I want to change the registry setting for restrictanonymous to "2" (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous). I created a script to do this but noticed the setting kept on going back to "1". Found out that there is a GPO in our organization that is setting "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to Enabled. This would allow the setting to be "1".
I have looked everywhere and the only thing I can find that changes this to 2 is another GPO called "Select \Security Settings\Local Policies\Additional restrictions for anonymous connections\"... but this does not exist in Windows Server 2008 GPO (nor 2012)...
I know that the current setting of "1" is far from fine, but we have been pretty much forced by security to set this to "2". Is there any way of setting this in GPO to "2"? The existing GPO only sets it to "1" when enabled.
What makes matters worse is that it is a default domain policy, i.e. the highest policy, and our organization is huge, so I doubt I can ever get that changed. I want to apply this to all servers (talking about thousands of them).
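An added audit script (not part of the question) that reports which servers currently hold a value other than 2 in the RestrictAnonymous key discussed above, so drift back to 1 under the domain policy can be spotted; it assumes PowerShell remoting is enabled on the targets and uses constructed server names:

```powershell
# Added example, not from the original post. Assumes WinRM/PowerShell remoting
# is enabled and that the caller has admin rights on the listed servers.
$servers  = @('srv01', 'srv02')   # constructed placeholder names; replace with your list
$expected = 2                     # value security requires

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name RestrictAnonymous -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RestrictAnonymous = $lsa.RestrictAnonymous   # $null if the value is absent
    }
}

# Servers that were reachable but hold a value other than the expected 2
$drifted = $results | Where-Object { $_.RestrictAnonymous -ne $expected }
$drifted | Format-Table Computer, RestrictAnonymous -AutoSize

# Servers that returned nothing (unreachable or remoting disabled) are reported separately
$servers | Where-Object { $_ -notin $results.Computer } |
    ForEach-Object { Write-Warning "No result from $_" }
```

On a server that keeps reverting, `gpresult /h report.html` shows which policy object is winning for the "Network access" security setting.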