LmCompatibilityLevel

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

| Data type | Range | Default value |
| --- | --- | --- |
| REG_DWORD | 0–5 | 0 |

Description

Specifies the mode of authentication and session security to be used for network logons.

| Value | Meaning |
| --- | --- |
| 0 | Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 1 | Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 2 | Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication. |
| 3 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 4 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2. |
| 5 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2. |

Activation method

You must restart Windows to make changes to this entry effective.

Note

To set a client running Windows NT Service Pack 4 to level 3 security or higher, the domain controllers for the user's account domains must already be upgraded to Service Pack 4.

For more information about operating-system interoperability and session security settings, see the Microsoft Knowledge Base link on the Web Resources page. Search the Knowledge Base for Article Q147706 or for the keywords LM authentication.

For more information about Windows 2000 security, see the Windows 2000 Server Resource Kit Distributed Systems Guide.

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Tip

System times should be within 30 minutes of each other. Otherwise, authentication can fail because the server might interpret the challenge from the client as having expired.
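
The following audit script is an added example, not part of the original page or any Microsoft tooling. It reads the entry, treats a missing entry as the default of 0 documented above, and maps the level to the behaviour in the Value/Meaning table. It assumes a system with PowerShell available; the function name `Get-LmCompatibilityReport`, the `-MinimumLevel` parameter and its threshold of 3 are hypothetical.

```powershell
# Added example: audit LmCompatibilityLevel on the local machine.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Behaviour per level, transcribed from the Value/Meaning table on this page.
$Levels = @{
    0 = @{ Client = 'LM and NTLM'; V2Session = 'never';                 Dc = 'accepts LM, NTLM, NTLMv2' }
    1 = @{ Client = 'LM and NTLM'; V2Session = 'if server supports it'; Dc = 'accepts LM, NTLM, NTLMv2' }
    2 = @{ Client = 'NTLM only';   V2Session = 'if server supports it'; Dc = 'accepts LM, NTLM, NTLMv2' }
    3 = @{ Client = 'NTLMv2 only'; V2Session = 'if server supports it'; Dc = 'accepts LM, NTLM, NTLMv2' }
    4 = @{ Client = 'NTLMv2 only'; V2Session = 'if server supports it'; Dc = 'refuses LM; accepts NTLM, NTLMv2' }
    5 = @{ Client = 'NTLMv2 only'; V2Session = 'if server supports it'; Dc = 'refuses LM and NTLM; accepts NTLMv2' }
}

function Get-LmCompatibilityReport {
    # -MinimumLevel is a hypothetical policy threshold, not a value from the page.
    param([ValidateRange(0, 5)][int]$MinimumLevel = 3)

    $key = Get-Item -Path $LsaKey
    $raw = $key.GetValue('LmCompatibilityLevel', $null)
    if ($null -eq $raw) {
        # The entry is not created by default; this page documents 0 as the default.
        $level  = 0
        $source = 'absent (documented default)'
    }
    else {
        $kind = $key.GetValueKind('LmCompatibilityLevel')
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            throw "LmCompatibilityLevel is stored as $kind, expected REG_DWORD"
        }
        $level  = [int]$raw
        $source = 'registry'
    }
    if (-not $Levels.ContainsKey($level)) {
        throw "LmCompatibilityLevel $level is outside the documented range 0-5"
    }

    $b = $Levels[$level]
    [pscustomobject]@{
        Level            = $level
        Source           = $source
        ClientSends      = $b.Client
        NTLMv2Session    = $b.V2Session
        DomainController = $b.Dc
        MeetsMinimum     = ($level -ge $MinimumLevel)
    }
}

Get-LmCompatibilityReport -MinimumLevel 3
```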