Windows Vista Tips

2 questions
Boris
03-11-2010
Hi,

I'm not sure if my questions (below) should rather be asked on some other
newsgroup.

I have 2 questions on Domain Security Policy in Active Directory:

1. Is it possible to configure a list of Windows Firewall exception rules (via
domain GPO) - and have those settings propagate to all client PCs?
2. There's a NoLMHash setting in GPO - this prevents user passwords from being
stored using (weak) LMHash encryption. When this policy is set and new
passwords are created, they're no longer stored using LMHash encryption (but
rather using stronger NT encryption). However, this policy setting doesn't
apply retroactively: if some passwords were stored using LMHash before the
policy setting was applied, they will continue to be stored via LMHash even
after the policy setting was applied. Is there a way to force Windows
clients to recreate password hashes for existing passwords, so that the
encryption method changes from LMHash to NTHash?

Thanks,
B.

 
Bob Lin (MS-MVP)
03-12-2010
I am not sure about the second question. You can set up Windows Firewall exception
rules in domain GPO. This post may help:
Windows Firewall Group Policy settings for the domain -
http://chicagotech.net/netforums/vie...69fbe240c5961e

--
Bob Lin, Microsoft-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


John John - MVP
03-12-2010
Question #2: Just force a password change on the users and the LM
Hashes will be removed when they change their passwords. You can use
another GPO to force the password change.

John


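Added example (not part of the thread): one way to find the accounts the second question is about, using the ActiveDirectory PowerShell module. It lists enabled users whose password was last set before NoLMHash took effect and, with -Enforce, sets the per-account "must change password at next logon" flag rather than using a GPO. The policy date and OU are placeholder assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Run without -Enforce first to review the report.
param(
    # Assumption: date the NoLMHash policy took effect on the domain controllers (placeholder).
    [datetime]$PolicyDate = '2010-03-01',
    # Assumption: placeholder OU; replace with your own distinguished name.
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    # Report only by default; -Enforce sets "must change password at next logon".
    [switch]$Enforce
)

$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires

foreach ($u in $users) {
    if (-not $u.PasswordLastSet) {
        # pwdLastSet is 0: the account is already flagged to change its password.
        $action = 'AlreadyFlagged'
    }
    elseif ($u.PasswordLastSet -ge $PolicyDate) {
        # Password was set after the policy applied, so it was stored without an LM hash.
        continue
    }
    elseif ($u.PasswordNeverExpires) {
        # ChangePasswordAtLogon cannot be set on these accounts (often service
        # accounts); their passwords have to be reset by an administrator.
        $action = 'ManualReset'
    }
    elseif ($Enforce) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        $action = 'Flagged'
    }
    else {
        $action = 'WouldFlag'
    }

    # One report row per account that may still carry an LM hash.
    [pscustomobject]@{
        Account         = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Action          = $action
    }
}
```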

 