Re: Restrict Anonymous Key

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/18/04 

Date: Fri, 17 Sep 2004 19:59:28 -0400

"Andy" <aclelland.nospam@rivermarkcu.org> wrote in message
news:197901c49ccf$f08bbeb0$a301280a@phx.gbl...
> Hello group, my question concerns the Restrict Anonymous
> setting in Windows 2000. We have Windows XP and Windows
> 2000 as our desktop OS and Server 2003 installed on some
> application servers and 2000 as the DC. I set the
> Restrict Anonymous registry key on the DC's to a vaule of
> 0 to allow users with Windows XP to change their password
> when it expires. However, the Registry Setting changes to
> a value of 2 overnight. How do you either prevent the
> registry key from changing or allow Windows XP users to
> access the DC when the key is set to a value of 2?
>
> Thanks for your information

Just FYI, RestrictAnonymous = 2 is not a valid value in XP or any OS other
than Windows 2000. That wrong setting alone may or may not cause problems,
but applying Windows 2000 group policy templates to any other OS is bad and
causes problems, because the settings change from OS to OS. Group Policy
templates are written for one OS and should never be applied to another OS.

With XP and 2003, you instead have RestrictAnonymous = 0 or 1 plus the new
RestrictAnonymousSAM = 0 or 1.

I think RestrictAnonymous=0 on domain controllers is not a great idea and
should not be necessary. It should be 1. Unless I'm mistaken, I don't
think you should have problems with XP changing passwords with this setting.
If you do, I think there are other registry values in that same area of
Group Policy that will fix this, such as possibly Everyone includes
Anonymous or adding users and computers to the "Pre-Windows 2000
Compatibility" group [this should not be necessary for XP clients, but may
be necessary for 9x and NT].

Relevant Pages

  • Re: Secondary DNS and PIX
    ... Windows Small Business Server 2008 Unleashed ... >> The path of the client programs folder for the ClientAppsRoot registry key ... >> is not the same as the path of the ClientApps shared folder. ... You should disable TCP Chimney on Windows SBS ...
    (microsoft.public.windows.server.sbs)
  • Re: reg.exe script error
    ... > list of installed Hotfixes, ... > Windows XP Shell/User ... >>>> I get the following message whether or not the registry key is ...
    (microsoft.public.windowsxp.configuration_manage)
  • Re: Really persistent BITS belly up
    ... You are a Windows God! ... Your fix worked. ... uninstall deleted that Registry key. ... > torgeir, Microsoft MVP Scripting, Porsgrunn Norway ...
    (microsoft.public.windowsupdate)
  • Re: DVD drive not reading sometimes after SP3
    ... Boot to Safe Mode and log on as the default "Administrator" account. ... Click the registry key for the user that is currently logged on and ensure that Read and Full Control are both set to Allow. ... There are no issues in device manager, I double checked for windows updates ... and there are none since reloading the computer 2 weeks ago, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: problem opening excel-word-access (office files in general ) double clicking in Windows
    ... I understand that you have disconnect to the network to test the issue. ... under Windows Safe mode, ... Repeat the step 2-4 for the following registry key. ... problem opening excel-word-access (office files in general) ...
    (microsoft.public.office.setup)