What is the easiest and safest way to detect if NTLMv1 is being used before disabling it?


Max Coder

Jan 17, 2025, 9:14:50 AM
to ntsysadmin
Hi,


Environment has around 500 servers, most 2016 R2 and some 2022. We have around 2,000 workstations, with most being W10, 11.

My questions are:


1 - Is an order like the one below correct?

- First, client computers
- Then member servers
- Finally, domain controllers

Workflow:
- First, create a test GPO (Send NTLMv2 response only) and deploy it to test client devices. Then watch it for a while and, if no problems are found, deploy it to other computer objects.

- Then deploy the GPO to test servers. Then watch it for a while and, if no problems are found, deploy it to other server objects.

- Finally, on the default domain controller policy, set the "Send NTLMv2 response only. Refuse LM & NTLM" policy.

What kind of a road map should I follow?


2 - I have an NTLMv1 log record for a Windows Server 2019 OS named srv1 on the DC. AFAIK, 2019 OS supports NTLMv2. Why is the NTLMv1 log record coming here? What needs to be looked at here on the server?

Event ID 4624 on DC

timeCreated : 1/17/2025 10:30:03AM
Account Name : srv01$
Account Domain : contoso
Logon Type : 3
Workstation Name : srv01
Source Network Address : x.x.x.x
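
An added example, not part of the original post: one way to inventory NTLMv1 logons from the Event ID 4624 records on a DC before tightening the GPO, grouped by the same fields shown in the record above. It assumes logon success auditing is enabled on the DC; the `-ComputerName` and `-Days` parameter names are this example's own.

```powershell
# Added example: summarise NTLMv1 network logons recorded on a domain controller.
# Assumption: logon success auditing is on, so 4624 events exist in the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to query (example parameter)
    [int]$Days = 7                              # look-back window (example parameter)
)

$ms = [int64]$Days * 24 * 60 * 60 * 1000

# 4624 stores the NTLM version in the LmPackageName data field
# (shown as "Package Name (NTLM only)" in Event Viewer).
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= ${ms}]]] " +
         "and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the EventData name/value pairs into a lookup table.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress
    }
}

# One line per distinct account / workstation / source address, busiest first.
$rows |
    Group-Object Account, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it against each DC, since 4624 is logged only on the DC that handled the authentication.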