From 20b62c3044f45f96d9b72ad73b13b1f398c2cc6c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 24 May 2017 10:37:44 -0700 Subject: [PATCH] added recommendation to set this on uplevel --- ...access-restrict-clients-allowed-to-make-remote-sam-calls.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index f17f0e4c58..6d55050b6b 100644 --- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -65,7 +65,8 @@ This policy setting controls a string that will contain the SDDL of the security HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam -On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. +On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. +To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. > [!NOTE] This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path.