I have seen some unusual issues when trying to access the SYSVOL and NETLOGON folders in the domain from Windows 10/Windows Server 2016. When I tried to access the domain by the UNC path
or by the domain controller IP address
\\192.168.100.10\Netlogon, an 'Access is denied' error appeared together with the Windows Security prompt asking for user credentials to access the folder. After entering valid domain user or even domain administrator credentials, the folders still didn't open.
Meanwhile, the same Sysvol/Netlogon folder opens normally (without a password prompt) if you specify the domain controller host name or FQDN:
\\be-dc1.domain.com\sysvol or just
Also, the same problem may occur on domain computers. You can find errors with EventID 1058 in the Event Viewer logs:
The processing of Group Policy failed. Windows attempted to read the file \\domain.com\sysvol\domain.cpo\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.
This is related to a newer Windows security feature that protects domain computers from running code (executables) and reading policy configuration files from untrusted sources: UNC hardening. Windows 10/Windows Server 2016 security settings require that the following security levels are used to access UNC directories with enhanced security (the SYSVOL and NETLOGON shared folders):
- Mutual authentication of the server and the client. Kerberos is used for authentication. ( is not supported.) This is why you can't access the SYSVOL and NETLOGON shares on a domain controller by its IP address. By default,
- Integrity is the SMB signing check. It ensures that data in an SMB session has not been modified in transit. SMB signing is supported in SMB 2.0 or higher ( does not support SMB session signing). The default value is
- Privacy is related to . It is supported starting from SMB v3.0 (Windows 8/Windows Server 2012 or newer). The default value is
If you have any computers or domain controllers running legacy Windows versions (Windows 7/Windows Server 2008 R2 or earlier) on your network, don't use the RequirePrivacy=1 option. Otherwise, the legacy clients won't be able to access network shared folders on the domain controllers.
Originally, these changes were introduced in Windows 10 in 2015 as part of the security updates MS15-011 and MS15-014. They changed the Multiple UNC Provider (MUP) algorithm, which now uses special rules to access the critical folders on the domain controllers: \\*\SYSVOL and \\*\NETLOGON.
Hardened UNC paths are disabled by default on Windows 7 and Windows 8.1.
To access SYSVOL and NETLOGON, you can change the UNC hardening settings in Windows 10 using Group Policy. The Hardened UNC Paths policy lets you specify different security settings for different UNC paths.
- Open the Local Group Policy Editor ();
- Go to the policy section Computer Configuration -> Administrative Templates -> Network -> Network Provider;
- Enable the Hardened UNC Paths policy;
- Click the Show button and create entries for the UNC paths to Netlogon and Sysvol. To completely disable UNC hardening for specific folders (not recommended!), specify the following values:
\\192.168.200.2 (the domain controller IP address)
Or you can allow access to Sysvol and Netlogon regardless of the UNC path used (on any DC):
Specify all the domain (domain controller) names or IP addresses you need.
Microsoft recommends using these settings to safely access the critical UNC directories:
Now you just need to update the policies on your computer using the
gpupdate /force command and make sure that you can access Sysvol and Netlogon.
You can configure these parameters using a centralized domain GPO or the following commands on the clients. (These commands disable Kerberos authentication when you access the SYSVOL and NETLOGON folders on the domain controllers. NTLM will be used instead, and you will be able to open the protected folders on the DC by its IP address.)
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f
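As an added audit example (not code from the original article), this PowerShell script reads the HardenedPaths registry key described above and reports entries that explicitly switch off mutual authentication or SMB signing, so you can find clients where the weakened settings were left in place. The function names and the constructed sample entries (used only when the policy key is absent) are my own.

```powershell
# Added example: audit Hardened UNC Paths entries for weakened settings.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # Value format: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=0"
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $settings[$kv[0].Trim()] = [int]($kv[1].Trim()) }
    }
    return $settings
}

function Test-HardenedPaths {
    param([hashtable]$Entries)   # UNC path -> REG_SZ value string
    foreach ($path in $Entries.Keys) {
        $s = ConvertFrom-HardenedPathValue $Entries[$path]
        $weak = @()
        # Only explicit "=0" values are flagged; omitted options are not evaluated here.
        if ($s['RequireMutualAuthentication'] -eq 0) { $weak += 'mutual authentication off (NTLM, access by IP allowed)' }
        if ($s['RequireIntegrity'] -eq 0) { $weak += 'SMB signing not required' }
        $privacy = if ($s.ContainsKey('RequirePrivacy')) { $s['RequirePrivacy'] } else { 0 }
        [pscustomobject]@{
            Path      = $path
            Hardened  = ($weak.Count -eq 0)
            Encrypted = ($privacy -eq 1)   # RequirePrivacy=1 breaks pre-SMB3 clients
            Issues    = ($weak -join '; ')
        }
    }
}

# Read the live policy key if present; otherwise fall back to constructed sample entries.
$entries = @{}
if (Test-Path $KeyPath) {
    $item = Get-ItemProperty -Path $KeyPath
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like '\\*') { $entries[$p.Name] = [string]$p.Value }
    }
} else {
    $entries['\\*\SYSVOL']   = 'RequireMutualAuthentication=1, RequireIntegrity=1'   # constructed
    $entries['\\*\NETLOGON'] = 'RequireMutualAuthentication=0'                       # constructed
}
Test-HardenedPaths $entries | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a client where the reg add commands above were applied; the NETLOGON row is reported as not hardened.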
- You have an outdated version of the administrative templates on a domain controller (a DC running Windows Server 2008 R2/Windows Server 2012) that has no Hardened UNC Paths parameter;
- Clients can't settings because Sysvol is inaccessible, and you can't .