The Security Configuration Wizard reduces the LMCompatibilityLevel value after you apply a security template on a Windows Server 2003-based computer (897618)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Web Edition
SYMPTOMS
The Security Configuration Wizard reduces the local area network (LAN) manager compatibility level (LMCompatibilityLevel) value after you apply a security template on a Microsoft Windows Server 2003-based computer where you previously configured the LMCompatibilityLevel value.

CAUSE
This issue occurs if the settings that you select on the Security Configuration Wizard indicate that the new LMCompatibilityLevel value must be lower than the existing LMCompatibilityLevel value for interoperability.

RESOLUTION
To resolve this issue, rerun the Security Configuration Wizard. Select the more-secure settings that correspond to the appropriate LMCompatibilityLevel value.

MORE INFORMATION
The Security Configuration Wizard prompts you with a series of questions to help you configure the highest possible value for some security options, based on the needs of the environment that you specify. If you specify that downlevel compatibility is required when you answer these questions, the Security Configuration Wizard reduces the existing LMCompatibilityLevel value setting. The particular Security Configuration Wizard options that affect the LMCompatibilityLevel value are on the Outbound Authentication using Domain Accounts page.
By default, the Clocks that are synchronized with the selected server's clock check box is not selected.

Note: Synchronization is required for NTLM version 2 (NTLMv2). Older systems do not use clock synchronization.

If you click to select the Clocks that are synchronized with the selected server's clock check box, the Security Configuration Wizard displays the Inbound Authentication Methods page when you click Next. By default, the downlevel compatibility mode check boxes are selected on the Inbound Authentication Methods page.

Note: The downlevel compatibility mode check boxes are the Computers that require LAN Manager authentication check box and the Computers that have not been configured to use NTLMv2 authentication check box.

If you do not change these default settings, the Security Configuration Wizard may reduce the LMCompatibilityLevel value. If the Security Configuration Wizard reduces the LMCompatibilityLevel value, the following conditions may occur:
- If you do not indicate that your environment has clock
synchronization, the LMCompatibilityLevel value is set to
2.
- If you indicate that your environment has clock
synchronization, and you click to select the Computers that require LAN
Manager authentication check box, the LMCompatibilityLevel value is
set to 3.
- If you indicate that your environment has clock
synchronization, and you click to select the Computers that have not
been configured to use NTLMv2 authentication check box, the
LMCompatibilityLevel value is set to 4.
- If you require clock synchronization, and you do not click
to select the Computers that require LAN Manager
authentication check box and the Computers that have not been
configured to use NTLMv2 authentication check box, the
LMCompatibilityLevel value is set to 5.

Note: An LMCompatibilityLevel value of 5 is the highest possible value.
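
The four cases above can be checked before the wizard is rerun. The following PowerShell is an added example, not part of the original article: it predicts the value the wizard will write from the three check box answers and compares it with the value currently configured. The function names, the registry path (the standard Windows location of this setting, which the article does not give), and the handling of both inbound check boxes being selected together are assumptions.

```powershell
# Added example (not from the article). Maps the wizard answers described
# above to the LMCompatibilityLevel value the article says the wizard writes.
function Get-ScwPredictedLmLevel {
    param(
        [bool]$ClocksSynchronized,  # "Clocks that are synchronized with the selected server's clock"
        [bool]$RequiresLanManager,  # "Computers that require LAN Manager authentication"
        [bool]$NotNtlmv2Configured  # "Computers that have not been configured to use NTLMv2 authentication"
    )
    if (-not $ClocksSynchronized) { return 2 }
    # Assumption: with both inbound boxes selected, the lower value (3) wins.
    if ($RequiresLanManager)  { return 3 }
    if ($NotNtlmv2Configured) { return 4 }
    return 5
}

# Compares the predicted value with the value currently configured.
function Test-ScwLmLevelReduction {
    param(
        [int]$CurrentLevel,
        [bool]$ClocksSynchronized,
        [bool]$RequiresLanManager,
        [bool]$NotNtlmv2Configured
    )
    $predicted = Get-ScwPredictedLmLevel -ClocksSynchronized $ClocksSynchronized `
        -RequiresLanManager $RequiresLanManager -NotNtlmv2Configured $NotNtlmv2Configured
    [pscustomobject]@{
        CurrentLevel   = $CurrentLevel
        PredictedLevel = $predicted
        WouldReduce    = ($predicted -lt $CurrentLevel)
    }
}

# Registry location of the setting (standard Windows path, assumed; the article does not give it).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$entry  = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
if ($null -eq $entry) {
    Write-Warning "LmCompatibilityLevel is not set explicitly under $lsaKey; nothing to compare."
} else {
    # Wizard defaults from the article: clock box cleared, both downlevel boxes selected.
    $result = Test-ScwLmLevelReduction -CurrentLevel $entry.LmCompatibilityLevel `
        -ClocksSynchronized $false -RequiresLanManager $true -NotNtlmv2Configured $true
    $result
    if ($result.WouldReduce) {
        Write-Warning ("Wizard defaults would lower LMCompatibilityLevel from {0} to {1}." -f $result.CurrentLevel, $result.PredictedLevel)
    }
}
```

Change the three answers in the last call to match the selections you plan to make in the wizard.
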
If the network only uses Microsoft Windows 2000, Microsoft
Windows XP, or Microsoft Windows Server 2003, indicate that your
environment uses clock synchronization. Also, click to clear the two
downlevel compatibility mode check boxes to obtain the highest
LMCompatibilityLevel value. The LMCompatibilityLevel value specifies
the authentication protocols that two computers that are running Windows
operating systems can use when they authenticate to each other.

REFERENCES
For more information about the LMCompatibilityLevel value
levels, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 5/10/2005
Keywords: KbSECTools kbtshoot kbprb KB897618 kbAudITPRO