Making some changes in domain controller security policy

Posted on 2006-06-07
Last Modified: 2010-04-18

I want to change a policy in the domain controller security policy. I want to disable "Microsoft network server: digitally sign communications (always)." What can be affected by this change?
In detail, I need to do the following:
Your server is also a Domain Controller. In which case you need to open the DC's Security Policy (Administrative Tools > Domain Controller Security Policy). Navigate to Local Policies > Security Options, and disable "Microsoft network server: Digitally sign communications (always)" & "Microsoft network server: Digitally sign communications (if client agrees)". Reboot your server, and you should be good to go.

The reason I am doing this is because I am not able to access shared folders in my Mac client that is on a Windows Server 2003 domain. If there is any other method, or if there is any issue in changing the above settings, please let me know.



Question by: KidsTrainingTeam
    LVL 23

    Expert Comment

    Check out this very informative article about that setting and others:

    And for Mac clients to reach a 2003 file server, I highly recommend ADmitMac

    LVL 23

    Accepted Solution

    BTW from that kb article:

    The following clients are incompatible with the Microsoft network server: Digitally sign communications (always) setting:
    • Apple Computer, Inc., Mac OS X clients
    • Microsoft MS-DOS network clients (for example, Microsoft LAN Manager)
    • Microsoft Windows for Workgroups clients
    • Microsoft Windows 95 clients without the DS Client installed
    • Microsoft Windows NT 4.0-based computers without SP3 or later installed
    • Novell Netware 6 CIFS clients
    • SAMBA SMB clients that lack support for SMB signing

    So yes, you are right on track if you want to go that route.
    LVL 21

    Expert Comment

    I'm with TheCleaner, you should look into ADmitMac.

    You can make that same change in the LOCAL Security Policy on your File Share Server (start, run, secpol.msc). This way it will only get changed for that server instead of every server in the domain.

    FYI - I have those settings disabled on a W2k3 and W2k3-R2 file share server in my Domain and I have not noticed any adverse effects.  I had to disable it because I was using a DNS alias to access my file share server.
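
Added example, not part of the thread: a Python check that reads a `secedit /export /cfg` dump (assumed already decoded to text) and reports the state of the two "Microsoft network server" signing settings discussed above, so the change can be confirmed on the one file server it was meant for and audited on the others. The function names and the sample exports are constructed for illustration.

```python
# Added example: audit SMB server signing in `secedit /export /cfg <file>` output.
PREFIX = r"machine\system\currentcontrolset\services\lanmanserver\parameters" + "\\"
POLICIES = {
    "requiresecuritysignature": "Digitally sign communications (always)",
    "enablesecuritysignature": "Digitally sign communications (if client agrees)",
}

def registry_values(inf_text):
    """Return {lowercased registry path: value} from the [Registry Values] section."""
    values, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            _reg_type, _, value = data.partition(",")  # "4,1" means REG_DWORD 1
            values[path.strip().lower()] = value.strip()
    return values

def smb_server_signing(inf_text):
    """Map each policy name to 'enabled', 'disabled' or 'not defined'."""
    values = registry_values(inf_text)
    report = {}
    for name, label in POLICIES.items():
        value = values.get(PREFIX + name)
        report[label] = "not defined" if value is None else (
            "enabled" if value == "1" else "disabled")
    return report

def posture(inf_text):
    """Summarise as 'required', 'if client agrees', 'unsigned' or 'unknown'."""
    always, if_agrees = smb_server_signing(inf_text).values()
    if always == "enabled":
        return "required"
    if "not defined" in (always, if_agrees):
        return "unknown"  # the export does not carry the setting
    return "if client agrees" if if_agrees == "enabled" else "unsigned"

# Constructed sample exports: both settings on, then both off as in the thread.
BEFORE = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""
AFTER = BEFORE.replace("Signature=4,1", "Signature=4,0")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", posture(text), smb_server_signing(text))
```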
