Null Session Group Policy Not Working

    Question

  • Hi All,

    I've applied the following group policies

    Disabled: 

    Network access: Allow anonymous SID/Name translation
    Network access: Let Everyone permissions apply to anonymous users 

    Enabled:

    Network access: Do not allow anonymous enumeration of SAM accounts
    Network access: Do not allow anonymous enumeration of SAM accounts and shares 

    Leave Empty:

    Network access: Named Pipes that can be accessed anonymously
    Network access: Shares that can be accessed anonymously 

    I've tested RSOP and I do see these policies being applied (Grayed out with the options set) but when I do a 

    net use \\host_name_or_IP_address\ipc$ "" "/user:"

    I still get a "The command completed successfully."

    I am tearing my head out trying to figure out why this isn't working. Should I look at any other policies that might be turned on to see if it is interfering with these policies? 

    I tried to unjoin the server from the domain, clear out security policies, and apply local policies, but it is still not working. 

    Any ideas?

    Monday, June 22, 2015 1:39 PM

Answers

  • Hi Armourd,

    Would you please check in the registry whether the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous exists and the DWORD value is set to 2?

    You can check the link below for more reference:

    https://support.microsoft.com/en-us/kb/246261

    WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 29, 2015 2:03 AM
    Moderator
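
The registry check suggested in the answer can be extended to every setting named in the question. The script below is an added example, not part of the original thread: it reads the values that back those "Network access" policies and compares them with the intended configuration. The mapping from policy names to value names, and the extra RestrictNullSessAccess value (the policy "Network access: Restrict anonymous access to Named Pipes and Shares", which the thread does not mention), are supplied here as assumptions.

```powershell
# Added example: audit the registry values behind the "Network access"
# policies discussed in this thread. Read-only; changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# True when a REG_MULTI_SZ list is missing or holds no non-blank entries.
$isEmpty = { param($v) @($v | Where-Object { $_ }).Count -eq 0 }

# Want = target from the question; RestrictAnonymous = 2 is the value the
# answer asks about, 1 is what the "SAM accounts and shares" policy writes.
$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Want = '1 or 2'; Ok = { param($v) $v -ge 1 } }
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = '1';      Ok = { param($v) $v -eq 1 } }
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = '0';      Ok = { param($v) $v -eq 0 } }
    # Assumption: not mentioned in the thread. The two lists below are only
    # enforced when this value is 1.
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Want = '1';      Ok = { param($v) $v -eq 1 } }
    @{ Path = $srv; Name = 'NullSessionPipes';          Want = 'empty';  Ok = $isEmpty }
    @{ Path = $srv; Name = 'NullSessionShares';         Want = 'empty';  Ok = $isEmpty }
)

$report = foreach ($c in $checks) {
    $item    = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $present = $null -ne $item -and $item.PSObject.Properties.Name -contains $c.Name
    $value   = if ($present) { $item.($c.Name) } else { $null }

    [pscustomobject]@{
        Key     = Split-Path $c.Path -Leaf
        Value   = $c.Name
        Current = if ($present) { $value -join ', ' } else { '(not set)' }
        Want    = $c.Want
        Pass    = [bool](& $c.Ok $value)
    }
}

$report | Format-Table -AutoSize

# Summarize anything that differs from the intended configuration.
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} value(s) differ from the intended settings: {1}" -f `
        $failed.Count, ($failed.Value -join ', '))
}
```

Run it on the server being tested rather than on the client issuing `net use`, since the values are read from the local registry.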

All replies

  • Also,

    For the following 

    Leave Empty:

    Network access: Named Pipes that can be accessed anonymously
    Network access: Shares that can be accessed anonymously 

    I've gone in and left it empty, which sets it at "not defined" and I've also gone in, checked the box "define this policy setting in the template", cleared out everything and put "Null" inside.

    Still doesn't work.


    Monday, June 22, 2015 1:44 PM
  • It did not help.

    I still get a "The command completed successfully."

    Tuesday, September 22, 2015 7:42 PM