JSI Tip 2625. New Windows 2000 RestrictAnonymous registry value.

We first introduced RestrictAnonymous in tip 0455.

With Windows 2000, RestrictAnonymous can have the following data values at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLSA:

0 - None. Rely on default permissions.

1 - Do not allow enumeration of SAM accounts and names.

2 - No access without explicit anonymous permissions.

When set to a 2 the access token for non-authenticated users does not include the Everyone group. Thus resources that grant permissions to the Everyone group can no longer be accessed with an anonymous log on. Many Windows 2000 services and 3rd party programs rely on anonymous access to perform legitimate tasks.

The following are restricted when RestrictAnonymous is set to a 2:

1. An administrator is a trusting domain can not grant local access to a user in a trusted domain.

2. Down-level members can't set up a netlogon secure channel.

3. Down-level domain controllers in a trusting domain can't set up a netlogon secure channel.

4. Windows NT clients can't change their password after it expires.

5. Macintosh users can't change their password.

6. The Browser service can't retrieve domain or server lists from backup / Master / Domain Master browsers that have RestrictAnonymous set to a 2.

Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients.

In a pure Windows 2000 environment, make sure you thoroughly test before using this setting.