On Thu, Apr 11, 2002 at 12:47:08PM -0500, Esh, Andrew wrote:
> Here it is:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q143474
>
> It's a key in the Registry called:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
>
> If it's not there (the default), anonymous logins are allowed.

Here's my collection of links on the subject:

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
http://www1.securityfocus.com/frames/?focus=microsoft&content=/focus/microsoft/nt/restrict.html

You can also use rpcclient to test whether it is turned on for a given machine. Run rpcclient pdcname -U% -c querydispinfo. If you get an error (hmm - haven't done it in a while so I can't remember the exact name of it) then you probably have restrict anonymous set for that machine. You can then run rpcclient with -Uusername%password and it should work when the anonymous connection did not.

Hmm - maybe I should put a level 0 debug in the winbindd log file when that particular error is encountered?

Tim.
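
The two-step rpcclient check described in the message above, as an added shell example that is not part of the original post. It assumes Samba's rpcclient is on PATH and treats any non-zero exit as a failed probe, since the message does not name the exact error; the function names and the RPC_CREDS variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit hosts you administer for anonymous (null session) access
# using the two rpcclient probes from the message.
# Assumption: any non-zero exit status counts as a failed probe.

# probe HOST CREDS
# Runs querydispinfo with the given -U value; only the exit status is used.
probe() {
    rpcclient "$1" -U"$2" -c querydispinfo >/dev/null 2>&1
}

# check_anonymous HOST [USER%PASSWORD]
# Prints one word:
#   anonymous-allowed     anonymous probe succeeded
#   anonymous-refused     anonymous probe failed, no credentials to confirm why
#   restricted            anonymous failed but authenticated probe worked,
#                         which is the pattern the message ties to RestrictAnonymous
#   unreachable-or-other  both probes failed, so the failure is not evidence
#                         of RestrictAnonymous (host down, bad credentials, ...)
check_anonymous() {
    host=$1
    creds=${2:-}
    if probe "$host" "%"; then
        echo "anonymous-allowed"
    elif [ -z "$creds" ]; then
        echo "anonymous-refused"
    elif probe "$host" "$creds"; then
        echo "restricted"
    else
        echo "unreachable-or-other"
    fi
}

# Check every host named on the command line. Credentials are read from the
# environment (hypothetical variable RPC_CREDS, in user%password form).
# Note: a password passed via -U is visible in the local process list.
for h in "$@"; do
    printf '%s\t%s\n' "$h" "$(check_anonymous "$h" "${RPC_CREDS:-}")"
done
```

The "restricted" result needs the authenticated probe: an anonymous failure on its own cannot be told apart from a host that is simply unreachable.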
