Network access: Do not allow anonymous enumeration of SAM accounts

Network access: Do not allow anonymous enumeration of SAM accounts

This security setting determines what additional permissions will be granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

This security option allows additional restrictions to be placed on anonymous connections as follows:

Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No additional restrictions. Rely on default permissions.

Default on workstations: Enabled.
Default on server:Disabled.

Important

This policy has no impact on domain controllers.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Security Options

Comments: 

Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM

Reboot required: 

No

Related content