Re: Access denied when deleting print jobs - fixed on Win2003 - how on 2000?




several KBs at microsoft.com, looks like regkey settings for win2k

Using the RestrictAnonymous registry value to control null sessions
Warning: Serious problems might occur if you modify the registry incorrectly
by using Registry Editor or by using another method. These problems might
require that you reinstall your operating system. Microsoft cannot guarantee
that these problems can be solved. Modify the registry at your own risk.

The most common way to control null sessions in Windows 2000 and Windows NT
environments is to use the RestrictAnonymous registry value. The
RestrictAnonymous registry value lets you prevent enumeration of sensitive
information over null sessions. The RestrictAnonymous registry value was
introduced in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and is now
included with Windows 2000. The RestrictAnonymous registry value is added to
the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The RestrictAnonymous registry value lets you configure local computer
policy to determine whether authentication is required to perform common
enumeration functions. There are different RestrictAnonymous registry values
for Windows NT 4.0 and Windows 2000.

In a Windows 2000 environment, you can set the RestrictAnonymous registry
value to 0, 1, or 2. When you set this registry value to 0, anonymous
connections can list account names and enumerate share names. When you set
this registry value to 1, anonymous enumeration of SAM accounts and share
names is not permitted.

Note: Even with the RestrictAnonymous registry value set to 1, there are
Win32 programming interfaces that do not restrict anonymous connections.
Therefore, tools that use these interfaces can still enumerate information
over a null session even when the RestrictAnonymous registry value is set to
1.

Finally, when this registry value is set to 2, no access is granted without
explicit anonymous permissions. Therefore, no null sessions are possible,
not even through Win32 programming interfaces. Generally, we do not
recommend that you set the RestrictAnonymous registry value to 2 in
mixed-mode environments that include down-level client computers such as
Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98.

In a Windows NT 4.0 environment, you can set the RestrictAnonymous registry
value to 0, 1, or not defined. When you set this value to 0, or when this
value is not defined, anonymous connections can list account names and
enumerate share names. When you set this value to 1, anonymous connections
from the graphical user interface (GUI) tools for security management
receive an "access denied" error message when they try to obtain the list of
account names.

Note: Even when the RestrictAnonymous registry value is set to 1, there are
Win32 programming interfaces that do not restrict anonymous connections.
Therefore, tools that use these interfaces can still enumerate information
over a null session even when this registry value is set to 1.

The following features were introduced together with the RestrictAnonymous
registry value:
  • Authenticated Users group
  • Restricting anonymous list of share names
  • Restricting anonymous remote registry access


--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

<dbouton@xxxxxxxx> wrote in message
news:1147879886.289210.260960@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I had a problem with users getting Access Denied when trying to delete
print jobs when they are set up to manage documents. I found the
problem on my 2003 servers. The Network Access: Restrict anonymous
access to Named Pipes and Shares was Enabled. As soon as I disabled
this all worked fine. However I cannot find this local policy in 2000
server. I'm guessing this is the same problem but any ideas where this
policy may be on 2000 server?

Thanks
Dawn
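
An added example, not part of the original posts: a small audit helper that reads the RestrictAnonymous value out of saved `reg query` output and maps it to the behaviour the quoted article describes for Windows NT 4.0 and Windows 2000. The sample output is constructed, and the function names, the "nt4"/"win2000" labels and the status words are assumptions made for this example.

```python
import re

# Constructed sample of saved `reg query` output for the Lsa key named above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli
    RestrictAnonymous    REG_DWORD    0x1
"""

# Match the exact value name only (a longer name such as RestrictAnonymousSAM
# must not be mistaken for it).
VALUE_RE = re.compile(
    r"^[ \t]*RestrictAnonymous[ \t]+REG_DWORD[ \t]+(\S+)[ \t]*$", re.I | re.M)


def parse_restrict_anonymous(reg_output):
    """Return the RestrictAnonymous DWORD as an int, or None if not defined."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def assess(os_family, value, down_level_clients=False):
    """Map a value to (status, meaning) using the semantics quoted in the post.

    os_family is "nt4" or "win2000" (labels chosen for this example).
    """
    if os_family == "nt4" and value is None:
        value = 0  # on NT 4.0 an undefined value behaves like 0
    if value == 0:
        return ("open", "anonymous connections can list account and share names")
    if value == 1:
        return ("partial", "enumeration restricted, but some Win32 interfaces "
                           "still answer null sessions")
    if value == 2 and os_family == "win2000":
        if down_level_clients:
            return ("risky", "no null sessions; not recommended with "
                             "down-level clients in the environment")
        return ("closed", "no access without explicit anonymous permissions")
    # Anything else (2 on NT 4.0, undefined on Windows 2000, other numbers)
    # is not described by the quoted article.
    return ("unknown", "value not covered by the quoted article for this OS")


if __name__ == "__main__":
    print(assess("win2000", parse_restrict_anonymous(SAMPLE)))
```

A result of "partial" is the case the article's note warns about: the value is set, yet null-session enumeration through some interfaces remains possible.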


