A. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous registry subkey can have a value of 0, 1, or 2. The value 0 means rely on default permissions; the value 1 means don’t allow enumeration of SAM accounts and names; the value 2 means no access without explicit anonymous permissions. You can use a value of 0 or 1 on any domain controller (DC), but you should use a value of 2 only on Windows 2000 machines.

If you work in a mixed networking environment with Win2K and Windows NT 4.0 DCs, don't set the RestrictAnonymous subkey to a value of 2 on any participating DC, because doing so will break two-way trust relationships that involve NT 4.0 DCs. To correct this problem, set the subkey to a value of 0 or 1 by performing the following steps:

  1. Start regedit.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
  3. Double-click RestrictAnonymous.
  4. Set the value to 0 or 1, and click OK.
  5. Close the registry editor.
  6. Break and re-establish all trust relationships.
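
Steps 1 through 5 can also be checked and applied from an administrative workstation over remote registry. The PowerShell below is an added example, not part of the original answer; the function names and the DC names in the usage comment are hypothetical, and it assumes administrative rights and a running Remote Registry service on each DC. Step 6 remains a manual task.

```powershell
# Added example: audit and correct RestrictAnonymous on DCs via remote registry.
$LsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymous {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Meanings as given in the answer above.
    $meaning = @{
        0 = 'Rely on default permissions'
        1 = 'No enumeration of SAM accounts and names'
        2 = 'No access without explicit anonymous permissions'
    }
    foreach ($computer in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $value = $hklm.OpenSubKey($LsaPath).GetValue('RestrictAnonymous', $null)
            $text = if ($null -eq $value) { 'Not set' }
                    elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                    else { 'Unrecognized value' }
            [pscustomobject]@{
                Computer      = $computer
                Value         = $value
                Meaning       = $text
                UnsafeWithNT4 = ($value -eq 2)   # breaks two-way trusts with NT 4.0 DCs
            }
        } catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
        } finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

function Set-RestrictAnonymous {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateRange(0, 1)][int]$Value = 1     # only 0 or 1 is accepted here
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey($LsaPath, $true)  # $true opens the key writable
        $lsa.SetValue('RestrictAnonymous', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $hklm.Close() }
}

# Usage (placeholder DC names):
#   Get-RestrictAnonymous -ComputerName 'DC01','DC02' | Where-Object UnsafeWithNT4 |
#       ForEach-Object { Set-RestrictAnonymous -ComputerName $_.Computer -Value 1 }
```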