Network access: Allow anonymous SID/Name translation

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description

Determines if an anonymous user can request security identifier (SID) attributes for another user.

If this policy is enabled on a computer, a user who knows an administrator's SID could contact that computer and use the SID to get the administrator's name.

Default:

Disabled on workstations.

Enabled on servers.

Note

For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if a different account policy is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (that is, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can differ from the domain account policy if an account policy is defined for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.
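To check how the setting described above is currently configured on a machine, the following added example (not part of the original page) exports the local security policy with secedit and reads the `LSAAnonymousNameLookup` value from the `[System Access]` section. The function name is hypothetical, and treating Disabled as the compliant state is an assumption about the desired baseline.

```powershell
# Added example: audit "Network access: Allow anonymous SID/Name translation".
# Run from an elevated PowerShell prompt on the computer being checked.
# Assumption: the desired baseline is Disabled (value 0).

function Get-AnonymousSidNameTranslation {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the security policy area of the local policy database.
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if (-not (Test-Path $cfg)) {
            throw "secedit export produced no file; is the prompt elevated?"
        }

        # secedit writes the setting as: LSAAnonymousNameLookup = 0 | 1
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*LSAAnonymousNameLookup\s*=\s*\d+\s*$' } |
            Select-Object -First 1

        if (-not $line) {
            # Setting absent from the export: report it rather than guess.
            return [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Setting   = 'NotFound'
                Compliant = $false
            }
        }

        $null = $line -match '=\s*(\d+)'
        $enabled = ([int]$Matches[1] -eq 1)

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Setting   = if ($enabled) { 'Enabled' } else { 'Disabled' }
            Compliant = -not $enabled
        }
    }
    finally {
        # The export contains the whole security policy; do not leave it in TEMP.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-AnonymousSidNameTranslation
```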

For more information, see:

Security Configuration Manager Tools

