How do I fix broken trust relationships in my mixed domain after I implement the RestrictAnonymous registry setting?

A. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous registry subkey can have a value of 0, 1, or 2. The value 0 means rely on default permissions; the value 1 means don’t allow enumeration of SAM accounts and names; the value 2 means no access without explicit anonymous permissions. You can use a value of 0 or 1 on any domain controller (DC), but you should use a value of 2 only on Windows 2000 machines.

If you work in a mixed networking environment with Win2K and Windows NT 4.0 DCs, don't set the RestrictAnonymous subkey to a value of 2 on any participating DC, because doing so will break two-way trust relationships that involve NT 4.0 DCs. To correct this problem, set the subkey to a value of 0 or 1.

  1. Start regedit.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
  3. Double-click RestrictAnonymous.
  4. Set the value to 0 or 1, and click OK.
  5. Close the registry editor.
  6. Break and re-establish all trust relationships.
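
To find which DCs need the change before working through the steps above, the value can be read remotely from an administrative workstation. The following PowerShell script is an added example, not part of the original answer. It only reads the registry and changes nothing, and it assumes PowerShell 3.0 or later on the workstation. The host names are constructed placeholders, and the function name and output fields are hypothetical.

```powershell
# Added example: read-only audit of RestrictAnonymous across domain controllers.
# Host names below are constructed placeholders; replace them with your own DCs.
$DomainControllers = @('DC-W2K-01', 'DC-NT4-01')

# Meaning of each value, as described in the answer above.
$Meaning = @{
    0 = 'rely on default permissions'
    1 = 'no enumeration of SAM accounts and names'
    2 = 'no access without explicit anonymous permissions'
}

function Get-RestrictAnonymous {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $base = $null; $key = $null; $value = $null; $status = 'OK'
    try {
        # Needs the Remote Registry service on the target and administrative rights.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($null -eq $key) { $status = 'Lsa key not readable' }
        else {
            $value = $key.GetValue('RestrictAnonymous', $null)
            if ($null -eq $value) { $status = 'Value not present' }
        }
    }
    catch { $status = "Unreachable: $($_.Exception.Message)" }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }

    $known = ($value -is [int]) -and $Meaning.ContainsKey($value)
    $text  = if ($known) { $Meaning[$value] } else { 'n/a' }
    [pscustomobject]@{
        ComputerName      = $ComputerName
        RestrictAnonymous = $value
        Meaning           = $text
        # Per the answer above: 2 on any DC in a mixed Win2K/NT 4.0 domain breaks two-way trusts.
        ResetTo0Or1       = ($value -eq 2)
        Status            = $status
    }
}

$DomainControllers | ForEach-Object { Get-RestrictAnonymous -ComputerName $_ } |
    Format-Table -AutoSize
```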