Re: AD and WinXP

From: Thomas Foster [MS] (a-thomf@online.microsoft.com)
Date: 06/21/02


From: "Thomas Foster [MS]" <a-thomf@online.microsoft.com>
Date: Thu, 20 Jun 2002 15:56:04 -0700


Hi John,

When "RestrictAnonymous" is changed to 2, the access-token for
non-authenticated users doesn't include the "Everyone" group, and because of
this, the access token no longer has access to those resources which grant
permissions to the "Everyone" group. But, many services and programs rely on
anonymous access to function. This can be overcome by explicitly assigning
the "Everyone" group permissions to specific objects in the tree.

Now, by default the Everyone group does not have the Change Password right
on a user object, so passwords cannot be changed over the null session
connection established between the workstation and a domain controller.
Instead, an authenticated session is required to change a password. The
most common way to overcome this is to assign the "Everyone" group the
"Change Password" permission.

Even adding the "Everyone" group to have permissions on the container in
which the user objects exist. Make sure that inheritance is not blocked by
the user. This would not propagate the "Change Password" ACE at the
container level, and you would have to grant the ACE to each user object in
the container explicitly.

Once you have verified propagation of the ACE, a default Domain Controller
Policy must exist that allows the group "Everyone" the policy right to
"Access this computer from the network".

The final probabilities to examine in the domain would be not only the fully
qualified domain name space (including the correct forward and reverse
records for the given hosts) but the synchronization of time within the
domain. The lack of reverse lookup for objects in your zone might prevent
proper authentication.

I hope this helps in answering any questions you might have about
restricting Anonymous Access in Windows 2000.

--
Thomas Foster
Microsoft Support
Get Secure! :  http://www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.
"John Singler" <singler@vet.upenn.edu> wrote in message
news:1051901c2185e$01b88ea0$9ae62ecf@tkmsftngxa02...
> Greetings,
>
> We have an Active Directory environment with mixed clients
> (win98, 2k, XP).
>
> Our security model is such that we have set
> RestrictAnonymous to 2 on our Domain Controllers (for more
> info. please see MSKB Q246261):
>
> <http://support.microsoft.com/directory/article.asp?
> ID=KB;EN-US;Q246261&>
>
> I know this breaks some functionality for DOWN-LEVEL
> clients (i.e., when a user on a win98 box is forced to
> change their password they are no longer able to do so).
> I can live with problematic down-level clients but I am
> seeing similar behavior from WinXP boxes (i.e., when forced
> to change their password users are not able to, resulting
> in the error message "You Do Not Have Permission to Change
> your Password" - though if you are already logged in to a
> WinXP box and choose to change your password you can do
> so).
>
> I thought this
> <http://support.microsoft.com/directory/article.asp?
> ID=kb;en-us;Q258788> might be the answer but it isn't.
>
> So, finally, here is my question: Does anyone have an
> environment configured like ours (restrictanonymous = 2),
> with winXP members, whose users can/cannot change their
> passwords when they are FORCED to?
>
> TIA.

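As an added example (not part of the original thread, and written with tooling that postdates it), the procedure Thomas describes carried out with the ActiveDirectory PowerShell module on a current domain: grant "Everyone" the Change Password control-access right on the container that holds the user objects, check that the ACE actually propagated to each user (the inheritance-blocked case the post warns about), then confirm the "Access this computer from the network" right, the forward/reverse DNS records and time sync. The OU path, domain and DC name are assumptions; the two GUIDs are the schema's User-Change-Password right and the user object class. Keep in mind the trade-off the post is describing: any ACE granted to Everyone is reachable over the same null session that RestrictAnonymous=2 was set to restrict, so scope it to the right and the objects that need it.

```powershell
# Added example, not from the original post. Requires RSAT / ActiveDirectory module.
# $ou, $domain and $dc are assumptions; replace with your own values.
Import-Module ActiveDirectory

$ou     = 'OU=Staff,DC=example,DC=com'   # assumption: container holding the user objects
$domain = 'example.com'                   # assumption
$dc     = 'dc1.example.com'               # assumption

# Well-known SID for Everyone, the User-Change-Password control-access right,
# and the schemaIDGUID of the user object class.
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$changePwd = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# 1. ACE on the container: Everyone may exercise Change Password, inherited by
#    descendant user objects only (it is not meaningful on the OU itself).
$acl = Get-Acl -Path "AD:\$ou"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $changePwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 2. Verify propagation: report every user under the OU that does NOT carry an
#    Allow ACE for Everyone on the Change Password right. A user whose ACL is
#    protected from inheritance will show up here and needs an explicit ACE.
Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    $userAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $hit = $userAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.ObjectType -eq $changePwd -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $hit) {
        '{0}: no Change Password ACE for Everyone (inheritance blocked: {1})' -f
            $_.SamAccountName, $userAcl.AreAccessRulesProtected
    }
}

# 3. On a domain controller: confirm the effective user-rights policy grants
#    "Access this computer from the network" (SeNetworkLogonRight) to Everyone
#    (S-1-1-0 should appear in the exported line).
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeNetworkLogonRight'

# 4. Name resolution and time, the last two items in the post: the DC's A record
#    must resolve, its address must have a matching PTR, and clocks must agree.
$fwd = Resolve-DnsName -Name $dc -Type A
$fwd | ForEach-Object { Resolve-DnsName -Name $_.IPAddress -Type PTR }
w32tm /monitor /domain:$domain
```

Run steps 1 and 2 from a workstation with RSAT as an account that can write the OU's security descriptor; steps 3 and 4 are meant to be run on (or against) a domain controller. Step 2 prints nothing when every user object already carries the inherited ACE.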
