Mac Connected to Windows Domain

Hello All,

First a thanks to all the great solutions I have found on this site. Such a time saver.

Connecting two Macs to a Windows Server 2003 domain. I follow the instructions below and the Macs are able to connect to the shared folder.

Open up regedit (Start > Run > "regedit" {return}), and navigate to HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ LanManServer \ Parameter \ RequireSecuritySignature, and set its value to "0".


This works but it will not stay working. Every time I remote into the server the value is set back to '1'. Any idea how to make the '0' value stay '0'?

Thanks
talcottnetworks Asked:

Toni Uranjek (Consultant/Trainer) Commented:
Hi!

This setting is configured by group policy. Use "gpresult /v" on the file server to determine which policy applies to your computer and then change the setting.

More information on SMB signing:

"Overview of Server Message Block signing"
http://support.microsoft.com/kb/887429

HTH

Toni
0
talcottnetworks (Author) Commented:
Toni,

Thanks for the quick reply.

I am not too familiar with this command. Is there a way I can change this setting manually in Group Policy and it will stick?

Thanks.
0
Toni Uranjek (Consultant/Trainer) Commented:
Yes, but first you have to find out which policy object is applied. Use "gpresult /v > gpo.log", upload gpo.log here and I will give you detailed instructions.

Right now I believe that your registry change is being overwritten by policy setting.
0

talcottnetworks (Author) Commented:
If you could give me detailed instructions in regards to this I would appreciate it. I know it's annoying, I am just not familiar with the process.
0
Toni Uranjek (Consultant/Trainer) Commented:
Go to the file server, Start, Run, cmd, Enter. Type: "gpresult /v > gpo.txt". Then post the gpo.txt file here. You can remove all security-sensitive information, like domain name or computer names, and leave only the computer part of the configuration.
0
talcottnetworks (Author) Commented:
Here you go toniur: Thanks for your help.




Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/30/2008 at 10:26:00 AM



RSOP data for: Logging Mode
-------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   
    Last time Group Policy was applied: 1/30/2008 at 10:25:13 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        HPS_SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaxServiceAge
                Computer Setting:  600

            GPO: Default Domain Policy
                Policy:            MaxTicketAge
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            MaxClockSkew
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

            GPO: Default Domain Policy
                Policy:            MaxRenewAge
                Computer Setting:  7

        Audit Policy
        ------------
            GPO: Default Domain Controllers Policy
                Policy:            AuditPolicyChange
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilegeUse
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditDSAccess
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditObjectAccess
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditProcessTracking
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditSystemEvents
                Computer Setting:  Success

        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyNetworkLogonRight
                Computer Setting:  DHG\SUPPORT_388945a0
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TcbPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyServiceLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ServiceLogonRight
                Computer Setting:  NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePermanentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TakeOwnershipPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DebugPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemTimePrivilege
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyBatchLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreateTokenPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SyncAgentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Account Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseBasePriorityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LockMemoryPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  LOCAL SERVICE
                               
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyInteractiveLogonRight
                Computer Setting:  SUPPORT_388945a0
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Network security: LAN Manager authentication level
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                Computer Setting:  2

            GPO: Default Domain Controllers Policy
                Policy:            Domain controller: LDAP server signing requirements
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Domain member: Digitally encrypt or sign secure channel data (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
 
    Last time Group Policy was applied: 1/30/2008 at 9:55:40 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Enterprise Admins
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Enable computer and user accounts to be trusted for delegation
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
0
Toni Uranjek (Consultant/Trainer) Commented:
In Default Domain Controllers Policy disable the following setting: Microsoft network server: Digitally sign communications (always). Then go to command prompt and enter "gpupdate /force".

SMB signing is now disabled, Mac computers should be able to access files on your file server/domain controller.

Let me know if it works...
0
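An added example (not part of the thread, and not the expert's own tooling): a Python sketch that scans saved `gpresult /v` output for the two LanManServer signing values and reports which GPO sets each, the same lookup done by hand above. The helper names and the state labels are this example's own; the sample text is a constructed excerpt in the layout of the posted output.

```python
import re

# Constructed excerpt in the layout of the gpresult /v "Security Options" section.
SAMPLE = r"""
            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1
"""

FIELD = re.compile(r"^\s*(GPO|Policy|ValueName|Computer Setting):\s*(.*?)\s*$")
SIGNING_VALUES = ("EnableSecuritySignature", "RequireSecuritySignature")
KEY_SUFFIX = r"services\lanmanserver\parameters"


def parse_entries(text):
    """Return one dict per 'GPO:' block. Only the first line of a
    multi-line 'Computer Setting' is kept, which is enough for
    registry-backed security options."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers, rulers, continuation lines
        key, value = m.groups()
        if key == "GPO":
            entries.append({"GPO": value})
        elif entries:
            entries[-1].setdefault(key, value)
    return entries


def smb_signing_sources(text):
    """Map each server-side signing value to (GPO name, configured value)."""
    found = {}
    for entry in parse_entries(text):
        path, _, name = entry.get("ValueName", "").rpartition("\\")
        if path.lower().endswith(KEY_SUFFIX) and name in SIGNING_VALUES:
            found[name] = (entry["GPO"], entry.get("Computer Setting"))
    return found


def server_signing_state(found):
    """Summarise the policy-configured state (labels are this example's own)."""
    require = found.get("RequireSecuritySignature", (None, None))[1]
    enable = found.get("EnableSecuritySignature", (None, None))[1]
    if require == "1":
        return "required"
    if require == "0" and enable == "1":
        return "if client agrees"  # signed only with clients that also sign
    if require == "0" and enable == "0":
        return "disabled"
    return "not fully set by policy"  # a value may come from the local registry


if __name__ == "__main__":
    found = smb_signing_sources(SAMPLE)
    for name, (gpo, value) in sorted(found.items()):
        print(f"{name} = {value}  (set by: {gpo})")
    print("Server-side SMB signing:", server_signing_state(found))
```

To use it on real output, pass the text of the file written by `gpresult /v > gpo.txt` to `smb_signing_sources`; a value that no GPO lists is left to the local registry, which is why a manual edit can persist in that case.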
talcottnetworks (Author) Commented:
Great toniur, thanks I have found this setting and will test it today.

Couple Quick Questions:
1) How does this affect the security of the network? What are the risks? How can I keep this setting disabled and secure the network in other ways?

2) Will this disable general 'Users' from having to enter admin password when installing software locally on their machine?
0
Toni Uranjek (Consultant/Trainer) Commented:
Answer to your first question: you will expose your network to possible SMB man-in-the-middle attacks, which require special hacking tools and quite an amount of hacking experience - IMHO the same information can be obtained from your network much easier. :D

Two: no, disabling SMB signing does not make users members of the local Administrators group. This is the privilege required to install software.
0
talcottnetworks (Author) Commented:
Thanks for your help toniur. Good man.
0