Restrict Anonymous

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

Recently as a security measure we've implemented the registry change that
successfully restricts anonymous.
Running W2K SP4.

ex.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
with a setting of 2.

One of the side effects is that when a user's password expires they receive
a statement that they "do not have permissions to change their password". If
by chance they are prompted that the password will expire in XX days they
are successful in changing their passwords after they log on and are
validated.

I don't want to circumvent the security this feature adds but I do want to
stop the calls from end-users we are receiving due to their inability to change
their password. I tried letting the Everyone group have the permission on
user objects to change password in a TestOU and this still does not work.

Any help or information would be welcome and appreciated. Thanks for reading
the post.

Thanks,

Scott R
 

As you mentioned, that is one of the documented effects of implementing setting 2. I
am not aware of any workaround and you will have to make the decision of what is
more important - the "2" setting or users being able to change their passwords before
logging on. If you set it to "1" in the Domain Controller Security Policy, users
should be able to change their passwords before logging on again. If you have a
properly configured firewall, have implemented a complex password policy, and an
account lockout policy with a threshold of no less than ten lockout attempts, that
would not be a high-risk change in my opinion. --- Steve


"Scott R" <no@emailplease> wrote in message
news:%23VOyBoVeEHA.3348@TK2MSFTNGP09.phx.gbl...
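An added example, not part of the thread: a PowerShell audit that reads the RestrictAnonymous value Scott changed, spells out what each level means, and flags both the pre-logon password-change side effect and the lockout-threshold compensating control Steve describes. The function names are mine; it assumes an elevated session on the host being checked (ideally a domain controller) and English-language `net accounts` output, and the policy item name "Additional restrictions for anonymous connections" is the Windows 2000 Security Options entry behind this registry value.

```powershell
# Added example: audit RestrictAnonymous and the side effect discussed in the thread.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# An absent value means the Windows 2000 default of 0.
function Get-LocalRestrictAnonymous {
    $prop = Get-ItemProperty -Path $LsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.RestrictAnonymous
}

# Parse the lockout threshold from "net accounts"; "Never" (lockout disabled) yields 0.
function Get-LocalLockoutThreshold {
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(\d+)\s*$') { return [int]$Matches[1] }
    }
    return 0
}

# Assessment logic kept separate from the host reads so it can be reviewed on its own.
function Get-RestrictAnonymousAssessment {
    param(
        [Parameter(Mandatory)] [int] $RestrictAnonymous,
        [int] $LockoutThreshold = 0
    )
    $meaning = switch ($RestrictAnonymous) {
        0 { 'Default: anonymous (null-session) connections may enumerate accounts and shares' }
        1 { 'Anonymous enumeration of SAM accounts and share names is blocked' }
        2 { 'No anonymous access without explicit anonymous permissions' }
        default { "Unrecognised value $RestrictAnonymous" }
    }
    $findings = @()
    if ($RestrictAnonymous -eq 2) {
        $findings += 'Documented side effect: users whose password has expired cannot change it at logon. If that matters, relax to 1 via "Additional restrictions for anonymous connections" in Domain Controller Security Policy.'
    }
    if ($LockoutThreshold -eq 0) {
        $findings += 'Account lockout is disabled; the thread treats a lockout policy as a compensating control for running below 2.'
    } elseif ($LockoutThreshold -lt 10) {
        $findings += "Account lockout threshold is $LockoutThreshold; the thread recommends no less than ten attempts."
    }
    [pscustomobject]@{
        RestrictAnonymous = $RestrictAnonymous
        Meaning           = $meaning
        Findings          = $findings
    }
}

# Run against this host and print the result.
$assessment = Get-RestrictAnonymousAssessment -RestrictAnonymous (Get-LocalRestrictAnonymous) -LockoutThreshold (Get-LocalLockoutThreshold)
$assessment | Format-List
```

On a member server `net accounts` reports the local policy, so run it on a domain controller (or add `/domain`) to see the domain lockout threshold.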
 

Steven,

Thank you for taking the time to read my post and also your suggestions.

Scott R

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:dLRPc.239945$Oq2.103963@attbi_s52...