It looks like an excerpt is available on the web

http://www.microsoft.com/mspress/books/sampchap/5567b.aspx

Thanks for looking at this for me.

Curt

> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 30, 2008 11:40 AM
> To: NT System Admin Issues
> Subject: RE: Eliminating Anonymous connections to DCs
> 
> The registry key is still valid. However, the preferred mechanism for 2003
> and above is to use the Domain Policy.
> 
> I don't think the document you are referring to is valid. There are no local
> groups on domain controllers. By definition.
> 
> If it's available on the web, give me a link and I'll take a look.
> 
> Regards,
> 
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
> 
> 
> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 30, 2008 2:31 PM
> To: NT System Admin Issues
> Subject: RE: Eliminating Anonymous connections to DCs
> 
> I did go to ADUC.  The thing that was concerning me was the command they
> said to use was
> 
>   Net localgroup ...
> 
> It would appear that this command modifies a local group.  Is the
> "Pre-Windows 2000 Compatible Access" found in ADUC a local group?
> 
> The web page you directed me to appears to be for W2K.  Is that still
> valid for W2k3?
> 
> Thanks for your help.
> 
> Curt
> 
> > -----Original Message-----
> > From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 30, 2008 11:18 AM
> > To: NT System Admin Issues
> > Subject: RE: Eliminating Anonymous connections to DCs
> >
> > Huh?
> >
> > Open ADUC. Go to the Builtin container. Look in "Pre-Windows 2000 Compatible
> > Access".
> >
> > What's under the Members tab?
> >
> > Otherwise, you need to look at the RestrictAnonymous registry key and domain
> > policy.
> >
> > http://support.microsoft.com/kb/246261/ for the registry key. Click around
> > in "Default Domain Policy" for the policy.
> >
> > Regards,
> >
> > Michael B. Smith
> > MCSE/Exchange MVP
> > http://TheEssentialExchange.com
> >
> >
> > -----Original Message-----
> > From: Jim Dandy [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 30, 2008 1:49 PM
> > To: NT System Admin Issues
> > Subject: Eliminating Anonymous connections to DCs
> >
> > Sorry for the long post.  I'd appreciate it if you could hang in there
> > and read through this.  My question is, are anonymous connections
> > eliminated?
> >
> > A document I have says "After you upgrade all the servers in the domain
> > hosting services that run as Local System and use Anonymous or null
> > credentials when accessing a domain controller. Such as Windows NT 4.0
> > RAS servers, remove the Everyone and Anonymous Logon groups from the
> > Pre-Windows 2000 Compatible Access built-in group.  This task increases
> > the security of your domain by preventing anonymous connections to the
> > domain controllers."
> >
> > The document then suggests to do so with the command
> >
> >   Net localgroup "Pre-Windows 2000 Compatible Access" groupname /delete
> >
> > I can't remember if I did this back when I upgraded from NT to Server
> > 2003.  I'm now running both the forest and domain in Server 2003 mode
> > with all DCs running Server 2003.
> >
> > I logged onto my DC and executed the above command with Everyone
> > substituted in for groupname.  I got error
> >
> >   System error 2 has occurred
> >   The system file cannot find the file specified
> >
> > Doing the same substituting in anonymous for groupname I got error
> >   There is no such global user or group: Anonymous
> >
> > I read you can test to see if anonymous access is disabled with the
> > command
> >   Net user \\servername\ipc$ /u:"" ""
> > I executed this command from another computer on the network and got
> > "Logon failure: unknown user name or bad password."
> >
> > I also read you can test anonymous access with the command
> >   Net user \\ipc$ /u:"" ""
> > I executed this command while logged on to the DC and got "System error
> > 67 has occurred."  I wasn't sure if this command was actually valid so I
> > retried with a slight modification
> >     Net user \\localhost\ipc$ /u:"" ""
> > This time I got "The command completed successfully."
> >
> > So the question is, is anonymous access still enabled or do I need to do
> > something further to disable it?  Thanks for your help.
> >
> > Curt
> >

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
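
An added example, not part of the original thread or any poster's code: a PowerShell audit of the two things discussed above, the membership of "Pre-Windows 2000 Compatible Access" and the RestrictAnonymous registry value. It assumes a domain controller with the ActiveDirectory module installed; the RestrictAnonymousSAM and EveryoneIncludesAnonymous values it also reads are related LSA settings the thread does not mention, and matching members by well-known SID instead of by name is a choice made for this example.

```powershell
# Added example (not from the thread). Assumes it runs on a domain controller
# with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Well-known SIDs. Matching on SID avoids depending on the exact account name.
$wellKnown = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'NT AUTHORITY\ANONYMOUS LOGON'
}

# Builtin\Pre-Windows 2000 Compatible Access has the fixed SID S-1-5-32-554.
$group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

# Well-known principals are stored as foreignSecurityPrincipal objects whose
# CN is the SID itself, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=...
$findings = @(foreach ($dn in $group.member) {
    if ($dn -match '^CN=(S-1-[0-9-]+),') {
        $sid = $Matches[1]
        if ($wellKnown.ContainsKey($sid)) {
            [pscustomobject]@{
                Check = 'Pre-Windows 2000 Compatible Access member'
                Item  = $wellKnown[$sid]
                Value = $sid
            }
        }
    }
})

# LSA settings that control anonymous (null session) access on this machine.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath
$findings += @(foreach ($name in 'RestrictAnonymous',
                                 'RestrictAnonymousSAM',
                                 'EveryoneIncludesAnonymous') {
    $value = $lsa.$name
    [pscustomobject]@{
        Check = 'LSA registry value'
        Item  = $name
        Value = if ($null -eq $value) { '(not set)' } else { $value }
    }
})

# No 'member' rows means neither Everyone nor Anonymous Logon is in the group.
$findings | Format-Table -AutoSize
```

Because a domain policy can overwrite these registry values at the next refresh, compare what the script reports with the effective policy before changing anything by hand.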
