Increase in LAN Manager Authentication Level (to 5) reverts to default (to 3) on Domain Controllers

azfatboy

OK, so I have a few servers (my domain controllers and a few others, all running 2012 R2) on which I need to increase security and require a LANMAN Auth level of 5 (Send NTLMv2 response only. Refuse LM & NTLM). It appears that the default setting on all these servers is level 3 (Send NTLMv2 response only).

If I try to set the level with a GPO, it applies okay (GPRESULT confirms a setting of 5), but when I check the machine with SECPOL, it is only set to 3!!! (and now it's grayed out, of course). This happened on every machine! So I removed the setting from the GPO.

With the GPO out of the way, I made the change locally (using SECPOL) on my non-DCs, and it seems to be sticking. I guess I should be happy because...

But on my DCs, if I change that setting locally, either in SECPOL or straight in the registry, it sticks for about 5 minutes, and then changes back to 3!

Why isn't a GPO working to set the level higher than 3 on *any* server, and why won't the DCs take even a local change???
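As an added example (not part of the original post or any vendor documentation), the PowerShell below reads the value the machine is actually enforcing, compares it with what the local security database reports, and then polls the registry for a while so that a reversion like the one described above is timestamped rather than noticed by accident. The registry value `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel` is the real setting behind the "LAN Manager authentication level" policy; the export path under `$env:TEMP`, the polling interval and the function names are the example's own choices.

```powershell
# Added example: observe the effective LAN Manager authentication level on a
# 2012 R2 box and log any change to it over a short window. Run elevated.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Mapping used by the "LAN Manager authentication level" policy.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns $null when the value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Get-LocalPolicyLmLevel {
    # Ask the local security database (what SECPOL shows) via secedit and
    # parse the LmCompatibilityLevel line out of the exported template.
    $cfg = Join-Path $env:TEMP 'lsa-audit.inf'   # example path, not from the post
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern 'LmCompatibilityLevel=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $null }
    # Format is "MACHINE\...\LmCompatibilityLevel=4,5" (REG_DWORD type, value).
    return [int]($line.Line -split '=' | Select-Object -Last 1).Split(',')[-1]
}

function Show-LmLevel {
    $reg = Get-LmCompatibilityLevel
    $pol = Get-LocalPolicyLmLevel
    $regName = if ($null -eq $reg) { 'not set (OS default)' } else { $LevelNames[$reg] }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RegistryLevel   = $reg
        RegistryMeaning = $regName
        LocalPolicyLevel = $pol
        Consistent      = ($reg -eq $pol)
    }
}

function Watch-LmLevel {
    # Poll the registry and print a timestamped line whenever the level changes.
    # A reversion that lands on a regular cadence points at a policy refresh
    # rather than a manual edit; check the Group Policy operational log around
    # that time.
    param([int]$Minutes = 15, [int]$IntervalSeconds = 30)
    $last = Get-LmCompatibilityLevel
    '{0:u}  start: LmCompatibilityLevel = {1}' -f (Get-Date), $last
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-LmCompatibilityLevel
        if ($now -ne $last) {
            '{0:u}  changed: {1} -> {2}' -f (Get-Date), $last, $now
            # Pull the most recent Group Policy engine events for correlation.
            Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 10 |
                Select-Object TimeCreated, Id, Message | Format-Table -Wrap
            $last = $now
        }
    }
}

Show-LmLevel | Format-List
Watch-LmLevel -Minutes 15 -IntervalSeconds 30
```

Run it on one of the affected DCs right after making the local change: the first line records the value you set, and the `changed:` line, if it appears, gives the exact time of the reversion together with the Group Policy events that fired around it. A `Consistent = False` result from `Show-LmLevel` means the registry and the local security database disagree, which is the same discrepancy GPRESULT versus SECPOL showed in the post.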
