
Mac Connected to Windows Domain

talcottnetworks
Hello All,

First a thanks to all the great solutions I have found on this site. Such a time saver.

Connecting two Macs to a Windows Server 2003 domain. I follow the instructions below and the Macs are able to connect to the shared folder.

 open up regedit (Start > Run > "regedit" {return}), and navigate to HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ LanManServer \ Parameters \ RequireSecuritySignature, and set its value to "0".


This works but it will not stay working. Every time I remote into the server the value is set back to '1'. Any idea how to make the '0' value stay '0'?

Thanks

Toni Uranjek, Consultant/Trainer

Commented:
Hi!

This setting is configured by group policy. Use "gpresult /v" on the file server to determine which policy applies to your computer and then change the setting.

More information on SMB signing:

"Overview of Server Message Block signing"
http://support.microsoft.com/kb/887429

HTH

Toni

Author

Commented:
Toni,

Thanks for the quick reply.

I am not too familiar with this command. Is there a way I can change this setting manually in Group Policy and it will stick?

Thanks.
Toni Uranjek, Consultant/Trainer

Commented:
Yes, but first you have to find out which policy object is applied. Use "gpresult /v > gpo.log", upload gpo.log here and I will give you detailed instructions.

Right now I believe that your registry change is being overwritten by policy setting.

Author

Commented:
If you could give me detailed instructions in regards to this I would appreciate it. I know it's annoying, I am just not familiar with the process.
Toni Uranjek, Consultant/Trainer

Commented:
Go to the file server, Start, Run, cmd, Enter. Type: "gpresult /v > gpo.txt". Then post the gpo.txt file here. You can remove all security-sensitive information, like domain name or computer names, and leave only the computer part of the configuration.

Author

Commented:
Here you go toniur: Thanks for your help.




Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/30/2008 at 10:26:00 AM



RSOP data for: Logging Mode
-------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   
    Last time Group Policy was applied: 1/30/2008 at 10:25:13 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        HPS_SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaxServiceAge
                Computer Setting:  600

            GPO: Default Domain Policy
                Policy:            MaxTicketAge
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            MaxClockSkew
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

            GPO: Default Domain Policy
                Policy:            MaxRenewAge
                Computer Setting:  7

        Audit Policy
        ------------
            GPO: Default Domain Controllers Policy
                Policy:            AuditPolicyChange
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilegeUse
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditDSAccess
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditObjectAccess
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditProcessTracking
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditSystemEvents
                Computer Setting:  Success

        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyNetworkLogonRight
                Computer Setting:  DHG\SUPPORT_388945a0
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TcbPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyServiceLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ServiceLogonRight
                Computer Setting:  NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePermanentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TakeOwnershipPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DebugPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemTimePrivilege
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyBatchLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreateTokenPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SyncAgentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Account Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseBasePriorityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LockMemoryPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  LOCAL SERVICE
                               
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyInteractiveLogonRight
                Computer Setting:  SUPPORT_388945a0
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Network security: LAN Manager authentication level
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                Computer Setting:  2

            GPO: Default Domain Controllers Policy
                Policy:            Domain controller: LDAP server signing requirements
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Domain member: Digitally encrypt or sign secure channel data (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
 
    Last time Group Policy was applied: 1/30/2008 at 9:55:40 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Enterprise Admins
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Enable computer and user accounts to be trusted for delegation
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
Consultant/Trainer
Commented:
In Default Domain Controllers Policy disable the following setting: Microsoft network server: Digitally sign communications (always). Then go to command prompt and enter "gpupdate /force".

SMB signing is now disabled, Mac computers should be able to access files on your file server/domain controller.

Let me know if it works...
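
Added example (not part of the original thread): a Python sketch that reads a saved "gpresult /v" report such as the gpo.txt above and reports which GPO sets a registry-backed security option, then summarises server-side SMB signing. SAMPLE is a constructed excerpt in the same layout, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the layout of the gpresult /v output posted above.
SAMPLE = r"""
        User Rights
            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators

        Security Options
            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1
"""

FIELD = re.compile(r"^(\s*)(GPO|Policy|ValueName|Computer Setting):\s*(.*)$")

def parse_settings(text):
    """Parse 'GPO / Policy / ValueName / Computer Setting' blocks into dicts."""
    records, cur, in_setting, key_indent = [], None, False, 0
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
            in_setting = key == "Computer Setting" and cur is not None
            if key == "GPO":
                cur = {"GPO": value, "Computer Setting": []}
                records.append(cur)
            elif in_setting:
                key_indent = indent
                if value:
                    cur[key].append(value)
            elif cur is not None:
                cur[key] = value
        elif in_setting and line.strip() and len(line) - len(line.lstrip()) > key_indent:
            cur["Computer Setting"].append(line.strip())  # extra line of a multi-value setting
        elif line.strip():
            in_setting = False  # section header or other text ends the setting
    return records

def who_sets(records, value_name):
    """Return (GPO, setting) pairs for a registry value name, matched case-insensitively."""
    return [(r["GPO"], r["Computer Setting"]) for r in records
            if r.get("ValueName", "").rsplit("\\", 1)[-1].lower() == value_name.lower()]

def smb_server_signing(records):
    """Summarise server-side SMB signing and name the GPO that sets it."""
    for name, state in (("RequireSecuritySignature", "required"),
                        ("EnableSecuritySignature", "if client agrees")):
        for gpo, setting in who_sets(records, name):
            if setting == ["1"]:
                return state, gpo
    return "not enabled by policy", None

if __name__ == "__main__":
    print(smb_server_signing(parse_settings(SAMPLE)))
```

To check a real report, pass the contents of the saved file to parse_settings() in place of SAMPLE; running it again after "gpupdate /force" confirms whether the policy change took effect.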

Author

Commented:
Great toniur, thanks I have found this setting and will test it today.

Couple Quick Questions:
1) How does this affect the security of the network? What are the risks? How can I keep this setting disabled and secure the network in other ways?

2) Will this disable general 'Users' from having to enter admin password when installing software locally on their machine?
Toni Uranjek, Consultant/Trainer

Commented:
Answer to your first question: you will expose your network to possible SMB man-in-the-middle attacks, which require special hacking tools and quite an amount of hacking experience - IMHO the same information can be obtained from your network much easier. :D

Two, no, disabling SMB signing does not make users members of the local Administrators group. This is the privilege required to install software.

Author

Commented:
Thanks for your help toniur. Good man.
