Windows server 2008 / value changes

Jinesh Kumar Kochath
Jinesh Kumar Kochath used Ask the Experts™
on
hello
we  have windows 2008 server/standard edition and we have installed a network scanner and to communicate the nw scanner via network, I have done value changes as per the following :

In gpedit.msc

--Local Computer Policy
    --Computer Configuration
             --Windows Settings
                  --Security Settings
                      --Local Policies
                         --Security options
                             --Microsoft network server : Digitally sign communications (always)  - We changed the status as disabled

But everytime when we restarts windows, the value is changing and getting it enabled.

can you please advise how to fix this value permanently disabled
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
is there any Domain group policy which is over riding your value and setting it back to enabled

to check this..
when you change the value.. type below command.

rsop .. and see what policy are u getting from the Domain group policy.

Commented:
Group policy works like this LSDOU

L - Local policy
S - Site Level policy
D - domain level policy
OU - OU level policy

with Local policy have the least and OU have the high presidence.  

you can type gpresult /v in command prompt or type rsop.msc in run for gui to find the policy.
Jinesh Kumar KochathRegional IT Manager

Author

Commented:
Hello,
When I fired gpresult/v I got the following details :
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE

            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Account Operators
                                   Server Operators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Performance Log Users

            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access

            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators

            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59059
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\
LmCompatibilityLevel
                Computer Setting:  3

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59013
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTD
S\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59043
                ValueName:         MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59044
                ValueName:         MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\
NoLMHash
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59018
                ValueName:         MACHINE\System\CurrentControlSet\Services\Net
logon\Parameters\RequireSignOrSeal
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=kfrshahgas,DC=com
    Last time Group Policy was applied: 4/16/2012 at 8:08:06 AM
    Group Policy was applied from:      KFSGD.kfrshahgas.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        KFRSHAHGAS
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Enable computer and user accounts to be trusted for delegation
        Increase a process working set
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

C:\Users\Administrator>
11/26 Forrester Webinar: Savings for Enterprise

How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.

GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59044
                ValueName:         MACHINE\System\CurrentControlSet\Services\Lan
ManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1



Its enabled...
Jinesh Kumar KochathRegional IT Manager

Author

Commented:
hello
see as I told you, even though I disable this, when we restarts server, it is getting enabled

this is the issue and I need a solution for this
Yes, but this policy is coming from Domain Controller....
are you making changes on the Domain Controller or on some server?
Jinesh Kumar KochathRegional IT Manager

Author

Commented:
the same computer also acts as dc, can you advise how can I change in dc
You have to do this from Group policy management console.

Click on Start -> Administrative Tools -> Group policy Management



See below link for more details...

http://trycatch.be/blogs/roggenk/archive/2007/07/25/windows-server-2008-amp-group-policy-management-console-gpmc.aspx
Jinesh Kumar KochathRegional IT Manager

Author

Commented:
hello
I am still dont know what to change there in Group policy, can you please explain how to change digitally sign communications how to disable in group policy

appreciating your help
Top Expert 2016

Commented:
GPO: Default Domain Controllers Policy

this is the policy you have to change.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial