In a peer-to-peer workgroup, when you try to connect to the
network resources of a computer that is running any of the products listed at
the beginning of this article, you may receive one of the following error
Operating system error 71.
connections can be made to this remote computer at this time because there are
already as many connections as the computer can accept.
System error 71 has
This remote computer has reached its connection limit, you
cannot connect at this time.
This problem occurs when a computer reaches the maximum number of host connections that are allowed. In this case, when a NULL session connection is generated in the Microsoft Windows 2000 client, this NULL session connection is counted as one session on the Microsoft Windows XP-based server. Therefore, the error messages occur that are mentioned in this "Symptom" section, even if the number of connections to computers do not exceed the limit.
In addition, when multiple NULL sessions are generated from a single Windows 2000 client computer, the multiple NULL sessions are counted as multiple sessions. However, a NULL session appears as a single session when you run the net session
command. In this case, when the RestrictAnonymous registry entry is set, and the NULL session connection is rejected, this symptom still occurs. Notes
- For Windows XP Professional-based computers, the maximum number of concurrent network connections that are allowed is 10. This limit includes all transfer and all resource share protocols. For Windows XP Home Edition-based computers, the maximum number of concurrent network connections that are allowed is 5. This limit is the number of sessions that can be hosted at the same time from other computers. Therefore, we cannot use the administrative tool usage to connect to the system from a remote computer.
- When multiple NULL sessions are connected from a single computer, each one of them is counted.
- Only one IPC$ can be checked by using the net session command. For example, when a single Windows 2000-based computer tries to use multiple IPC$ sessions, only one single IPC$ session can be used at a time.
- RestrictAnonymous is not valid for this resolution.
A Windows client workstation may have opened a pipe
connection to the named pipe \PIPE\spoolss on either a print server or a
workstation that has a shared printer. This typically occurs when you start a
program (such as Microsoft Word) that queries printers, or if you open the
Printers folder in Control Panel. Printer spooling on both the client and the
server will open a handle related to this connection.
A Remote Procedure
Call (RPC) requires one named pipe instance for every active RPC call (like
OpenPrinter). If an OpenPrinter call stops responding, RPC keeps open the named
pipe connection. RPC does not disconnect this connection until the context
handle (that is OpenPrinters) has been closed.
If both the following
conditions are true, you may open an anonymous connection (also known as null session connection
) that never closes to the named pipe \PIPE\spoolss on the
workstation that acts as the server in your peer to peer network:
- Your client has connected a shared printer on the computer
that acts as a 'print server'.
- You have set up a local shared printer on one or more
Use one of the following methods to restrict null session
connections on your workstation that is acting as a print server. The preferred
method is the first one.
Disable null session connections on the Windows computer that
exceeds its incoming connection limit and shows some additional null session
connections either by using the Group Policy GUI or by setting a registry key.
Using the Group Policy User Interface (Local Security Policy MMC Snap-In)
- Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
Note If you cannot perform this step because Administrative Tools does not appear in the Program list, click Start, point to Settings, point to Control Panel, double-click Administrative Tools, and then click Local Security Policy.
Note In Windows XP, the RestrictAnonymous subkey can have a
value of 0 or 1. A value of 1 restricts null session connections on Windows
XP-based clients. For regulation of the enumeration of SAM accounts, the
following new registry subkey has been added:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam The policy is configurable via Local Security Settings under Security Settings\Local Policies\Security Options\Network Access: Do not allow anonymous enumeration of SAM accounts.
- In Security Settings, double-click Local Policies, and then click Security Options.
- Double-click Additional restrictions for anonymous
connections, and then under Local policy setting:,
click No access without explicit anonymous
- Restart the computer.
This policy restricts null session connections.
Using Registry EditorImportant
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To restrict null session connections (or disable
null session access):
- Start Registry Editor.
- Locate, and then click the following key in the registry:
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: RestrictAnonymous A value of 2 restricts null session
Data Type: REG_DWORD
To set the RestrictAnonymous value, change the registry key to 0 or 1 for Windows NT 4.0 or to
0, 1, or 2 for Windows 2000. These numbers correspond to the following
- 0 None. Rely on default permissions.
- 1 Do not allow enumeration of SAM accounts and
- 2 No access without explicit anonymous
- Restart the computer.
Use the following method to avoid null session connections that
have a high session idle time and that have opened a handle to the named pipe
Remove Printer Share on Clients
Identify clients that have local printer shares enabled (see the
"More Information" section for additional information) and remove all local
printer shares on these computers:
- Open the Printers folder to verify whether you have shared a local
- Open the Properties window of the shared printer, and then click Sharing.
- Click to select the Not Shared option.
has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.
Computers that run Windows NT Workstation 4.0, Windows 2000
Professional, and Windows XP Professional are licensed for a maximum of 10
concurrent client incoming sessions. Computers that run Windows XP Home Edition
are licensed for a maximum of 5 concurrent client incoming sessions. All
logical drive, logical printer, and transport level connections combined from a
single computer are one session.
If the server service already has
the maximum number of open sessions and one more user tries to allocate a
resource, the computer returns the error messages that are described in the
"Symptoms" section of this article.
Typically a computer does not
have multiple sessions to another computer. But there are exceptions. For
example, computer A is running a service under another user context than the
logged-on user, and that service creates a logical connection to computer B.
The logical connection can result from file shares, printers, serial ports, and
also from communication between computers using named pipes and mail
Use the following commands to get information about sessions
and open files and shared resources.
Information About Active Sessions on the Computer That Is Running the Server Service
To receive information about active sessions on the computer that
is running the server service, type the following command:
Count the number of open sessions to see if the session limit of
10, or 5 in the case of Windows XP Home Edition, is already reached. Typically
there is only one session per remote client.
If there is more than
one session from a remote client, view the User name
context on the remote client that has set up more than one
- View all the services that are running, and find out if one
is running under the user context of the username shown in the session
- Look for scheduled tasks that are running in a logon script
and are using a different user account then the one logging in.
- Look for rows where the User name column
is empty and examine the idle time.
A session that has an empty user context is a null session
Temporary null sessions are usually caused by IPC$
connections as the first step in establishing a connection. They stay active
for 30 seconds to 90 seconds.Note
To disconnect client computer sessions, use the following
net session /delete \\computername
This command disconnects all sessions from that computer and
closes all open files. This command may cause data loss if open files that have
not been saved are closed.
Information About Open Files
To receive information about open files, on the computer that is
running the server service, type the following command:
If you have seen permanent null user sessions in the session
table, determine which file or pipe the null user is using.
Information About NetBIOS Connection Table
To see a listing of incoming and outgoing connections and the
amount of traffic carried on these connections, type the command:
Information About Shared Resources
To see file shares, hidden administrative shares and shared
printers, type the following command:
You may have to perform further troubleshooting to determine the
causes for multiple client sessions.
Use Network Monitor to find out
which component initiates an additional session and what security context is
used for the Server Message Block (SMB) session.
To filter the traffic that printer spooling causes, use the
R_WINSPOOL parser in Network Monitor. If a Windows-based computer looks for
computers that are acting as a Print Queue Server, it uses NetShareEnum
transactions through the RemAPI protocol (also known as the Microsoft Windows Lanman Remote API Protocol
By default, when you use a NetShareEnum transaction, you
require only anonymous access to make NetServerEnum2 and NetServerEnum3
requests. By default, Windows operating systems have anonymous access
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Inbound connections limit in
System account and null sessions in Windows NT
information available to anonymous logon users
Error 71 and License Manager
open many \Pipe\Spoolss connections to WinNT print server
when using NT Server from MSDN Select CD
connections can be made at this time" error message
How to use
the RestrictAnonymous registry value in Windows 2000
enable null session shares on a Windows 2000-based computer
2000 clients use multiple connections when mapping drives to a single
connections limit in Windows XP