Microsoft KB Archive/897618

= The Security Configuration Wizard reduces the LMCompatibilityLevel value after you apply a security template on a Windows Server 2003-based computer =

Article ID: 897618

Article Last Modified on 12/28/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition




SYMPTOMS
The Security Configuration Wizard reduces the local area network (LAN) manager compatibility level (LMCompatibilityLevel) value after you apply a security template on a Microsoft Windows Server 2003-based computer where you previously configured the LMCompatibilityLevel value.



CAUSE
This issue occurs if the settings that you select on the Security Configuration Wizard indicate that the new LMCompatibilityLevel value must be lower than the existing LMCompatibilityLevel value for interoperability.



RESOLUTION
To resolve this issue, rerun the Security Configuration Wizard. Select the more-secure settings that correspond to the appropriate LMCompatibilityLevel value.



MORE INFORMATION
The Security Configuration Wizard prompts you with a series of questions to help you configure the highest possible value for some security options, based on the needs of the environment that you specify. If you specify that downlevel compatibility is required when you answer these questions, the Security Configuration Wizard reduces the existing LMCompatibilityLevel value setting.

The particular Security Configuration Wizard options that affect the LMCompatibilityLevel value are on the Outbound Authentication using Domain Accounts page. By default, the Clocks that are synchronized with the selected server's clock check box is not selected.

Note Synchronization is required for NTLM version 2 (NTLMv2). Older systems do not use clock synchronization.

If you click to select the Clocks that are synchronized with the selected server's clock check box, the Security Configuration Wizard displays the Inbound Authentication Methods page when you click Next. By default, the downlevel compatibility mode check boxes are selected on the Inbound Authentication Methods page.

Note The downlevel compatibility mode check boxes are the Computers that require LAN Manager authentication check box and the Computers that have not been configured to use NTLMv2 authentication check box.

If you do not change these default settings, the Security Configuration Wizard may reduce the LMCompatibilityLevel value. If the Security Configuration Wizard reduces the LMCompatibilityLevel value, the following conditions may occur:
 * If you do not indicate that your environment has clock synchronization, the LMCompatibilityLevel value is set to 2.
 * If you indicate that your environment has clock synchronization, and you click to select the Computers that require LAN Manager authentication check box, the LMCompatibilityLevel value is set to 3.
 * If you indicate that your environment has clock synchronization, and you click to select the Computers that have not been configured to use NTLMv2 authentication check box, the LMCompatibilityLevel value is set to 4.
 * If you indicate that your environment has clock synchronization, and you do not click to select the Computers that require LAN Manager authentication check box or the Computers that have not been configured to use NTLMv2 authentication check box, the LMCompatibilityLevel value is set to 5.

Note An LMCompatibilityLevel value of 5 is the highest possible value.

If the network only uses Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003, indicate that your environment uses clock synchronization. Also, click to clear the two downlevel compatibility mode check boxes to obtain the highest LMCompatibilityLevel value.
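As an added illustration that is not part of this article or of the Security Configuration Wizard, the following PowerShell predicts the LMCompatibilityLevel value that the wizard answers listed above will produce and compares it with the value currently stored in the registry, so that a pending downgrade is visible before the policy is applied. The function names and the rule for when both downlevel check boxes are selected are assumptions; the registry location is the standard LSA key.

```powershell
# Constructed example; not code from KB 897618 or from the Security Configuration Wizard.
# Maps the four answer combinations described in the article to the resulting
# LMCompatibilityLevel and compares that with HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# Assumption: if both downlevel check boxes are selected, the wizard settles on the
# lower level (3), because LAN Manager clients cannot use a higher one.

function Get-ScwPredictedLmLevel {
    param(
        [switch]$ClocksSynchronized,       # "Clocks that are synchronized with the selected server's clock"
        [switch]$RequireLanManager,        # "Computers that require LAN Manager authentication"
        [switch]$NotConfiguredForNtlmv2    # "Computers that have not been configured to use NTLMv2 authentication"
    )
    if (-not $ClocksSynchronized) { return 2 }   # NTLMv2 needs clock sync, so it is ruled out
    if ($RequireLanManager)       { return 3 }   # LAN Manager clients must still be served
    if ($NotConfiguredForNtlmv2)  { return 4 }   # NTLM (v1) clients must still be served
    return 5                                     # NTLMv2 only: the highest level
}

function Get-CurrentLmLevel {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }        # value not explicitly set on this host
    return [int]$prop.LmCompatibilityLevel
}

function Test-ScwLmDowngrade {
    param([switch]$ClocksSynchronized, [switch]$RequireLanManager, [switch]$NotConfiguredForNtlmv2)
    $predicted = Get-ScwPredictedLmLevel -ClocksSynchronized:$ClocksSynchronized `
                                         -RequireLanManager:$RequireLanManager `
                                         -NotConfiguredForNtlmv2:$NotConfiguredForNtlmv2
    $current = Get-CurrentLmLevel
    if ($null -eq $current) {
        Write-Host "LmCompatibilityLevel is not set; the wizard would write $predicted."
        return $true
    }
    if ($predicted -lt $current) {
        Write-Warning "Wizard answers would lower LmCompatibilityLevel from $current to $predicted; rerun the wizard with the downlevel compatibility check boxes cleared."
        return $false
    }
    Write-Host "Current level is $current; the wizard would set $predicted (no downgrade)."
    return $true
}

# Wizard defaults from the article: clock sync selected, both downlevel boxes left selected.
Test-ScwLmDowngrade -ClocksSynchronized -RequireLanManager -NotConfiguredForNtlmv2
```

Run it on the server before applying the template; a `$false` result means the answers you chose would lower the existing value.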

The LMCompatibilityLevel value specifies the authentication protocols that two computers that are running Windows operating systems can use when they authenticate to each other.

