Ldap – Disabling LDAP Signing on Windows PDC in Local Policy

Tags: ldap, windows-server-2008

I just tripped over my own feet it seems.

Playing around on a Windows 2008 R2 server (set up as a domain controller), I was intrigued by a certain warning event (event ID 2886) which says:

"To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds."

So I thoughtlessly did some Googling and set the relevant policies which enforce LDAP signing. Now I don't remember, but I may have done that using Local Policy.

Now I have set up a pfSense box which must authenticate AD users via LDAP. While the firewall can communicate over a secure channel, it is difficult to manage the same for other packages such as Squid and SquidGuard. So now I have to disable, i.e. undo, those policy changes.

The problem is that they are greyed out!

The policies in question are LDAP server signing and LDAP client signing. I don't remember what I did, but when I access these policies from the Local Policy editor on the server, they are set to "Require Signing" and are greyed out. The same policies can still be set via the Default Domain Controller option in the Group Policy editor.

So how can I reset these greyed out policies?

Thanks

Update:

I edited registry:

Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Right-click the LDAPServerIntegrity registry entry, and then click Modify. Change Value data to 1 (it was 2), and then click OK.

The "Domain controller: LDAP server signing requirements" in local policy is now set to "none". Earlier the value was "Require Signing". However, it is still greyed out. Why it is greyed out…I don't understand.

The pfSense box could now authenticate users via LDAP, but after a system restart the policy was again reset to "Require Signing".

So... the problem persists.

Best Answer

I know that this is a quite old question, but since I stumbled over this again I wanted to share my experience.

I also had the problem that the settings for "Domain controller: LDAP server signing requirements" were greyed out. It turned out that I used the wrong snap-in for mmc.exe. You'll have to use the Group Policy Management Editor, as shown here. When adding the snap-in, go to Browse and add the object Default Domain Controllers Policy from your Domain Controllers node. After that you should be able to edit the mentioned settings, as shown here. Please also note the different icon in front of the setting when compared to the Local Computer Policy settings, where the settings for LDAP signing are greyed out (shown here).

Also there is a great blog post which helped me a lot.
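An added PowerShell check, not from the question or the answer above, that shows why the registry edit did not stick: it reads the effective LDAPServerIntegrity value on the DC and compares it with what the Default Domain Controllers Policy security template (GptTmpl.inf in SYSVOL) re-applies at every policy refresh or restart. It assumes it runs on the domain controller with SYSVOL reachable, and only inspects that one GPO (the well-known GUID below is the Default Domain Controllers Policy); a setting coming from another linked GPO would not be reported.

```powershell
# Added audit example (not the page's own procedure). Run on the DC in an elevated prompt.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$regValue = 'LDAPServerIntegrity'
$meaning  = @{ 1 = 'None'; 2 = 'Require signing' }

# 1. Effective value on this DC: this is what LDAP clients such as pfSense actually hit.
$current = (Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction SilentlyContinue).$regValue
if ($null -eq $current) { $current = 1 }   # a missing value behaves like "None"
"Effective $regValue on this DC = $current ($($meaning[[int]$current]))"

# 2. Value defined in the Default Domain Controllers Policy security template.
#    Security Options are stored in GptTmpl.inf, not as plain registry policy,
#    so Get-GPRegistryValue would not find them; parse the template instead.
$ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known Default Domain Controllers Policy GUID
$domain   = $env:USERDNSDOMAIN                          # assumption: run as a domain account on the DC
$inf      = Join-Path "\\$domain\SYSVOL\$domain\Policies\$ddcpGuid" 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

$policyValue = $null
if (Test-Path -Path $inf) {
    $content = Get-Content -Path $inf -Raw
    # Template line format: MACHINE\...\NTDS\Parameters\LDAPServerIntegrity=4,<value>  (4 = REG_DWORD)
    $m = [regex]::Match($content, 'LDAPServerIntegrity\s*=\s*4,(\d+)')
    if ($m.Success) { $policyValue = [int]$m.Groups[1].Value }
}

# 3. Report which side wins. A value set by the GPO is re-applied on refresh/restart,
#    which is why editing the registry (or Local Policy, shown greyed out) does not hold.
if ($null -ne $policyValue) {
    "Default Domain Controllers Policy defines $regValue = $policyValue ($($meaning[$policyValue]))"
    if ($policyValue -ne $current) {
        'Registry and GPO disagree: the GPO value will be re-applied at the next policy refresh or restart.'
        'Change the setting in the Default Domain Controllers Policy (Group Policy Management Editor) instead.'
    }
} else {
    'Default Domain Controllers Policy does not define this setting; the registry value stands and Local Policy is editable.'
}
```

After changing the GPO, `gpupdate /force` on the DC applies it without waiting for the next refresh.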