What version is your 2K DC up to? Is it SP4? That aside, I would expect a setting of 1 to prevent enumeration per http://support.microsoft.com/kb/246261

Upgrading would not be a bad idea if that's possible. I'm just wondering whether those are all the settings needed to prevent the anonymous enumeration of accounts (not necessarily SAM, but maybe some other way to get them that is being used?), because that setting of 1 should prevent the enumeration based on the description; else it's a bug to be fixed, right?

A lot more examples of situations that use this key and what it could break (although you already know about them, I'm sure): http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

I don't expect GPOs to be that smart, although it would be more intuitive if they were. You could separate the GPO or set that setting manually for both in the meantime to get the results you want. <<<workaround>>>

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Tuesday, March 01, 2005 10:24 AM
To: [email protected]
Subject: [ActiveDir] Group Policy weirdness (or maybe 2K/2K3 interop weirdness)

Hello folks, this is driving me batty. Somebody tell me if I'm doing something wrong, or if this is a case of some sort of GPO/interoperability weirdness.

Current Configuration:
- Single forest, single domain
- 2 Windows Server 2003 DCs
- 1 Windows 2000 Advanced Server DC

Relevant Group Policy settings:
- Allow anonymous SID/Name translation, configured as "Disabled"
- Do not allow anonymous enumeration of SAM accounts, configured as "Enabled"
- Do not allow anonymous enumeration of SAM accounts and shares, configured as "Enabled"
- Let Everyone permissions apply to anonymous users, configured as "Disabled"

The above GPO settings create the following registry entries on both the 2K and the 2K3 domain controllers:

HKLM\CurrentControlSet\Control\LSA\
restrictanonymous - REG_DWORD - Value: 1
restrictanonymousSAM - REG_DWORD - Value: 1

Now, I know that there was a change between 2K and 2K3, where the recommended setting for 2000 was meant to be:

HKLM\CurrentControlSet\Control\LSA\restrictanonymous - REG_DWORD - Value: 2

...and setting that key to "1" in 2K was essentially useless. But because the 2K server is receiving restrictanonymous - Value: 1 (I assume from the GPO), anonymous users are able to enumerate the SAM on my 2K DC, which is leaving me open to dictionary attacks/DoS attacks from account lockouts.

<wishful thinking>Shouldn't Group Policy be smart enough to populate the registry of each DC with the proper entries for the relevant OS?</wishful thinking>

Or do I need to either find a workaround or kill off my 2K DC? (Or am I just doing something stupid, which is always a possibility? :-))

Thanks all,
Laura

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
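A quick audit script for the situation the thread describes, added here as an example and not code from either poster: it reads RestrictAnonymous and RestrictAnonymousSAM from each DC's LSA key and flags any Windows 2000 DC that received 1 instead of the 2 that OS needs. The DC names are constructed placeholders, and it assumes the Remote Registry service and WMI are reachable on each DC from the machine running it.

```powershell
# Added example: check RestrictAnonymous / RestrictAnonymousSAM on each DC
# against what the thread says each OS needs:
#   Windows 2000        -> RestrictAnonymous must be 2 (1 is ineffective on 2K)
#   Windows Server 2003 -> RestrictAnonymous = 1 and RestrictAnonymousSAM = 1
# Assumes Remote Registry and WMI are reachable on every DC listed.
param([string[]]$DomainControllers = @('dc01', 'dc02', 'dc03'))  # constructed names

$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue {
    param([string]$Computer, [string]$Name)
    # Remote Registry works against Windows 2000 too, where PowerShell remoting does not exist
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($lsaPath)
        # A missing value means no restriction, so treat it as 0
        return [int]($key.GetValue($Name, 0))
    } finally {
        $hklm.Close()
    }
}

foreach ($dc in $DomainControllers) {
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc
    $ra  = Get-LsaValue -Computer $dc -Name 'RestrictAnonymous'
    $ras = Get-LsaValue -Computer $dc -Name 'RestrictAnonymousSAM'

    # Win32_OperatingSystem.Version is "5.0.x" on Windows 2000 and "5.2.x" on Server 2003
    if ($os.Version -like '5.0.*') {
        $expected  = 'RestrictAnonymous=2'
        $compliant = ($ra -eq 2)
    } else {
        $expected  = 'RestrictAnonymous=1, RestrictAnonymousSAM=1'
        $compliant = ($ra -ge 1 -and $ras -eq 1)
    }

    [pscustomobject]@{
        DC                   = $dc
        OS                   = $os.Caption
        RestrictAnonymous    = $ra
        RestrictAnonymousSAM = $ras
        Expected             = $expected
        Compliant            = $compliant
    }
}
```

A 2K DC that shows RestrictAnonymous=1 and Compliant=False is the case Laura describes; the fix is either a separate GPO for that DC or setting the value to 2 by hand, as Al suggests.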
