The Security Configuration Wizard prompts you with a series
of questions to help you configure the highest possible value for some security
options, based on the needs of the environment that you specify. If you specify
that downlevel compatibility is required when you answer these questions, the
Security Configuration Wizard reduces the existing LMCompatibilityLevel value
setting.
The particular Security Configuration Wizard options that affect the
LMCompatibilityLevel value are on the Outbound Authentication using Domain
Accounts page. By default, the Clocks that are synchronized with the selected
server's clock check box is not selected.
Note: Synchronization is required for NTLM version 2 (NTLMv2). Older
systems do not use clock synchronization.
If you click to select the Clocks that are synchronized with the selected
server's clock check box, the Security Configuration Wizard displays the
Inbound Authentication Methods page when you click Next. By default, the
downlevel compatibility mode check boxes are selected on the Inbound
Authentication Methods page.
Note: The downlevel compatibility mode check boxes are the Computers that
require LAN Manager authentication check box and the Computers that have not
been configured to use NTLMv2 authentication check box.
If you do not change these default
settings, the Security Configuration Wizard may reduce the LMCompatibilityLevel
value. If the Security Configuration Wizard reduces the LMCompatibilityLevel
value, the following conditions may occur:
- If you do not indicate that your environment has clock
synchronization, the LMCompatibilityLevel value is set to 2.
- If you indicate that your environment has clock
synchronization, and you click to select the Computers that require LAN
Manager authentication check box, the LMCompatibilityLevel value is
set to 3.
- If you indicate that your environment has clock
synchronization, and you click to select the Computers that have not
been configured to use NTLMv2 authentication check box, the
LMCompatibilityLevel value is set to 4.
- If you require clock synchronization, and you do not click
to select the Computers that require LAN Manager
authentication check box and the Computers that have not been
configured to use NTLMv2 authentication check box, the
LMCompatibilityLevel value is set to 5.
Note: An LMCompatibilityLevel value of 5 is the highest possible
value.
If the network only uses Microsoft Windows 2000, Microsoft
Windows XP, or Microsoft Windows Server 2003, indicate that your environment
uses clock synchronization. Also, click to clear the two downlevel
compatibility mode check boxes to obtain the highest LMCompatibilityLevel
value.
The LMCompatibilityLevel value specifies the authentication
protocols that two computers that are running Windows operating systems can use
when they authenticate to each other.
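
The following PowerShell is an added example, not part of the original article and not Microsoft's code. It models the four outcomes listed above and compares the value currently configured on a computer with a level recorded before the wizard's policy was applied. The registry location is the standard one for this setting and is not given on this page; the function names, the baseline value, and the rule that the LAN Manager check box takes precedence when both downlevel check boxes are selected are assumptions.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.

# Models the four outcomes listed in the article.
function Get-ScwExpectedLmLevel {
    param(
        [bool]$ClockSync,
        [bool]$RequiresLanManager,
        [bool]$NotConfiguredForNtlmV2
    )
    if (-not $ClockSync) { return 2 }
    # Assumption: if both downlevel boxes are selected, the lower value applies.
    if ($RequiresLanManager) { return 3 }
    if ($NotConfiguredForNtlmV2) { return 4 }
    return 5
}

# Reads the configured value; returns $null when the value is not set.
function Get-LmCompatibilityLevel {
    # Standard location for this setting; the article does not state it.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.LmCompatibilityLevel
}

# Compares a recorded baseline with the current value and the modelled outcome.
function Test-LmLevelAfterScw {
    param([int]$Baseline, [int]$Expected, $Current)
    if ($null -eq $Current) {
        $status = 'NotSet'          # no explicit value; the OS default applies
    } elseif ($Current -lt $Baseline) {
        $status = 'Reduced'         # the condition the article describes
    } elseif ($Current -gt $Baseline) {
        $status = 'Raised'
    } else {
        $status = 'Unchanged'
    }
    [pscustomobject]@{
        Baseline           = $Baseline
        Expected           = $Expected
        Current            = $Current
        Status             = $status
        MatchesWizardModel = ($Current -eq $Expected)
    }
}

$baseline = 5   # constructed: level recorded before the wizard's policy was applied
$expected = Get-ScwExpectedLmLevel -ClockSync $true -RequiresLanManager $true -NotConfiguredForNtlmV2 $true
Test-LmLevelAfterScw -Baseline $baseline -Expected $expected -Current (Get-LmCompatibilityLevel)
```

A Status of Reduced together with MatchesWizardModel set to True indicates that the drop is consistent with the wizard answers passed to Get-ScwExpectedLmLevel.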