Restrict Anonymous

Scott R

Hello,

Recently, as a security measure, we've implemented the registry change that
successfully restricts anonymous.
Running W2K SP4.

ex.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
with a setting of 2.

One of the side effects is that when a user's password expires they receive
a statement that they "do not have permissions to change their password". If
by chance they are prompted that the password will expire in XX days they
are successful in changing their passwords after they log on and are
validated.

I don't want to circumvent the security this feature adds, but I do want to
stop the calls from end-users we are receiving due to their inability to change
their password. I tried letting the Everyone group have the permission on
user objects to change password in a test OU and this still does not work.

Any help or information would be welcome and appreciated. Thanks for reading
the post.

Thanks,

Scott R

Steven L Umbach

As you mentioned, that is one of the documented effects of implementing setting 2. I
am not aware of any workaround, and you will have to make the decision of what is
more important - the "2" setting or users being able to change their passwords before
logging on. If you set it to "1" in the Domain Controller Security Policy, users
should be able to change their passwords before logging on again. If you have a
properly configured firewall, have implemented a complex password policy, and an
account lockout policy with a threshold of no less than ten lockout attempts, that
would not be a high-risk change in my opinion. --- Steve
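The value the two posts are discussing is a single DWORD under the Lsa key. The script below is an added example, not code from either poster: it reads RestrictAnonymous, reports what the current level means using the Windows 2000 documented meanings of 0, 1 and 2, and can lower it to 1 (Steve's suggested compromise) after exporting the key so the change can be reverted. It assumes a host with Windows PowerShell and the registry provider; the function names, the hashtable of meanings and the backup path are my own.

```powershell
# Added example (not from the original thread): audit and, optionally, relax
# the RestrictAnonymous value discussed above. Function names are assumptions.
# Meanings of 0/1/2 follow Microsoft's Windows 2000 documentation for this value.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$RestrictAnonymousMeaning = @{
    0 = 'None. Rely on default permissions (anonymous enumeration allowed).'
    1 = 'Do not allow enumeration of SAM accounts and names (the "1" setting suggested above).'
    2 = 'No access without explicit anonymous permissions (breaks pre-logon password changes).'
}

function Get-RestrictAnonymous {
    # A missing value is treated as 0, which is the OS default.
    $value = (Get-ItemProperty -Path $LsaPath -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $value) { $value = 0 }
    [pscustomobject]@{
        Path    = $LsaPath
        Value   = [int]$value
        Meaning = $RestrictAnonymousMeaning[[int]$value]
    }
}

function Set-RestrictAnonymous {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level,
        # Hypothetical backup location; change to suit your environment.
        [string]$BackupFile = "$env:TEMP\RestrictAnonymous-backup.reg"
    )
    $before = Get-RestrictAnonymous
    # Export the Lsa key first so the change can be undone with: reg.exe import <BackupFile>
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile /y | Out-Null
    if ($PSCmdlet.ShouldProcess("$LsaPath\RestrictAnonymous", "change from $($before.Value) to $Level")) {
        Set-ItemProperty -Path $LsaPath -Name RestrictAnonymous -Value $Level -Type DWord
    }
    Get-RestrictAnonymous
}

# Usage: review the current level, then preview the change with -WhatIf before applying it.
Get-RestrictAnonymous | Format-List
Set-RestrictAnonymous -Level 1 -WhatIf
```

One caveat from Steve's own advice: on a domain controller this value is normally driven by the "Additional restrictions for anonymous connections" security option in the Domain Controller Security Policy, and a direct registry edit will be overwritten at the next policy refresh. Use the script to confirm what a machine is actually running; make the lasting change in the policy, as the reply says.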

Scott R

Steven,

Thank you for taking the time to read my post and also your suggestions.

Scott R