I did go to ADUC.  The thing that was concerning me was the command they
said to use was 

  Net localgroup ...

It would appear that this command modifies a local group.  Is the
"Pre-Windows 2000 Compatible Access" found in ADUC a local group?

The web page you directed me to appears to be for W2K.  Is that still
valid for W2k3?

Thanks for your help.

Curt

> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 30, 2008 11:18 AM
> To: NT System Admin Issues
> Subject: RE: Eliminating Anonymous connections to DCs
> 
> Huh?
> 
> Open ADUC. Go to the Builtin container. Look in "Pre-Windows 2000
> Compatible Access".
> 
> What's under the Members tab?
> 
> Otherwise, you need to look at the RestrictAnonymous registry key and
> domain policy.
> 
> http://support.microsoft.com/kb/246261/ for the registry key. Click
> around in "Default Domain Policy" for the policy.
> 
> Regards,
> 
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
> 
> 
> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 30, 2008 1:49 PM
> To: NT System Admin Issues
> Subject: Eliminating Anonymous connections to DCs
> 
> Sorry for the long post.  I'd appreciate it if you could hang in there
> and read through this.  My question is, are anonymous connections
> eliminated?
> 
> A document I have says "After you upgrade all the servers in the domain
> hosting services that run as Local System and use Anonymous or null
> credentials when accessing a domain controller. Such as Windows NT 4.0
> RAS servers, remove the Everyone and Anonymous Logon groups from the
> Pre-Windows 2000 Compatible Access built-in group.  This task increases
> the security of your domain by preventing anonymous connections to the
> domain controllers."
> 
> The document then suggests to do so with the command
> 
>   Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete
> 
> I can't remember if I did this back when I upgraded from NT to Server
> 2003.  I'm now running both the forest and domain in Server 2003 mode
> with all DCs running Server 2003.
> 
> I logged onto my DC and executed the above command with Everyone
> substituted in for groupname.  I got error
> 
>   System error 2 has occurred
>   The system file cannot find the file specified
> 
> Doing the same substituting in anonymous for groupname I got error
>   There is no such global user or group: Anonymous
> 
> I read you can test to see if anonymous access is disabled with the
> command
>   Net user \\servername\ipc$ /u:"" ""
> I executed this command from another computer on the network and got
> "Logon failure: unknown user name or bad password."
> 
> I also read you can test anonymous access with the command
>   Net user \\ipc$ /u:"" ""
> I executed this command while logged on to the DC and got "System error
> 67 has occurred."  I wasn't sure if this command was actually valid so I
> retried with a slight modification
>     Net user \\localhost\ipc$ /u:"" ""
> This time I got "The command completed successfully."
> 
> So the question is, is anonymous access still enabled or do I need to do
> something further to disable it?  Thanks for your help.
> 
> Curt

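The two checks discussed in the thread (membership of "Pre-Windows 2000 Compatible Access" and the RestrictAnonymous registry value), as an added read-only example that is not part of the original messages. It assumes PowerShell is installed on the domain controller and that the current account can bind to LDAP; the `RestrictAnonymousSAM` and `EveryoneIncludesAnonymous` values are related settings not named in the thread.

```powershell
# Added example (not from the thread): read-only audit, run on a domain controller.
# Nothing here changes group membership or registry values.

# Well-known SIDs for the two groups the quoted document says to remove.
$risky = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }

# Locate the built-in group in the domain's Builtin container.
$root  = [ADSI]'LDAP://RootDSE'
$dn    = "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$($root.defaultNamingContext)"
$group = [ADSI]"LDAP://$dn"

# Well-known principals are stored as foreign security principals named by
# their SID, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=...
$found = @()
foreach ($member in $group.member) {
    Write-Output "member: $member"
    if ($member -match '^CN=(S-1-[0-9-]+),') {
        $sid = $Matches[1]
        if ($risky.ContainsKey($sid)) { $found += $risky[$sid] }
    }
}

if ($found.Count -gt 0) {
    Write-Output ('Still present in the group: ' + ($found -join ', '))
} else {
    Write-Output 'Neither Everyone nor Anonymous Logon is a member.'
}

# Anonymous-access settings under the LSA key on this machine.
# RestrictAnonymous is the value the thread points to (KB 246261);
# the other two are assumptions added for context.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    $value = $lsa.$name
    if ($null -eq $value) { $value = '(not set)' }
    Write-Output ('{0} = {1}' -f $name, $value)
}
```

The registry values read here are the local machine's effective settings; a value delivered by domain policy shows up in the same place once the policy has applied.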