This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. You can set this to yes if all domain members support aes. This will prevent downgrade attacks. This option takes precedence to the 'allow nt4 crypto' option. no