Re: Where to Enable the Restricting NULL policies Settings



Charles,

Charles wrote:
Question about where to set the two network access policies called:
“Do not allow anonymous enumeration of SAM accounts and shares” and “Do not allow anonymous enumeration of SAM”. If I want to prevent users from having access to only 5 servers in the domain would I just enable these settings on those 5 servers only? Initially I thought that this needed to be set on the domain controllers only which would prevent this type of NULL access for all servers in the domain since the accounts live on the DCs. But now I’m thinking it only needs to be set on the servers that require this restriction. Is this correct?

Have you read the Explain texts of the policies? Just asking - people sometimes get confused by those two policies and their use. Assuming you know what these two policies are about, I suggest you enable these settings on the five servers only. The best way to accomplish this is to create a new OU and move the five servers in there. Then apply a Group Policy to it and enable the settings.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Mailing list (German): http://frickelsoft.net/cms/index.php?page=mailingliste
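
Once the Group Policy has applied to the OU, the effective values can be checked on each server. The following is an added example, not part of the original post: it reads the two registry values behind these security options (`RestrictAnonymousSAM` and `RestrictAnonymous` under the `Lsa` key) and reports any server where they are not set to 1. The server names are placeholders, and PowerShell remoting is assumed to be enabled on the targets.

```powershell
# Added example: verify that both anonymous-enumeration policies are in
# effect on the member servers targeted by the GPO.
# Server names are placeholders (assumption); replace with the five servers.
$servers = 'SERVER01', 'SERVER02', 'SERVER03', 'SERVER04', 'SERVER05'

# Registry values behind the two "Network access" security options.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = [ordered]@{
    RestrictAnonymousSAM = 1   # Do not allow anonymous enumeration of SAM accounts
    RestrictAnonymous    = 1   # ... of SAM accounts and shares
}

$results = foreach ($server in $servers) {
    try {
        # Read the Lsa key remotely; requires PowerShell remoting on the target.
        $lsa = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path $using:lsaKey
        }
        foreach ($name in $expected.Keys) {
            $actual = $lsa.$name
            [pscustomobject]@{
                Server    = $server
                Setting   = $name
                Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
                Compliant = ($actual -eq $expected[$name])
            }
        }
    }
    catch {
        # Unreachable host or remoting disabled: report it instead of skipping.
        [pscustomobject]@{
            Server    = $server
            Setting   = '(unreachable)'
            Actual    = $_.Exception.Message
            Compliant = $false
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any server is missing a setting or was unreachable.
if ($results.Compliant -contains $false) { exit 1 }
```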