Jinesh Kumar Kochath
asked on
Windows server 2008 / value changes
hello
we have windows 2008 server/standard edition and we have installed a network scanner and to communicate the nw scanner via network, I have done value changes as per the following :
In gpedit.msc
--Local Computer Policy
--Computer Configuration
--Windows Settings
--Security Settings
--Local Policies
--Security options
--Microsoft network server : Digitally sign communications (always) - We changed the status as disabled
But everytime when we restarts windows, the value is changing and getting it enabled.
can you please advise how to fix this value permanently disabled
we have windows 2008 server/standard edition and we have installed a network scanner and to communicate the nw scanner via network, I have done value changes as per the following :
In gpedit.msc
--Local Computer Policy
--Computer Configuration
--Windows Settings
--Security Settings
--Local Policies
--Security options
--Microsoft network server : Digitally sign communications (always) - We changed the status as disabled
But everytime when we restarts windows, the value is changing and getting it enabled.
can you please advise how to fix this value permanently disabled
Group policy works like this LSDOU
L - Local policy
S - Site Level policy
D - domain level policy
OU - OU level policy
with Local policy have the least and OU have the high presidence.
you can type gpresult /v in command prompt or type rsop.msc in run for gui to find the policy.
L - Local policy
S - Site Level policy
D - domain level policy
OU - OU level policy
with Local policy have the least and OU have the high presidence.
you can type gpresult /v in command prompt or type rsop.msc in run for gui to find the policy.
ASKER
Hello,
When I fired gpresult/v I got the following details :
Computer Setting: LOCAL SERVICE
Administrators
Server Operators
GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators
Print Operators
GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: Administrators
Backup Operators
Account Operators
Server Operators
Print Operators
GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: Administrators
Backup Operators
Performance Log Users
GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: Everyone
Administrators
Authenticated Users
ENTERPRISE DOMAIN CONTROLLERS
Pre-Windows 2000 Compatible Access
GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Administrators
Server Operators
GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators
GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Administrators
Print Operators
GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Administrators
GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivil ege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivileg e
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePasswo rd
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59059
ValueName: MACHINE\System\CurrentCont rolSet\Con trol\Lsa\
LmCompatibilityLevel
Computer Setting: 3
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59013
ValueName: MACHINE\System\CurrentCont rolSet\Ser vices\NTD
S\Parameters\LDAPServerInt egrity
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59043
ValueName: MACHINE\System\CurrentCont rolSet\Ser vices\Lan
ManServer\Parameters\Requi reSecurity Signature
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentCont rolSet\Ser vices\Lan
ManServer\Parameters\Enabl eSecurityS ignature
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentCont rolSet\Con trol\Lsa\
NoLMHash
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59018
ValueName: MACHINE\System\CurrentCont rolSet\Ser vices\Net
logon\Parameters\RequireSi gnOrSeal
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Administrator,CN=Users, DC=kfrshah gas,DC=com
Last time Group Policy was applied: 4/16/2012 at 8:08:06 AM
Group Policy was applied from: KFSGD.kfrshahgas.com
Group Policy slow link threshold: 500 kbps
Domain Name: KFRSHAHGAS
Domain Type: Windows 2000
Applied Group Policy Objects
-------------------------- ---
N/A
The following GPOs were not applied because they were filtered out
-------------------------- ---------- ---------- ---------- ---------- -
Default Domain Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
-------------------------- ---------- ---------- -----
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Enterprise Admins
Schema Admins
Denied RODC Password Replication Group
High Mandatory Level
The user has the following security privileges
-------------------------- ---------- ----------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Enable computer and user accounts to be trusted for delegation
Increase a process working set
Add workstations to domain
Resultant Set Of Policies for User
-------------------------- ---------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
-------------------------- ---------- ----
N/A
Internet Explorer Connection
-------------------------- --
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
C:\Users\Administrator>
When I fired gpresult/v I got the following details :
Computer Setting: LOCAL SERVICE
Administrators
Server Operators
GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators
Print Operators
GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: Administrators
Backup Operators
Account Operators
Server Operators
Print Operators
GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: Administrators
Backup Operators
Performance Log Users
GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: Everyone
Administrators
Authenticated Users
ENTERPRISE DOMAIN CONTROLLERS
Pre-Windows 2000 Compatible Access
GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Administrators
Server Operators
GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators
GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Administrators
Print Operators
GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Administrators
GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivil
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivileg
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePasswo
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59059
ValueName: MACHINE\System\CurrentCont
LmCompatibilityLevel
Computer Setting: 3
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59013
ValueName: MACHINE\System\CurrentCont
S\Parameters\LDAPServerInt
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59043
ValueName: MACHINE\System\CurrentCont
ManServer\Parameters\Requi
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentCont
ManServer\Parameters\Enabl
Computer Setting: 1
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentCont
NoLMHash
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59018
ValueName: MACHINE\System\CurrentCont
logon\Parameters\RequireSi
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Administrator,CN=Users,
Last time Group Policy was applied: 4/16/2012 at 8:08:06 AM
Group Policy was applied from: KFSGD.kfrshahgas.com
Group Policy slow link threshold: 500 kbps
Domain Name: KFRSHAHGAS
Domain Type: Windows 2000
Applied Group Policy Objects
--------------------------
N/A
The following GPOs were not applied because they were filtered out
--------------------------
Default Domain Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
--------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Enterprise Admins
Schema Admins
Denied RODC Password Replication Group
High Mandatory Level
The user has the following security privileges
--------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Enable computer and user accounts to be trusted for delegation
Increase a process working set
Add workstations to domain
Resultant Set Of Policies for User
--------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
--------------------------
N/A
Internet Explorer Connection
--------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
C:\Users\Administrator>
GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentCont rolSet\Ser vices\Lan
ManServer\Parameters\Enabl eSecurityS ignature
Computer Setting: 1
Its enabled...
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentCont
ManServer\Parameters\Enabl
Computer Setting: 1
Its enabled...
ASKER
hello
see as I told you, even though I disable this, when we restarts server, it is getting enabled
this is the issue and I need a solution for this
see as I told you, even though I disable this, when we restarts server, it is getting enabled
this is the issue and I need a solution for this
Yes, but this policy is coming from Domain Controller....
are you making changes on the Domain Controller or on some server?
are you making changes on the Domain Controller or on some server?
ASKER
the same computer also acts as dc, can you advise how can I change in dc
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hello
I am still dont know what to change there in Group policy, can you please explain how to change digitally sign communications how to disable in group policy
appreciating your help
I am still dont know what to change there in Group policy, can you please explain how to change digitally sign communications how to disable in group policy
appreciating your help
GPO: Default Domain Controllers Policy
this is the policy you have to change.
this is the policy you have to change.
to check this..
when you change the value.. type below command.
rsop .. and see what policy are u getting from the Domain group policy.