Re: GPO - password policy - Urgent
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 2 Feb 2006 13:41:33 -0600
OK that explains a lot. What you can do is to use the mmc snapin for
security templates to examine the securedc.inf template and look under
security options where you will see exactly what security options were
changed and then refer to the KB article to see where incompatibilities
arise. Also you should know that for Windows 2003 you can use secedit to
create a rollback template that you must create before you apply a security
template so that you can apply the rollback template to undo changes so that
you could easily fix your problem. Right now I am looking at the
securedc.inf template and offhand I see your problem as lan manager
authentication level and do not store lan manager hash and maybe one or
more of the anonymous access security settings that are defined. To start
with I would set lan manager authentication level on the domain controller
to be "send lm and ntlm response" since you have W98 computers without the
DS client installed and later you could try setting it to "send ntlmv2
responses only" which should still let the server accept lm authentication.
Also set store lm hash to disabled. I am not sure if that will do it or
if you will also need to tweak anonymous access settings but the KB article
can help with that and the link below to the Windows 2003 Server security
guide [I assume you are using Windows 2003??] should show recommendations
for the security options in question which you would want to use legacy
settings. After changing security settings run gpupdate /force on the
server. You could also view the setup security.inf security template to see
what it shows for security options and for those that were changed by
securedc.inf set it to what it shows for setup security.inf.
--- Steve
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch04.mspx --- Windows 2003 Server Security Guide
"Fernando Mantovani" <femantovani@xxxxxxxxxxxx> wrote in message
news:%23gi1mkCKGHA.3876@xxxxxxxxxxxxxxxxxxxxxxx
Steven, thank you very much for your help. I'm still reading the KB
articles...
Is there a way to TOTALLY RESET the default domain policy and default
controller domain policy? I don't think so, because after we set a value,
if we set the policy to not defined, the first value will still take
effect, correct?
I think I applied a .inf (it was securedc.inf) that didn't let 98 computers
log on to the domain.
Tks again,
Fernando
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:utCQKECKGHA.668@xxxxxxxxxxxxxxxxxxxxxxx
That is curious that you are having a problem with Windows 98 since I
would think Windows 98 would work with any password up to 14 characters
but I don't have a Windows 98 computer handy to try out such. I know that
if you disable storage of LM hashes you can have problems with Windows 98
computers if you also enforced that recently in which is done via a
security option for Windows 2003 domain controllers in either Local
Security Policy [secpol.msc] or Domain Controller Security Policy or a
registry entry for Windows 2000 domain controllers. You may also have
problems if you configure lan manager authentication level security
option to be too secure for domain controllers such as use ntlmv2 only
refuse lm or refuse lm and ntlm when using Windows 98 computers in the
domain. To disable password complexity you set it to disabled in Domain
Security Policy or whatever domain level GPO that is applying password
policy. The link below explains some of the problems you can have with
downlevel clients such as Windows 98 with certain security option
settings. So what I would do is to check lan manager authentication
level for domain controllers and make sure storage of lm hashes is not
disabled to see if that helps or not and check the KB article for other
possible incompatibilities and I really doubt it is related to password
complexity if the minimum password length is 7 characters and the user is
not trying to use a password over 14 characters.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656 --- info on disabling lm hash
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869 --- lan manager authentication level
"Fernando Mantovani" <femantovani@xxxxxxxxxxxx> wrote in message
news:eSWTKaBKGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
I'm really desperate!!!
I have installed a new domain, with XP and 98 workstations. Everything
works fine!
So, I changed the password policy to enable complexity with a minimum of 7
characters. Only after this I saw that 98 can't use password complexity; it
only accepts it with dsclient.exe and a dword in the registry to force NTLMv2
authentication (I tried this too, but with this setting, I can't log on even
with the enterprise admin (that temporarily has a simple password)).
So, my problem is that I changed the default domain policy to disable
password complexity but I can't change to a simple password for any users of
my domain.
Is there a way to reset to "default" the default domain policy and the
default controller domain policy?
Does anyone have any ideas??
Tks!
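
The comparison suggested in the reply at the top of this thread (find which security options securedc.inf changed relative to setup security.inf, then check the ones that break downlevel clients) can be scripted. This is an added example, not part of the original posts: the two template fragments are constructed sample data rather than the contents of the shipped templates, the function names are hypothetical, and the templates are assumed to be already decoded to text.

```python
# Constructed sample fragments in security-template (.inf) format.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
APPLIED_INF = r"""
[Registry Values]
; constructed: hardened values, mixed case on purpose
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
"""
LM_LEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
NO_LM_HASH = r"machine\system\currentcontrolset\control\lsa\nolmhash"

def registry_values(inf_text):
    """Return {lowercased registry path: (type, value)} from [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            reg_type, _, value = data.partition(",")
            values[path.strip().lower()] = (reg_type.strip(), value.strip())
    return values

def changed_settings(baseline, applied):
    """Map each path whose value differs to (baseline value, applied value)."""
    base, new = registry_values(baseline), registry_values(applied)
    return {k: (base.get(k, (None, None))[1], v[1])
            for k, v in new.items() if base.get(k) != v}

def legacy_client_warnings(applied):
    """Flag the two settings the thread ties to Windows 98 logon failures."""
    vals, out = registry_values(applied), []
    lm, nolm = vals.get(LM_LEVEL), vals.get(NO_LM_HASH)
    if lm and lm[1].isdigit() and int(lm[1]) >= 4:   # 4/5 = refuse LM (and NTLM)
        out.append("LmCompatibilityLevel=%s refuses LM responses" % lm[1])
    if nolm and nolm[1] == "1":                      # LM hash storage disabled
        out.append("NoLMHash=1 disables LM hash storage")
    return out
```

Each value in `changed_settings` is a candidate to set back to the baseline figure, which is the manual procedure the reply describes.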