Mac Connected to Windows Domain

Hello All,

First a thanks to all the great solutions I have found on this site. Such a time saver.

Connecting two Macs to a Windows Server 2003 domain. I followed the instructions below and the Macs are able to connect to the shared folder.

Open up regedit (Start > Run > "regedit" {return}), navigate to HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ LanManServer \ Parameters \ RequireSecuritySignature, and set its value to "0".


This works but it will not stay working. Every time I remote into the server the value is set back to '1'. Any idea how to make the '0' value stay '0'?

Thanks
talcottnetworks Asked:
 
Toni Uranjek (Consultant/Trainer) Commented:
In Default Domain Controllers Policy disable the following setting: Microsoft network server: Digitally sign communications (always). Then go to command prompt and enter "gpupdate /force".

SMB signing is now disabled, Mac computers should be able to access files on your file server/domain controller.

Let me know if it works...
0
 
Toni Uranjek (Consultant/Trainer) Commented:
Hi!

This setting is configured by group policy. Use "gpresult /v" on the file server to determine which policy applies to your computer and then change the setting.

More information on SMB signing:

"Overview of Server Message Block signing"
http://support.microsoft.com/kb/887429

HTH

Toni
0
 
talcottnetworks (Author) Commented:
Toni,

Thanks for the quick reply.

I am not too familiar with this command. Is there a way I can change this setting manually in Group Policy and it will stick?

Thanks.
0

 
Toni Uranjek (Consultant/Trainer) Commented:
Yes, but first you have to find out which policy object is applied. Use "gpresult /v > gpo.log", upload gpo.log here and I will give you detailed instructions.

Right now I believe that your registry change is being overwritten by policy setting.
0
 
talcottnetworks (Author) Commented:
If you could give me detailed instructions in regards to this I would appreciate it. I know it's annoying, I am just not familiar with the process.
0
 
Toni Uranjek (Consultant/Trainer) Commented:
Go to the file server, Start, Run, cmd, Enter. Type: "gpresult /v > gpo.txt". Then post the gpo.txt file here. You can remove all security-sensitive information, like domain name or computer names, and leave only the computer part of the configuration.
0
 
talcottnetworks (Author) Commented:
Here you go toniur: Thanks for your help.




Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/30/2008 at 10:26:00 AM



RSOP data for: Logging Mode
-------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   
    Last time Group Policy was applied: 1/30/2008 at 10:25:13 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        HPS_SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaxServiceAge
                Computer Setting:  600

            GPO: Default Domain Policy
                Policy:            MaxTicketAge
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            MaxClockSkew
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

            GPO: Default Domain Policy
                Policy:            MaxRenewAge
                Computer Setting:  7

        Audit Policy
        ------------
            GPO: Default Domain Controllers Policy
                Policy:            AuditPolicyChange
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilegeUse
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditDSAccess
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditObjectAccess
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Success

            GPO: Default Domain Controllers Policy
                Policy:            AuditProcessTracking
                Computer Setting:  No Auditing

            GPO: Default Domain Controllers Policy
                Policy:            AuditSystemEvents
                Computer Setting:  Success

        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyNetworkLogonRight
                Computer Setting:  DHG\SUPPORT_388945a0
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TcbPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyServiceLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ServiceLogonRight
                Computer Setting:  NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePermanentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TakeOwnershipPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DebugPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemTimePrivilege
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyBatchLogonRight
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreateTokenPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SyncAgentPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Account Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseBasePriorityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LockMemoryPrivilege
                Computer Setting:  N/A

            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  LOCAL SERVICE
                               
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DenyInteractiveLogonRight
                Computer Setting:  SUPPORT_388945a0
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Network security: LAN Manager authentication level
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                Computer Setting:  2

            GPO: Default Domain Controllers Policy
                Policy:            Domain controller: LDAP server signing requirements
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Domain member: Digitally encrypt or sign secure channel data (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
 
    Last time Group Policy was applied: 1/30/2008 at 9:55:40 AM
    Group Policy was applied from:    
    Group Policy slow link threshold:   500 kbps
    Domain Name:                      
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Enterprise Admins
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Enable computer and user accounts to be trusted for delegation
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
0
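Added example, not part of the original thread: a small parser for `gpresult /v` text that reports which applied GPO sets a given registry value, which is the lookup needed to see why a manual regedit change to RequireSecuritySignature gets overwritten by policy. The sample text is a constructed excerpt in the format of the output above, and the function names are this example's own.

```python
import re

# Constructed sample: a short excerpt in the format of the `gpresult /v`
# Security Options section posted above.
SAMPLE = r"""
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (if client agrees)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            Microsoft network server: Digitally sign communications (always)
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1
"""

FIELD = re.compile(r"^\s*(GPO|Policy|ValueName|Computer Setting):\s*(.*?)\s*$")


def parse_entries(text):
    """Return one dict per 'GPO:' block in gpresult /v output."""
    # Continuation lines of multi-line settings (user rights lists) are skipped;
    # registry-backed security options fit on one line each.
    entries, current = [], None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "GPO":
            current = {"GPO": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def policies_for_value(text, value_name):
    """Entries that manage a registry value, e.g. RequireSecuritySignature."""
    wanted = value_name.lower()
    return [e for e in parse_entries(text)
            if e.get("ValueName", "").split("\\")[-1].lower() == wanted]


def explain(text, value_name):
    """One line per policy that will overwrite a manual edit of value_name."""
    return [f"{e['ValueName']} is set to {e.get('Computer Setting', '?')} by GPO "
            f"'{e['GPO']}' (setting: {e.get('Policy', '?')})"
            for e in policies_for_value(text, value_name)]


if __name__ == "__main__":
    for name in ("RequireSecuritySignature", "EnableSecuritySignature"):
        print("\n".join(explain(SAMPLE, name)) or f"{name}: not set by an applied GPO")
```

To run it against a real report, pass the contents of the saved gpo.txt to `explain()` in place of `SAMPLE`.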
 
talcottnetworks (Author) Commented:
Great toniur, thanks I have found this setting and will test it today.

Couple Quick Questions:
1) How does this affect the security of the network? What are the risks? How can I keep this setting disabled and secure the network in other ways?

2) Will this disable general 'Users' from having to enter admin password when installing software locally on their machine?
0
 
Toni Uranjek (Consultant/Trainer) Commented:
Answer to your first question: you will expose your network to possible SMB man-in-the-middle attacks, which require special hacking tools and quite an amount of hacking experience - IMHO the same information can be obtained from your network much easier. :D

Two: no, disabling SMB signing does not make users members of the local Administrators group. This is the privilege required to install software.
0
 
talcottnetworks (Author) Commented:
Thanks for your help toniur. Good man.
0