Friday, August 17, 2007 3:39 PM
We are running a 2003 domain with all DCs running Windows 2003 SP1, 10 Windows 2003 SP1 member servers and 1 Windows 2000 SP4 member server. I have several hundred W2K SP4 and XP SP2 PCs on my domain that I want to increase the security level on.
About 4 years ago we adjusted some GPO settings to allow Windows 98 PCs to work on the domain, but these PCs are long gone, so I want to change these settings under our Default Global Domain Policy | Security Settings/Local Policies/Security Options:
"Microsoft network client: Digitally sign communications (always)", currently disabled.
"Microsoft network server: Digitally sign communications (always)", currently disabled.
"Network access: Allow anonymous SID/Name translation", currently not configured.
I want to secure the server to server communications and require secure server to client communications by changing the 2 disabled settings to force and enable the SID setting.
My problem is that since this is at the domain level it is going to be impossible to test the impact these changes will have. Does anyone know what will happen? Will the servers and PCs make the change without drama, or will this cause AD access and logon issues? I have read http://support.microsoft.com/kb/823659 and can't see any compatibility issues for my setup, so I am mainly worried about what the users will experience after I make the change.
Friday, August 17, 2007 4:31 PM
You can roll out the settings gradually by using the following steps:
- Create a temporary OU and link a GPO with the enhanced security options to this new OU.
- Move some computer accounts or servers into this OU.
- Once you confirm that the computer accounts in this temporary OU do not face any problem, link the GPO to the root of the domain or your computer accounts' OU.
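The staged rollout above, scripted as an added example (not from this thread; it assumes the ActiveDirectory and GroupPolicy PowerShell modules, which need Windows Server 2008 R2 / RSAT or later, and uses placeholder OU, GPO and computer names):

```powershell
# Added example: pilot the SMB-signing policies on a test OU before touching the domain root.
# Assumes the ActiveDirectory and GroupPolicy modules; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'SMB-Signing-Pilot'
$gpoName  = 'Pilot - Require SMB Signing'

# 1. Temporary OU for the pilot computers.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru

# 2. GPO carrying the hardened settings. The two "Digitally sign communications (always)"
#    policies are registry-backed, so they can be written directly:
#    client -> LanmanWorkstation\Parameters\RequireSecuritySignature
#    server -> LanmanServer\Parameters\RequireSecuritySignature
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
# "Network access: Allow anonymous SID/Name translation" lives in the GPO's GptTmpl.inf
# (LSAAnonymousNameLookup), not the registry, so set it in the Group Policy editor instead.

# 3. Link the GPO to the pilot OU. OU links are applied after domain links, so this GPO
#    overrides the Default Domain Policy's "Disabled" for computers in the OU unless that
#    domain policy is marked Enforced / No Override.
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# 4. Move a few pilot machines in (placeholder names), mixing a workstation and a server.
'PILOT-PC01', 'PILOT-SRV01' | ForEach-Object {
    Get-ADComputer -Identity $_ | Move-ADObject -TargetPath $ou.DistinguishedName
}

# 5. Verify the effective values on a pilot machine after a policy refresh (expect 1 / 1).
Invoke-Command -ComputerName 'PILOT-PC01' -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    [pscustomobject]@{
        ClientRequireSigning = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters').RequireSecuritySignature
        ServerRequireSigning = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').RequireSecuritySignature
    }
}
```

While the pilot runs, watch the pilot machines' System event log for LanmanWorkstation/LanmanServer errors and confirm logons and share access still work against the domain-policy servers.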
Sunday, August 19, 2007 2:21 PM
I thought the domain level policy that has the settings in question forced to "disabled" would override any other GPO's settings...
The servers will still be under control of the domain level policy; will they be able to talk to the test PCs without issue in this testing method of yours?
Wednesday, September 05, 2007 3:51 PM (Moderator)
Correct. You could create a new test GPO, assign it to a test OU, and test it. Once you are comfortable with the changes, you can add them to the Default Domain Policy or link your test GPO to the root OU.