Security options don't appear when editing from DC


Ian Boyd

I'm trying to disable LM Hash storing on my domain controller.

I log onto the domain controller, and go to the entire domain's default
group policy.

Then it's
Computer Configuration
Security Settings
Local Policies
Security Options

but the required option:
Network security: Do not store LAN Manager hash value on next password
change

doesn't appear.


In fact, there are no "Network security: " options. In fact, there are no
category prefixes at all.

But when I use the admin tools pack from an XP machine in the domain, the
option appears fine (although it appears to have no effect, as LM Hashes are
still being generated and stored).


How do I enable all group policy options to appear in the group policy
editor?
 

Matjaz Ladava [MVP]

This option is listed only in the Windows Server 2003 or XP management console,
so you must change it from there. If you want to prevent your DCs from
storing LM hashes, then do this in the Domain Controllers Group Policy. If you
want this setting to work on all your clients for their local SAM database,
then implement this policy on the OU that holds their computer accounts.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
 

Ian Boyd

If you want to prevent your DCs from
storing LM hashes, then do this in the Domain Controllers Group Policy.

Turns out, that's not true.

You can administer the DC from XP or 2003, but all that tool does is create
a NoLMHash=1 value in the registry on the Domain Controller machine.

For Windows 2000 DCs, that registry value has no effect.

So you cannot use the Domain Controllers group policy, or create a NoLMHash=1
registry value.


The secret is to create a registry key called "NoLMHash" in the same place
you would create a "NoLMHash=1" value.


Nice that Microsoft makes it so secret.
 

Jerold Schulman

See tip 4176 in the 'Tips & Tricks' at http://www.jsiinc.com

I'm trying to disable LM Hash storing on my domain controller.

I log onto the domain controller, and go to the entire domain's default
group policy.

Then it's
Computer Configuration
Security Settings
Local Policies
Security Options

but the required option:
Network security: Do not store LAN Manager hash value on next password
change

doesn't appear.


In fact, there are no "Network security: " options. In fact, there are no
category prefixes at all.

But when I use the admin tools pack from an XP machine in the domain, the
option appears fine (although it appears to have no effect, as LM Hashes are
still being generated and stored).


How do I enable all group policy options to appear in the group policy
editor?


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 

Oli Restorick [MVP]

You're correct.

It's so secret that it's in the knowledge-base. What's more astonishing is
that the search tool even found it based on the search term "nolmhash".
It's also documented in the Windows 2000 Security Hardening Guide, among
other places.

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

The reason for using group policy to manage this is to ensure that all
domain controllers are configured identically, which is important for AD to
function well.

Regards

Oli
 

Ian Boyd

It's so secret that it's in the knowledge-base. What's more astonishing is
that the search tool even found it based on the search term "nolmhash".
It's also documented in the Windows 2000 Security Hardening Guide, among
other places.

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

The reason for using group policy to manage this is to ensure that all
domain controllers are configured identically, which is important for AD to
function well.


What makes it a secret, is that using the group policy doesn't work for
Windows 2000 DC.

Additionally, if you do try to use the group policy, it creates a dummy
nolmhash value.

So, when I try to implement the policy, I first try the group policy. And
that fails. So I check for something called nolmhash that step #2 mentions.
Yup, that's there.


The 3 times I read step #2, I thought it said nolmhash with no value; and
that if you have Win2k3 or XP, then instead of blank, make it 1.


But of course, that's wrong.


Is it a RTFM type situation? Yes. But the manual is subtle.
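The two posts above describe the trap in detail: on a Windows 2000 DC the setting is honoured only as a registry subkey named NoLMHash, while Windows Server 2003 and XP expect a DWORD value NoLMHash=1, and the group policy tool silently writes the wrong form for the 2000 case. As an added example that is not part of this thread, the PowerShell function below audits a machine for both forms over the remote registry and reports whether the setting is actually effective for that OS. It assumes the registry location documented in KB 299656 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa), that the Remote Registry service is reachable on the target, and that the caller has administrative rights there; the function name Get-NoLMHashState is my own.

```powershell
# Added example, not from the thread. Audits how NoLMHash is configured on a
# (possibly remote) machine and whether that form is the one its OS honours.
# Assumed location per KB 299656: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
function Get-NoLMHashState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($null -eq $lsa) { throw "Lsa key not found on $ComputerName" }

        # Windows 2000 form: a SUBKEY named NoLMHash (its contents do not matter)
        $subkeyExists = @($lsa.GetSubKeyNames()) -contains 'NoLMHash'
        # Windows Server 2003 / XP form: a DWORD VALUE NoLMHash = 1
        $valueData = $lsa.GetValue('NoLMHash')          # $null when absent

        # Product version of the target, read from the same hive:
        # '5.0' = Windows 2000, '5.1' = XP, '5.2' = Server 2003, higher = later
        $cv = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $version  = [string]$cv.GetValue('CurrentVersion')
        $isWin2000 = ($version -eq '5.0')

        if ($isWin2000) {
            $effective = $subkeyExists
            $note = if (-not $subkeyExists -and $valueData -eq 1) {
                'NoLMHash=1 value is present but ignored on Windows 2000; ' +
                'the NoLMHash subkey is what this OS honours'
            } else { '' }
        } else {
            $effective = ($valueData -eq 1)
            $note = if ($subkeyExists -and $valueData -ne 1) {
                'NoLMHash subkey is present but this OS expects the DWORD value NoLMHash=1'
            } else { '' }
        }

        [pscustomobject]@{
            ComputerName   = $ComputerName
            OSVersion      = $version
            SubkeyExists   = $subkeyExists
            ValueData      = $valueData
            Effective      = $effective   # $true when LM hashes will stop being stored
            Note           = $note
        }
    } finally {
        $hklm.Close()
    }
}

# Usage: audit every DC named on the command line, e.g. from a management workstation.
# Get-NoLMHashState -ComputerName DC01 | Format-List
Get-NoLMHashState | Format-List
```

Two caveats a practitioner will want: the setting only stops new LM hashes from being written, so accounts keep their existing LM hash until the next password change (as the policy's own name says), and PowerShell itself does not run on Windows 2000, which is why the check reads the remote registry from a newer machine rather than running locally on the DC.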
 

Oli Restorick [MVP]

Got you. It is confusing that it's different between releases.

I'm assuming your DCs are Windows 2000, but out of interest, which version
and service pack of Windows are you using to manage group policy?

Cheers

Oli
 

Ian Boyd

Got you. It is confusing that it's different between releases.
I'm assuming your DCs are Windows 2000, but out of interest, which version
and service pack of Windows are you using to manage group policy?

I was using XP SP1 to manage the domain policy, since managing the policy
from the group policy editor on the domain controller itself wouldn't show
the option.

And it was XP SP1 with some version of the Admin Services Tools Pack.
 