How to Enable the Guests Group in the Windows Server 2003 Baseline Security Policy

After applying the Windows Server 2003 security policies, you need to configure one privilege right to enable Outlook Web Access. Both the Outlook Web Access and public folders administration UI require that the Guests network logon be enabled. The Windows Server 2003 security policy sets the "Deny network logon" value to deny ANONYMOUS LOGON and the Guests group. The most efficient way to configure the "Deny network logon" is to apply a group policy that denies only ANONYMOUS LOGON.

Before You Begin

If you deploy the Exchange 2003 Group Policy Security Templates, then the Exchange 2003 Backend.inf file sets this value correctly.

If you are not deploying the Exchange 2003 Group Policy Security Templates, then you can edit the existing Windows Server 2003 security policy.

It is highly recommended that you review Security-Hardening Exchange 2003 Servers before implementing the following procedure.

Procedure

To enable the Guests group in the Windows Server 2003 Baseline Security Policy

1. In Active Directory Users and Computers, right-click the organizational unit that contains both the Windows Server 2003 Baseline Security Policy Exchange servers, and then click Properties.

2. In <Organizational Unit> Properties, on the Group Policy tab, select the Windows Server 2003 Baseline Security Policy, and then click Edit. The Group Policy Object Editor opens.

3. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

4. In the details pane, double-click the Deny access to this computer from the network policy.

5. In Deny access to this computer from the network Properties, select Guests, and then click Remove.

6. Click Apply, and then click OK.