Can't log in NT4 svr after applying Security patch

  • Thread starter: WS

WS

We have an NT server in a Windows 2000 native mode domain.
Since we applied the Windows security update which was released
during the Blaster Worm outbreak, we are having problems
logging on to an NT 4.0 server and a few NT 4 workstations.
We have upgraded those workstations to Windows 2000.
However, we can't move the server due to some legacy apps
installed on it. We are able to log on to the server with
the local admin account, but not with domain accounts. We even tried to
rejoin the server to the domain. Still, we can't log on as
domain admin. Any idea how we can fix it?

Thanks!

WS
 
WS,

The most likely cause for the problem is additional restrictions introduced
by your security patch. Please check these two values in the registry:

1. HKLM\CCS\Control\LSA - restrictanonymous value should be set to 0. If
it is not, please change it here manually.

2. HKLM\CCS\Control\LSA - lmcompatability value should be set to 0. If it
is not, please change it as well.

A reboot is required before these changes take effect.

Normally these values are changed as a result of group policy. If these
values are set via group policy, they will be reenabled every 15 minutes or
so. Before you reboot, please check and see if the following policies have
been enabled. Check the local security policy, default domain policy and
default domain controller policies for the following:

1. Computer configuration - Windows settings - Security settings - local
policies - Security options - "additional restrictions for anonymous
connections". This should be set to not defined or "None. Rely on default
settings".

2. Computer configuration - Windows settings - Security settings - local
policies - Security options - "Lan Manager authentication Level". This
setting should be set to not defined or to "Send LM & NTLM responses".

3. Computer configuration - Windows settings - Security settings - local
policies - Security options - "Digitally sign server communication (always)"
and "Digitally sign client communications (always)" should also be set to not
defined or disabled.


Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
 