exactly which security options were
changed, and then refer to the KB article to see where incompatibilities
arise. Also, you should know that for Windows 2003 you can use secedit to
create a rollback template, which you must create before you apply a security
template, so that you can apply the rollback template to undo changes; that
would let you easily fix your problem. Right now I am looking at the
securedc.inf template and offhand I see your problem as LAN Manager
authentication level and "do not store LAN Manager hash", and maybe one or
more of the anonymous access security settings that are defined. To start
with I would set LAN Manager authentication level on the domain controller
to "send LM & NTLM responses", since you have W98 computers without the
DS client installed, and later you could try setting it to "send NTLMv2
responses only", which should still let the server accept LM authentication.
Also set "store LM hash" to disabled. I am not sure if that will do it or
if you will also need to tweak anonymous access settings, but the KB article
can help with that, and the link below to the Windows 2003 Server Security
Guide [I assume you are using Windows 2003??] should show recommendations
for the security options in question, for which you would want to use legacy
settings. After changing security settings run gpupdate /force on the
server. You could also view the "setup security.inf" security template to see
what it shows for security options and, for those that were changed by
securedc.inf, set them to what it shows for "setup security.inf". --- Steve

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch04.mspx

--- Windows 2003 Server Security Guide
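Steve's "compare securedc.inf against setup security.inf" step, as an added example that is not part of the thread: it parses two security templates in the .inf layout, lists every setting the hardened one changed, and flags the two values the KB articles above tie to Windows 98 logon failures. Both templates are constructed stand-ins, not copies of Microsoft's files.

```python
# Added example: diff a hardening template against a baseline and flag the
# settings that break Windows 98 logon. Both templates below are constructed.
import configparser
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
LM_KEY, NOLM_KEY = LSA + r"\LmCompatibilityLevel", LSA + r"\NoLMHash"
# Constructed stand-in for the hardened template (real .inf section layout).
HARDENED_INF = r"""
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""
# Constructed stand-in for the pre-hardening baseline ("setup security.inf").
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
"""

def parse_template(text):
    # Registry lines are '<path>=<REG type>,<data>'; keep only the data part.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # registry paths stay case-sensitive
    cp.read_string(text)
    out = {}
    for section in cp.sections():
        for key, raw in cp.items(section):
            val = raw.strip()
            out[key] = val.partition(",")[2] if section == "Registry Values" else val
    return out

def diff_templates(applied, baseline):
    # {key: (baseline value, applied value)} for every setting that changed
    a, b = parse_template(applied), parse_template(baseline)
    return {k: (b.get(k), v) for k, v in a.items() if b.get(k) != v}

def downlevel_risks(applied):
    # KB 239869: level 4 refuses LM, level 5 refuses LM and NTLM.
    # KB 299656: NoLMHash=1 stops storing the LM hash Windows 98 authenticates with.
    s, findings = parse_template(applied), []
    if int(s.get(LM_KEY, "0")) >= 4:
        findings.append("LmCompatibilityLevel>=4: DC refuses LM responses from Win98")
    if s.get(NOLM_KEY) == "1":
        findings.append("NoLMHash=1: new passwords get no LM hash for Win98 logon")
    return findings
```

Point `parse_template` at the text of a real exported template and the diff shows exactly which values to set back before running gpupdate /force.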





Posted by Fernando Mantovani on February 2, 2006, 2:35 pm
Steve, another question... In the real situation, I left the enterprise admin
account with a non-secure password like "pass" and the default domain policy
requiring all users to have a complex password, like "Password2006".

With the enterprise admin account I can log on to 98 machines, and with other
users I can't log on.

So, I decided to disable password complexity in the default domain policy, but
I do this and effectively it doesn't change. I did this a hundred times, and I
did this now in my test lab, and it works! But in the enterprise where I'm
installing the new domain it doesn't change...

This is so easy..... =(

Do you have any idea?

Tks

Fernando

