JSI Tip 2625. New Windows 2000 RestrictAnonymous registry value.

Jerold Schulman

July 20, 2000


We first introduced RestrictAnonymous in tip 0455.

With Windows 2000, RestrictAnonymous can have the following data values at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA:

0 - None. Rely on default permissions.

1 - Do not allow enumeration of SAM accounts and names.

2 - No access without explicit anonymous permissions.

When set to 2, the access token for non-authenticated users does not include the Everyone group. Thus resources that grant permissions to the Everyone group can no longer be accessed with an anonymous logon. Many Windows 2000 services and third-party programs rely on anonymous access to perform legitimate tasks.

The following are restricted when RestrictAnonymous is set to a 2:

1. An administrator in a trusting domain can not grant local access to a user in a trusted domain.

2. Down-level members can't set up a netlogon secure channel.

3. Down-level domain controllers in a trusting domain can't set up a netlogon secure channel.

4. Windows NT clients can't change their password after it expires.

5. Macintosh users can't change their password.

6. The Browser service can't retrieve domain or server lists from backup / Master / Domain Master browsers that have RestrictAnonymous set to a 2.

Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients.

In a pure Windows 2000 environment, make sure you thoroughly test before using this setting.
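The following PowerShell script is an added example for auditing and, where appropriate, changing this value; it is not part of the original tip. It assumes PowerShell 5.1 or later on the machine being checked and uses the registry path the tip gives (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa). The function names and the -NoDownLevelClients switch are this example's own; the switch exists only to force the caller to confirm the tip's precondition (no down-level clients, thorough testing) before 2 is written.

```powershell
# Added example, not from the original tip.
# Reads RestrictAnonymous from the LSA key and reports it using the meanings
# the tip lists; an optional setter refuses value 2 unless the caller confirms
# that no down-level clients are present (the tip's precondition).

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymousSetting {
    [CmdletBinding()]
    param()

    # Meanings as listed in the tip.
    $meanings = @{
        0 = 'None. Rely on default permissions.'
        1 = 'Do not allow enumeration of SAM accounts and names.'
        2 = 'No access without explicit anonymous permissions (Everyone removed from the anonymous token).'
    }

    $item = Get-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows behaves as if it were 0.
        $present = $false
        $value   = 0
    } else {
        $present = $true
        $value   = [int]$item.RestrictAnonymous
    }

    if ($meanings.ContainsKey($value)) { $meaning = $meanings[$value] }
    else                               { $meaning = 'Unrecognised value' }

    [pscustomobject]@{
        Path    = $lsaPath
        Present = $present
        Value   = $value
        Meaning = $meaning
    }
}

function Set-RestrictAnonymousSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Value,

        # Hypothetical switch for this example: the tip says never use 2 in a
        # mixed-mode environment with down-level clients, so the caller must
        # state explicitly that none exist.
        [switch]$NoDownLevelClients
    )

    if ($Value -eq 2 -and -not $NoDownLevelClients) {
        throw 'RestrictAnonymous=2 breaks down-level clients, NT password changes and trust secure channels; pass -NoDownLevelClients only after testing in a pure Windows 2000 environment.'
    }

    # -WhatIf is honoured through ShouldProcess, so the change can be previewed.
    if ($PSCmdlet.ShouldProcess("$lsaPath\RestrictAnonymous", "Set to $Value")) {
        Set-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -Value $Value -Type DWord
    }
}

# Report the current setting.
Get-RestrictAnonymousSetting
```

Run the script as an administrator to see the current value and its meaning; `Set-RestrictAnonymousSetting -Value 1` tightens SAM enumeration without the side effects of 2, and `Set-RestrictAnonymousSetting -Value 2 -NoDownLevelClients -WhatIf` previews the stricter change without writing it. Reading a missing value as 0 matches how Windows treats the absent entry.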
