應用程式/解決方案‎ > ‎雜記‎ > ‎專題‎ > ‎應用‎ > ‎

使Windows區域網路(網路芳鄰)相容WindowsXP


步驟1. 修改 HKLM\SYSTEM\CurrentControlSet\Control\Lsa 登錄值 LmCompatibilityLevel 為 1 (DWORD)
步驟2. 重新開機
大部分說明都漏了重新開機這一點(另外還有IPsec的原則問題須注意,可參考挖礦程序與網芳設置),
然後因為沒效果就亂改很多不相干的部分, 很多網芳的設定都是胡說八道的,
其實真的只需改 LmCompatibilityLevel 為 1 就可以了! 其他網芳概念都與XP相同

反過來說也可以修改XP來相容其他的Windows, 一樣把 LmCompatibilityLevel 修改為 1(記得重新開機),
如XP修改後無效,可檢查是否有安裝KB922120:連結層拓撲探索 (LLTD) 回應程式(微軟已不提供XP服務,請自行Google)
不過觀察Win10和WinXP一樣, 預設都沒有LmCompatibilityLevel這個鍵值, 那麼都是預設值為 0 (使用 LM and NTLM 拒絕 NTLMv2),
所以相對有問題的反而Win7和Vista, 因此以往後的相容性來看, 調整Win7和Vista比較妥當

透過介面(若有)修改的方式, 以Win7為例
執行 gpedit.msc 或 secpol.msc
或於 控制台|系統管理工具|本機安全性原則 中進行修改, 如圖中內容


資料來源
http://technet.microsoft.com/zh-tw/library/cc960646.aspx

LmCompatibilityLevel

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Data type

Range

Default value

REG_DWORD

0–5

0

Description

Specifies the mode of authentication and session security to be used for network logons.

Value

Meaning

0

Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1

Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2

Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.

3

Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4

Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.

5

Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

Activation method

You must restart Windows to make changes to this entry effective.

Note Image Note

To set a client running Windows NT Service Pack 4 to level 3 security or higher, the domain controllers for the user's account domains must already be upgraded to Service Pack 4.

For more information about operating-system interoperability and session security settings , see the Microsoft Knowledge Base link on the Web Resources page. Search the Knowledge Base for Article Q147706 or for the keywords LM authentication.

For more information about Windows 2000 security, see the Windows 2000 Server Resource Kit Distributed Systems Guide.

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Tip Image Tip

System times should be within 30 minutes of each other. Otherwise, authentication can fail because the server might interpret the challenge from the client as having expired.




註解