asked on

Windows server 2008 / value changes

hello
we have windows 2008 server/standard edition and we have installed a network scanner and to communicate the nw scanner via network, I have done value changes as per the following :

In gpedit.msc

--Local Computer Policy
--Computer Configuration
--Windows Settings
--Security Settings
--Local Policies
--Security options
--Microsoft network server : Digitally sign communications (always) - We changed the status as disabled

But everytime when we restarts windows, the value is changing and getting it enabled.

can you please advise how to fix this value permanently disabled

Anuroopsundd

is there any Domain group policy which is over riding your value and setting it back to enabled

to check this..
when you change the value.. type below command.

rsop .. and see what policy are u getting from the Domain group policy.

sujithmd

Group policy works like this LSDOU

L - Local policy
S - Site Level policy
D - domain level policy
OU - OU level policy

with Local policy have the least and OU have the high presidence.

you can type gpresult /v in command prompt or type rsop.msc in run for gui to find the policy.

Jinesh Kumar Kochath

ASKER

Hello,
When I fired gpresult/v I got the following details :
Computer Setting: LOCAL SERVICE
Administrators
Server Operators

GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators
Print Operators

GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE

GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: Administrators
Backup Operators
Account Operators
Server Operators
Print Operators

GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: Administrators
Backup Operators
Performance Log Users

GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: Everyone
Administrators
Authenticated Users
ENTERPRISE DOMAIN CONTROLLERS
Pre-Windows 2000 Compatible Access

GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Administrators
Server Operators

GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Administrators
Backup Operators
Server Operators

GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Administrators
Print Operators

GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Administrators

GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivilege
Computer Setting: Administrators

GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE

Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59059
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\
LmCompatibilityLevel
Computer Setting: 3

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59013
ValueName: MACHINE\System\CurrentControlSet\Services\NTD
S\Parameters\LDAPServerIntegrity
Computer Setting: 1

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59043
ValueName: MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\RequireSecuritySignature
Computer Setting: 1

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\EnableSecuritySignature
Computer Setting: 1

GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\
NoLMHash
Computer Setting: 1

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59018
ValueName: MACHINE\System\CurrentControlSet\Services\Net
logon\Parameters\RequireSignOrSeal
Computer Setting: 1

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=kfrshahgas,DC=com
Last time Group Policy was applied: 4/16/2012 at 8:08:06 AM
Group Policy was applied from: KFSGD.kfrshahgas.com
Group Policy slow link threshold: 500 kbps
Domain Name: KFRSHAHGAS
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Enterprise Admins
Schema Admins
Denied RODC Password Replication Group
High Mandatory Level

The user has the following security privileges
----------------------------------------------

Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Enable computer and user accounts to be trusted for delegation
Increase a process working set
Add workstations to domain

Resultant Set Of Policies for User
-----------------------------------

Software Installations
----------------------
N/A

Logon Scripts
-------------
N/A

Logoff Scripts
--------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
N/A

Internet Explorer Connection
----------------------------
N/A

Internet Explorer URLs
----------------------
N/A

Internet Explorer Security
--------------------------
N/A

Internet Explorer Programs
--------------------------
N/A

C:\Users\Administrator>

Anuroopsundd

GPO: Default Domain Controllers Policy
Policy: @wsecedit.dll,-59044
ValueName: MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\EnableSecuritySignature
Computer Setting: 1

Its enabled...

Jinesh Kumar Kochath

ASKER

hello
see as I told you, even though I disable this, when we restarts server, it is getting enabled

this is the issue and I need a solution for this

Anuroopsundd

Yes, but this policy is coming from Domain Controller....
are you making changes on the Domain Controller or on some server?

Jinesh Kumar Kochath

ASKER

the same computer also acts as dc, can you advise how can I change in dc

ASKER CERTIFIED SOLUTION

Anuroopsundd

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Jinesh Kumar Kochath

ASKER

hello
I am still dont know what to change there in Group policy, can you please explain how to change digitally sign communications how to disable in group policy

appreciating your help

David Johnson, CD

GPO: Default Domain Controllers Policy

this is the policy you have to change.