Not defined state of the `Network security: Restrict NTLM: NTLM authentication in this domain` GPO

bahrep

4/1/23, 11:37 PM

Is NTLM by default disabled on domain controllers with Windows Server 2019?

My current tests show that the GPO Network security: Restrict NTLM: NTLM authentication in this domain does not work as documented. When this GPO is Not defined, NTLM does not work, and I see errors in Windows Security log:

Status: 0x80090302
Sub Status: 0xC0000418

Status 0xC0000418 translates to STATUS_NTLM_BLOCKED (The authentication failed because NTLM was blocked).

However, if I change GPO to Disable, NTLM works again.

The documentation says that when "Not defined" "The domain controller will allow all NTLM authentication requests in the domain where the policy is deployed.". So I was assuming that I don't need to change group policies to enable NTLM.

OS Name Microsoft Windows Server 2019 Standard

Version 10.0.17763 Build 17763

179

0 + 0

windows

group-policy

ntlm

windows-server-2019

Ivan Zhakov

4/2/23, 11:45 AM

Did you check Default Domain Policy and Default Domain Domain Controllers Policy? Group Policy Modeling wizard may be also helpfull to find actual applied policy.

bahrep

4/2/23, 12:05 PM

I've checked with GPRESULT and gpmc and now I don't see any relevant security policies enabled (i.e. defined). I see only these two: `Network security: Do not store LAN Manager hash value on next password change Enabled` and `Network security: Force logoff when logon hours expire Disabled`.

Score:0

Server

bahrep

4/6/23, 7:19 PM

I overlooked that the server computers had a Local Security Policy that disabled NTLM. NTLM works again after removing this policy.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Not defined state of the `Network security: Restrict NTLM: NTLM authentication in this domain` GPO

TH: ไม่ได้กำหนดสถานะของ `ความปลอดภัยเครือข่าย: จำกัด NTLM: การรับรองความถูกต้อง NTLM ในโดเมนนี้' GPO

RO: Starea nedefinită a GPO-ului „Securitate rețelei: Restricționați NTLM: autentificare NTLM în acest domeniu”

RU: Не определено состояние объекта групповой политики «Сетевая безопасность: ограничение NTLM: проверка подлинности NTLM в этом домене».

VI: Trạng thái không được xác định của `An ninh mạng: Hạn chế NTLM: xác thực NTLM trong miền này` GPO

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.