LaaksoM

Q: SMB file share not accessible from tightly configured (NTLM) Windows 7 machines

We are running an OS X El Capitan 10.11.3 with Server 5.0.15 software. We have numerous SMB/AFP shares on the server that can be accessed with Windows 7 machines in default configuration. However, there is a group of centrally controlled Win7 clients that have a tighter NTLM authentication configuration which cannot be changed in any way. If these clients try to connect to SMB shares, they get the following error message:

NetworkError.png

I have pinpointed the problem in two Windows client registry settings. These can be accessed with the secpol.msc program in Windows and are found in the tree from Local Policies/Security option. The two registry keys are named:

1) Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
2) Network security: LAN Manager authentication level

These keys have the following values in the centrally controlled Win7 clients:

1) Require NTLMv2 session security: tick box selected, and Require 128-bit encryption: tick box selected
2) Send NTLMv2 response only. Refuse LM & NTLM

If these values are set on a Win7 computer in default configuration which could previously access the shares, the error message is replicated. If one deselects the tick box in 1) Require NTLMv2 session security, everything works fine.


On a further note, both Win7 clients in default configuration and centrally controlled Win7 clients with stricter configuration can access an older Mac OS X Server 10.5.8 with no problems. On this older server, NTLMv2 & Kerberos authentication and NTLM authentication are allowed but LAN Manager is not allowed.

 

Changing the Windows client settings on the centrally controlled computers is not an option. Is there some way to configure the server to make this work? I am happy to provide log files and any additional information necessary.

Mac mini, OS X El Capitan (10.11.3)

Posted on Feb 23, 2016 6:21 AM
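
An added example, not part of the original post: a PowerShell check that reads the two policies named in the question from a Windows client's registry and reports whether the client matches the strict configuration described. The post names only the policies; the registry locations used here (`LmCompatibilityLevel` under `Lsa` and `NtlmMinClientSec` under `Lsa\MSV1_0`) are the standard values backing those policies.

```powershell
# Added example: report the two NTLM client policies from the post as stored in the registry.
# The registry paths below are not given in the post; they are the standard backing values.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: LAN Manager authentication level" options by stored value.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
# The two tick boxes of "Minimum session security for NTLM SSP based clients".
$secFlags = @(
    @{ Bit = 0x00080000; Name = 'Require NTLMv2 session security' }
    @{ Bit = 0x20000000; Name = 'Require 128-bit encryption' }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (policy not explicitly set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$level  = Get-RegDword $lsaKey 'LmCompatibilityLevel'
$minSec = Get-RegDword $msvKey 'NtlmMinClientSec'

if ($null -eq $level) { 'LAN Manager authentication level: not set (OS default applies)' }
else { "LAN Manager authentication level: $level = $($lmLevels[$level])" }

if ($null -eq $minSec) { 'Minimum session security (clients): not set (OS default applies)' }
else {
    'Minimum session security (clients): 0x{0:X8}' -f $minSec
    foreach ($f in $secFlags) {
        $state = if ($minSec -band $f.Bit) { 'selected' } else { 'not selected' }
        '  [{0}] {1}' -f $state, $f.Name
    }
}

# The strict client configuration described in the post: level 5 with both tick boxes selected.
$strict = ($level -eq 5) -and (($minSec -band 0x00080000) -ne 0) -and (($minSec -band 0x20000000) -ne 0)
"Matches the strict configuration from the post: $strict"
```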
