This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 88%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
If I want to enforce the use of NTLMv2 with the below GPO settings do I have to apply this to both the domain controller and the clients ?
It seems like if I only apply this to the client then when I reboot the client I get the warning below.
Or..... If I only apply this to the domain controllers will that force all the clients to use NTLMv2 when they authenticate with the domain controller ?
Thanks for any reply
/R
Andy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 43%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Yes you have to apply to DC's, clients, servers, all objects basically. This is the internal server setting. So the GPO that applies to clients is for the client receiving NTLM requests, how the client handles them. The GPO on DCs is for the DC receiving NTLM requests, how the DC handles them..
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Maybe this one helps.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi,
Thanks for the reply, but not the answer I was looking for I belive.
The link you refer to is "Network Security: Restrict NTLM: NTLM authentication in this domain", and since I want to only use NTLMv2 It would be enough to configure "Network security: LAN Manager authentication level - Send NTLMv2 responses only. Refuse LM & NTLM", am I not wrong ?
If I don't understand correctly, the link you provide is an exception, so that I can list some computers to be allowed with NTLM?
But again, my question is "If I want to enforce the use of NTLMv2 with the below GPO settings do I have to apply this to both the domain controller and the clients ? Or I might not understand this correctly so please explain :)
Thanks again for answers.
/R
Andy
Hi,
Thanks for reply @Scott Dawson
If I deploy it to the domain controller, then I guess all clients will be affected right away ? I would like to implement this in segments, say 50 and 50 machines, but I guess that would not work since I have to deploy it on the domain controllers for the system to work ? Right ?
I know I can implement logging, So I guess I would have to do that first.....
comments ?
/R
Andy
I deployed this 1 DC at a time using AD site boundaries to mitigate risk to only those clients. There are still random hits to the DC but atleast this is a quick way to figure out which apps aren’t compatible and have a quick recovery if needed. Once DCs were completed, it was easy to do servers, then workstations.
Hi,
Thanks for making things more clear...
Not sure about the AD site boundaries, we only have 3 sites, 1 site with 2 DCs, and the other 2 sites with 1 DC in each.
The site that has 2 DCs have around 500-600 servers, and 100 clients.
You say "Only DCs were completed", I thought that If I applied the GPO settings on 1 domain controller, and if a server has an application that uses this domain controller for authentication and does not support it, it will fail ? Or am I missing something here ? I dont want to implement this on the DC, and suddenly we have problems with 200+ servers :(
Thanks again for helping me understand, not my best field...
/R
Andy