A. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous registry subkey can have a value of 0, 1, or 2. The value 0 means rely on default permissions; the value 1 means don’t allow enumeration of SAM accounts and names; the value 2 means no access without explicit anonymous permissions. You can use a value of 0 or 1 on any domain controller (DC), but you should use a value of 2 only on Windows 2000 machines.
If you work in a mixed networking environment with Win2K and Windows NT 4.0 DCs, don't set the RestrictAnonymous subkey to a value of 2 on any participating DC, because doing so will break two-way trust relationships that involve NT 4.0 DCs. To correct this problem, set the subkey to a value of 0 or 1.
- Start regedit.
- Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
- Double-click RestrictAnonymous.
- Set the value to 0 or 1, and click OK.
- Close the registry editor.
- Break and re-establish all trust relationships.
