FIX: LmCompatibilityLevel value changes back to "2" on Domain Controller.
If, after changing the 'LmCompatibilityLevel' value to "3", "4" or "5", it automatically reverts to "2", then read the instructions in this tutorial to fix the problem.
I recently changed the default domain policy "Network security: LAN Manager authentication level"* (aka: "LmCompatibilityLevel") from "Send LM & NTLM responses" to "Send NTLMv2 response only. Refuse LM & NTLM".
But, after applying the policy (using the "gpupdate /force" command), I realized that the policy on the Domain Controller(s) changes back to "Send LM & NTLM responses" (LmCompatibilityLevel="2").
* Info: The "LAN Manager Authentication Level" (aka "LmCompatibilityLevel") defines the protocol to be used to authenticate Windows computers to an Active Directory domain or to authenticate computers that don't run Windows operating systems with the domain.
In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2).
The "LAN Manager Authentication Level" can be changed by using one of the following ways:
1. Using the Local Group Policy Editor (gpedit.msc) in this location:
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options > Network Security: LAN Manager Authentication Level
2. Using the Domain Server's Group Policy Management console (gpmc.msc) by modifying the Default Domain Policy in this location:
- Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options > Network Security: LAN Manager Authentication Level
3. Through the Registry at this location:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
The possible LAN Manager authentication level (aka: "LmCompatibilityLevel") registry values are listed below, along with the level of security each one provides (source):
- 0 = Send LM & NTLM responses (Very insecure)
- 1 = Send LM & NTLM – use NTLMv2 session security if negotiated (Insecure)
- 2 = Send NTLM response only (Weak security)
- 3 = Send NTLMv2 response only (Moderate security)
- 4 = Send NTLMv2 response only. Refuse LM (Strong security)
- 5 = Send NTLMv2 response only. Refuse LM & NTLM (Very strong security – BEST)
How to FIX: The "LAN Manager authentication level" automatically reverts back to "Send LM & NTLM responses" on DOMAIN CONTROLLER (Windows Server 2016/2019).
As mentioned above, the "Network security: LAN Manager authentication level" can be specified either by modifying the Local Group Policy, the Registry, or the Default Domain Policy.
But, if you want to change the "Network security: LAN Manager authentication level" policy on a Domain Controller, you have to modify the "Default Domain Controllers Policy" and NOT the "Default Domain Policy"; otherwise the level will revert back to the default value ("Send LM & NTLM responses" or "LmCompatibilityLevel: 2"). To do that:
1. In Group Policy Management console (gpmc.msc), under Domains > YOURDOMAIN, expand Domain Controllers and then Edit the Default Domain Controllers Policy.
2a. Now navigate to this location:
- Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
2b. Open the "Network Security: LAN Manager Authentication Level" policy.
3. Select "Define this policy setting" and then choose the NTLM authentication level you need from the drop-down list below it. When done, click Apply > OK and close the Group Policy Management console.
4. Finally run "gpupdate /force" to apply the policy and you're done!
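To confirm that the new level actually stuck on every Domain Controller (and did not revert to "2"), the following PowerShell script reads the LmCompatibilityLevel registry value from each DC and compares it with the level you chose. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory RSAT module is installed and that you can run remote commands on the DCs, and the $DesiredLevel parameter is an assumed name.

```powershell
# Added example (not from the original post): verify the effective LmCompatibilityLevel
# on every Domain Controller after the Default Domain Controllers Policy has been applied.
# Assumes: ActiveDirectory module available, WinRM access to the DCs.
# $DesiredLevel is an assumed parameter; the level-to-name table is the one listed in the post.
param(
    [ValidateRange(0, 5)]
    [int]$DesiredLevel = 5
)

Import-Module ActiveDirectory

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Same key as the tutorial's registry location, written as a PowerShell drive path.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$Results = Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
    param($Path)
    # The value is absent when neither a policy nor a manual edit has ever defined it;
    # Windows then falls back to its built-in default, so report it as "not set".
    $item = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Level    = if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }
    }
} -ArgumentList $RegPath

foreach ($r in $Results) {
    $name   = if ($null -ne $r.Level) { $LevelNames[$r.Level] } else { 'not set (OS default)' }
    $status = if ($null -ne $r.Level -and $r.Level -ge $DesiredLevel) { 'OK' } else { 'BELOW DESIRED' }
    '{0,-20} level={1} ({2}) -> {3}' -f $r.Computer, $r.Level, $name, $status
}
```

Run it right after "gpupdate /force" on the DCs; any DC still reporting "BELOW DESIRED" is the one where the setting was defined in the wrong GPO.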
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
Why does the 'LmCompatibilityLevel' value revert to '2' after I change it?
If the 'LmCompatibilityLevel' value reverts to '2', it's likely because the change was made in the Default Domain Policy instead of the Default Domain Controllers Policy. To ensure the change sticks, modify the 'Default Domain Controllers Policy' directly.
How do I change the 'LAN Manager Authentication Level' on a Domain Controller?
To change the 'LAN Manager Authentication Level' on a Domain Controller, use the Group Policy Management Console. Navigate to Domains > YOURDOMAIN > Domain Controllers, then edit the Default Domain Controllers Policy under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
What are the possible values for 'LmCompatibilityLevel' and their security implications?
The 'LmCompatibilityLevel' has six possible values: 0 = Send LM & NTLM responses (Very insecure), 1 = Send LM & NTLM – use NTLMv2 session security if negotiated (Insecure), 2 = Send NTLM response only (Weak security), 3 = Send NTLMv2 response only (Moderate security), 4 = Send NTLMv2 response only. Refuse LM (Strong security), 5 = Send NTLMv2 response only. Refuse LM & NTLM (Very strong security – BEST).
How do I apply changes made to the 'LAN Manager Authentication Level'?
Once you have configured the 'LAN Manager Authentication Level' to your desired setting, run 'gpupdate /force' to apply the changes immediately.