Re: Where to Enable the Restricting NULL policies Settings



Charles,

Charles wrote:
Question about where to set the two network access policies called:
“Do not allow anonymous enumeration of SAM accounts and shares” and “Do not allow anonymous enumeration of SAM”. If I want to prevent users from having access to only 5 servers in the domain would I just enable these settings on those 5 servers only? Initially I thought that this needed to be set on the domain controllers only which would prevent this type of NULL access for all servers in the domain since the accounts live on the DCs. But now I’m thinking it only needs to be set on the servers that require this restriction. Is this correct?

have you read the Explain texts of the policies? Just asking - people sometimes get confused by those two policies and their use. Assuming you know what these two policies are about, I suggest you enable these settings on the five servers only. The best way to accomplish this is to create a new OU and move the five servers in there. Then apply a Group Policy to it and enable the settings.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
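
One way to confirm that the Group Policy described in the reply above has taken effect on the five servers (an added example, not part of the original post): the two policies are stored as the `RestrictAnonymousSAM` and `RestrictAnonymous` values under the Lsa registry key, so the check reads those values remotely. The server names are hypothetical placeholders, and the script assumes PowerShell remoting is enabled and that Group Policy has already refreshed on the targets.

```powershell
# Hypothetical names: replace with the five servers moved into the new OU.
$servers = 'SRV01', 'SRV02', 'SRV03', 'SRV04', 'SRV05'

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry values behind the two policies and the data expected once they are enabled.
$expected = [ordered]@{
    RestrictAnonymousSAM = 1   # "Do not allow anonymous enumeration of SAM accounts"
    RestrictAnonymous    = 1   # "Do not allow anonymous enumeration of SAM accounts and shares"
}

# Read both values on every server; servers that cannot be reached produce no output.
$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    param($key, $names)
    $props = Get-ItemProperty -Path $key
    foreach ($name in $names) {
        [pscustomobject]@{
            Value = $name
            Data  = $props.$name   # $null when the value has never been set
        }
    }
} -ArgumentList $lsaKey, @($expected.Keys)

# One row per server and value, flagged against the expected data.
$results |
    Select-Object @{ n = 'Server'; e = { $_.PSComputerName } },
                  Value,
                  Data,
                  @{ n = 'Compliant'; e = { $_.Data -eq $expected[$_.Value] } } |
    Sort-Object Server, Value |
    Format-Table -AutoSize

# Servers that returned nothing need a manual check (offline, remoting blocked, wrong name).
$answered = @($results | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique)
$servers | Where-Object { $_ -notin $answered } | ForEach-Object {
    Write-Warning "No result from $_"
}
```

Running the same check against a server outside the new OU shows whether the setting is scoped to the five servers only.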