Huh? Open ADUC. Go to the Builtin container. Look in "Pre-Windows 2000 Compatible Access". What's under the Members tab?

Otherwise, you need to look at the RestrictAnonymous registry key and domain policy. http://support.microsoft.com/kb/246261/ for the registry key. Click around in "Default Domain Policy" for the policy.

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Jim Dandy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 30, 2008 1:49 PM
To: NT System Admin Issues
Subject: Eliminating Anonymous connections to DCs

Sorry for the long post. I'd appreciate it if you could hang in there and read through this. My question is, are anonymous connections eliminated?

A document I have says "After you upgrade all the servers in the domain hosting services that run as Local System and use Anonymous or null credentials when accessing a domain controller, such as Windows NT 4.0 RAS servers, remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access built-in group. This task increases the security of your domain by preventing anonymous connections to the domain controllers."

The document then suggests doing so with the command

    Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete

I can't remember if I did this back when I upgraded from NT to Server 2003. I'm now running both the forest and domain in Server 2003 mode with all DCs running Server 2003.

I logged onto my DC and executed the above command with Everyone substituted in for groupname. I got the error

    System error 2 has occurred
    The system file cannot find the file specified

Doing the same, substituting in anonymous for groupname, I got the error

    There is no such global user or group: Anonymous

I read you can test to see if anonymous access is disabled with the command

    Net user \\servername\ipc$ /u:"" ""

I executed this command from another computer on the network and got "Logon failure: unknown user name or bad password."
I also read you can test anonymous access with the command

    Net user \\ipc$ /u:"" ""

I executed this command while logged on to the DC and got "System error 67 has occurred." I wasn't sure if this command was actually valid, so I retried with a slight modification

    Net user \\localhost\ipc$ /u:"" ""

This time I got "The command completed successfully."

So the question is, is anonymous access still enabled or do I need to do something further to disable it?

Thanks for your help.

Curt

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
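
An added example, not part of the original thread: a PowerShell check, run on a domain controller, of the two things the reply points to, the membership of "Pre-Windows 2000 Compatible Access" and the RestrictAnonymous setting. It assumes the ActiveDirectory module is installed; the Lsa registry path and the related values RestrictAnonymousSAM and EveryoneIncludesAnonymous are not named in the thread, and members are matched by well-known SID rather than by display name.

```powershell
# Added example, not from the thread. Run on a domain controller.
# Assumption: the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Well-known SIDs, so the check does not depend on how the names are spelled.
$groupSid = 'S-1-5-32-554'          # Pre-Windows 2000 Compatible Access
$risky = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

# Read the raw member list; well-known principals appear as
# CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>.
$group = Get-ADGroup -Identity $groupSid -Properties member
$found = foreach ($dn in $group.member) {
    if ($dn -match '^CN=(S-1-[0-9-]+),') {
        $sid = $Matches[1]
        if ($risky.ContainsKey($sid)) { $risky[$sid] }
    }
}

if ($found) {
    Write-Output "Members to review in '$($group.Name)': $($found -join ', ')"
} else {
    Write-Output "Neither Everyone nor Anonymous Logon is a member of '$($group.Name)'."
}

# Anonymous-access values under the Lsa key (path and the last two
# value names are assumptions beyond what the thread mentions).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    $value = $lsa.$name
    if ($null -eq $value) { $value = '(not set)' }
    Write-Output ('{0,-28} {1}' -f $name, $value)
}
```

The script only reads the group and the registry; it changes nothing. A domain GPO can override the local registry values, so compare the output with what "Default Domain Policy" and the domain controllers' policy configure.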
