LAN Manager authentication level

Ziek

Nov 5, 2004
Archived from groups: microsoft.public.win2000.group_policy

If I want to set the authentication level through group policy, would I do
this on the domain controller GPO, or the default domain policy?

Also, I see lots of people editing the account lockout policies on the
default domain policy, but doesn't this really belong on the domain
controllers GPO, since the accounts really reside on the domain controller?
 
Guest

If you want to apply the LAN Manager authentication level setting to domain
computers, then set it at the domain level. If you want to apply it to only
domain controllers, then configure it in Domain Controller Security Policy.
If you have no downlevel clients in the domain such as W9X, then you should
be able to safely configure "send NTLMv2 responses only/refuse LM" at the
domain and domain controller level. All account/password policy for domain
users, including account lockout, must be configured at the domain level.
Domain controllers read account/password policy at the domain level.

--- Steve


"Ziek" <ziek@nomail.net> wrote in message
news:uPDdb7BXFHA.3996@TK2MSFTNGP09.phx.gbl...
> if I want to set the authentication level through group policy, would I do
> this on the domain controller GPO, or the default domain policy?
>
> Also, I see lots of people editing the account lockout policies on the
> default domain policy, but doesn't this really belong on the domain
> controllers GPO, since the accounts really reside on the domain
> controller?
>
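Added example, not part of the original thread: one way to check which GPO carries the LAN Manager authentication level and whether account lockout settings sit in a GPO that is not linked at the domain level, by parsing each GPO's `GptTmpl.inf` security template. The function names and the sample templates are hypothetical and constructed for illustration.

```powershell
# Constructed sample templates, not taken from a real domain. On a live domain the file is
# \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$domainGpo = @'
[System Access]
LockoutBadCount = 5
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
'@
$dcGpo = @'
[System Access]
LockoutBadCount = 10
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
'@

# Parse the INF text into section -> key -> value (hypothetical helper).
function ConvertFrom-GptTmpl([string]$Text) {
    $result = @{}; $section = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{} }
        elseif ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    $result
}
# Report the LM level and any lockout settings one GPO carries (hypothetical helper).
function Test-GpoAuthSetting([string]$Name, [string]$Text, [bool]$LinkedAtDomain) {
    $t = ConvertFrom-GptTmpl $Text
    $lmKey = 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'
    $findings = @(); $raw = $null
    if ($t.ContainsKey('Registry Values')) { $raw = $t['Registry Values'][$lmKey] }
    if ($null -eq $raw) { $findings += 'LmCompatibilityLevel not defined' }
    else {
        # [Registry Values] entries are "<type>,<data>"; type 4 is REG_DWORD.
        $level = [int](($raw -split ',')[1])
        # Level 4 is "Send NTLMv2 response only\refuse LM", the setting named in the reply.
        if ($level -ge 4) { $findings += "LmCompatibilityLevel=$level" }
        else { $findings += "LmCompatibilityLevel=$level is below 4 (refuse LM)" }
    }
    # Per the reply above, lockout policy for domain users is read at the domain level only.
    $lockout = @()
    if ($t.ContainsKey('System Access')) { $lockout = @($t['System Access'].Keys | Where-Object { $_ -match 'Lockout' }) }
    if ($lockout.Count -gt 0 -and -not $LinkedAtDomain) {
        $findings += "lockout settings ($($lockout -join ', ')) here will not govern domain users"
    }
    [pscustomobject]@{ Gpo = $Name; Findings = $findings -join '; ' }
}
Test-GpoAuthSetting 'Default Domain Policy' $domainGpo $true | Format-List
Test-GpoAuthSetting 'Default Domain Controllers Policy' $dcGpo $false | Format-List
```

With the constructed input, the domain GPO reports level 4, and the domain controllers GPO is flagged twice: its level 2 is below the "refuse LM" setting, and its `LockoutBadCount` is defined where domain user accounts will not pick it up.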
 
Guest

> if I want to set the authentication level through group policy, would
> I do this on the domain controller GPO, or the default domain policy?
>
> Also, I see lots of people editing the account lockout policies on
> the default domain policy, but doesn't this really belong on the
> domain controllers GPO, since the accounts really reside on the domain
> controller?

If you are talking about the Password Policy settings when you say
"authentication level" then it must be done at the Default Domain GP
because that is the only place it will work. I never touch the Domain
Controllers OU ever. I leave it exactly as it is because it contains a
lot of default settings that can cause lots of problems if you mess
with them.

The accounts reside in the Domain. The Domain Controllers GP is to
control the "Domain Controller Computer" accounts, nothing else.

Cheers,

Lara
