Re: Printers don't assign after GPO Security changes...




"Hutchy" <Hutchy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8E48FD7D-F2E3-4F0F-A03F-47C0F26DBFE9@xxxxxxxxxxxxxxxx
Hi guys,

Got a bit of a complicated one so put your thinking caps on.

We've gone through recently and tightened down our Win2k3 domain (with only WinXP clients) using Group Policy.

Since we have made some changes, most of which are recommended or required, clients are no longer having their printers mapped via logon script.

These are the Security GPO changes made:

- Domain controller: LDAP server signing requirements (Require signing)
- Domain member: Digitally encrypt or sign secure channel data (always) (Enabled)
- Domain member: Require strong (Windows 2000 or later) session key (Enabled)
- Network access: Allow anonymous SID/Name translation (Disabled)
- Network access: Do not allow anonymous enumeration of SAM accounts (Enabled)
- Network access: Do not allow anonymous enumeration of SAM accounts and shares (Enabled)
- Network access: Let Everyone permissions apply to anonymous users (Disabled)

As for the printers, users were getting their access via the EVERYONE group. I have confirmed that as far as the Printer groups go, everyone is a member of their associated groups.

The logon script says that if you are a member of that group, then map that specific printer. Since the groups aren't assigned to the printers, they were naturally getting their access (previously) via the EVERYONE group.

Since the above security changes, users seem to have lost their access to the EVERYONE group and the logon script is no longer installing the printers for them.

I can confirm that the logon script has not changed since no one here knows VB :o)

It was definitely one of the above changes. Can anyone think of which one?

Thank you

Hutchy

