LAN Manager authentication level

[Ziek]

if I want to set the authentication level through group policy, would I do
this on the domain controller GPO, or the default domain policy?

Also, I see lots of people editing the account lockout policies on the
default domain policy, but doesn't this really belong on the domain
controllers GPO, since the accounts really reside on the domain controller?

 

[Steven L Umbach]

If you want to apply lan manager authentication level setting to domain
computers then set it at the domain level. If you want to apply it to only
domain controllers then configure it in Domain Controller Security Policy.
If you have no downlevel clients in the domain such as W9X then you should
be able to safely configure send ntlmv2 responses only/refuse lm at the
domain and domain controller level. All account/password policy for domain
users including account lockout must be configured at the domain level.
Domain controllers read account/password policy at the domain level. ---
Steve

 

[lforbes]

if I want to set the authentication level through group policy, would

I do this on the domain controller GPO, or the default domain policy?

Also, I see lots of people editing the account lockout policies on the

default domain policy, but doesn’t this really belong on the
domain
controllers GPO, since the accounts really reside on the domain
controller?

If you are talking about the Password Policy settings when you say
"authentication level" then it must be done at the Default Domain GP
because that is the only place it will work. I never Touch the Domain
Controllers OU ever. I leave it exactly as it is because it contains a
lot of default settings that can cause lots of problems if you mess
with them.

The Accounts reside in the Domain. The Domain Controllers GP is to
control the "Domain Controller Computer" accounts, nothing else.

Cheers,

Lara