How do I fix broken trust relationships in my mixed domain after I implement the RestrictAnonymous registry setting?
September 17, 2001
A. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous registry subkey can have a value of 0, 1, or 2. The value 0 means rely on default permissions; the value 1 means don't allow enumeration of SAM accounts and names; the value 2 means no access without explicit anonymous permissions. You can use a value of 0 or 1 on any domain controller (DC), but you should use a value of 2 only on Windows 2000 machines.
If you work in a mixed networking environment with Win2K and Windows NT 4.0 DCs, don't set the RestrictAnonymous subkey to a value of 2 on any participating DC, because doing so will break two-way trust relationships that involve NT 4.0 DCs. To correct this problem, set the subkey to a value of 0 or 1.
1. Start regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
3. Double-click RestrictAnonymous.
4. Set the value to 0 or 1, and click OK.
5. Close the registry editor.
6. Break and re-establish all trust relationships.
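The following PowerShell script is an added example, not part of the original article: it audits the RestrictAnonymous value on a set of DCs, flags any DC still set to 2, and can lower that value to 1 so NT 4.0 trusts in a mixed domain keep working. It assumes PowerShell remoting is enabled on each DC; the DC names are constructed sample values.

```powershell
# Added example (not from the original article): audit RestrictAnonymous on each DC
# and, when -Remediate is given, change a value of 2 to 1 as the article recommends.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # constructed sample names
    [switch]$Remediate                                  # lower 2 -> 1 when present
)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'rely on default permissions'
    1 = 'no enumeration of SAM accounts and names'
    2 = 'no access without explicit anonymous permissions (breaks NT 4.0 trusts)'
}

$results = Invoke-Command -ComputerName $DomainControllers `
    -ArgumentList $lsaPath, $Remediate.IsPresent -ScriptBlock {
    param($path, $fix)
    # A missing value behaves like 0 (default permissions).
    $current = (Get-ItemProperty -Path $path -Name RestrictAnonymous `
        -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $current) { $current = 0 }
    $new = $current
    if ($fix -and $current -eq 2) {
        # Value 1 still blocks SAM enumeration but does not break the trusts.
        Set-ItemProperty -Path $path -Name RestrictAnonymous -Value 1 -Type DWord
        $new = 1
    }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Before = $current; After = $new }
}

foreach ($r in $results) {
    $flag = if ($r.Before -eq 2) { 'WARNING' } else { 'OK' }
    '{0,-10} {1,-8} RestrictAnonymous={2} ({3}) -> now {4}' -f `
        $r.DC, $flag, $r.Before, $meaning[[int]$r.Before], $r.After
}
```

The script only changes the registry value; the trusts that were already broken still have to be removed and re-created by hand, as in step 6.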