Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Active Directory / Unable to Access SYSVOL and NETLOGON folders from Windows 10

July 7, 2020 Active DirectoryWindows 10Windows Server 2016

Unable to Access SYSVOL and NETLOGON folders from Windows 10

I noticed some strange things when trying to access SYSVOL and NETLOGON folders in the domain from Windows 10/Windows Server 2016. When I tried to access the domain by the UNC path \\<domain.com>\SYSVOL or by the domain controller IP address \\192.168.100.10\Netlogon, there appeared an ‘Access is denied’ error and the Windows Security prompt to enter a user credentials to access folder. After entering a valid domain user or even domain administrator credentials, the folders still did not open.

windows 10 unable to access sysvol and netlogon

Meanwhile, the same Sysvol/Netlogon folder opens normally (without a password) if you specify the domain controller host or FQDN name: \\be-dc1.domain.com\sysvol or simply \\be-dc1\sysvol.

Also, the issues with Group Policy applying may occur on problem computers. You can find errors with the EventID 1058 in the Event Viewer logs:

The processing of Group Policy failed. Windows attempted to read the file \\domain.com\sysvol\domain.cpo\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

This is related to new Windows security setting that protects domain computers from running code (logon scripts, executables) and getting policy configuration files from untrusted sources — UNC hardening. Windows 10/Windows Server 2016 security settings require the following security levels are used to access UNC directories with enhanced security (SYSVOL and NETLOGON shared folder):

  • Mutual Authentication of a server and a client. Kerberos is used for authentication. (NTLM is not supported.) This is why you cannot access SYSVOL and NETLOGON shares on the domain controller by its IP address. By default, RequireMutualAuthentication=1.
  • Integrity is the SMB signature check. It allows to make sure that data in an SMB session have not been modified during transmission. SMB signature is supported in SMB 2.0 or higher (SMB v 1 does not support SMB session signing). The default value is RequireIntegrity=1.
  • Privacy is related to data encryption in an SMB session. It is supported starting from SMB v 3.0 (Windows 8/Windows Server 2012 or newer). The default value is RequirePrivacy=0.
    If you have any computers or domain controllers with legacy Windows versions (Windows 7/Windows Server 2008 R2 or earlier) in your network, do not use the RequirePrivacy=1 option. Otherwise, the legacy clients won’t be able to access network shared folders on domain controllers.

Originally, these changes were made in Windows 10 in 2015 as a part of security updates MS15-011 and MS15-014. It resulted in changes in Multiple UNC Provider (MUP) algorithm that is now using special rules to access critical folders on the domain controllers: \\*\SYSVOL and \\*\NETLOGON.

The protected UNC paths are disabled by default on Windows 7 and Windows 8.1.

To access SYSVOL and NETLOGON, you can change UNC hardening settings in Windows 10 using Group Policy. You can use special security settings to access different UNC paths in the Hardened UNC Paths policy.

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to the policy section Computer Configuration -> Administrative Templates -> Network -> Network Provider;
  3. Enable the Hardened UNC Paths policy ; Hardened UNC Paths policy
  4. Click the Show button and create entries for the UNC paths to Netlogon and Sysvol. To completely disable UNC hardening for specific folders (not recommended!), specify the following values: RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
You can use the following formats of UNC paths:

  • \\192.168.200.2 (the domain controller IP address)
  • \\domain.com
  • \\DCName

Or you can allow the access to Sysvol and Netlogon independently of the UNC path (on any DC):

  • \\*\SYSVOL
  • \\*\NETLOGON

Specify all the domain (domain controller) names or IP addresses you need.

Microsoft recommends using these settings to safely access critical UNC directories:

  • \\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1
  • \\*\SYSVOL    RequireMutualAuthentication=1, RequireIntegrity=1

Hardened UNC Paths GPO Settings - equireMutualAuthentication and RequireIntegrity

Now you just have to update the policies on your computer using gpupdate /force command and make sure that you can access Sysvol and Netlogon.

You can configure these parameters using the centralized domain GPO or the following commands on the clients: (These commands will disable Kerberos authentication when you access SYSVOL and NETLOGON folders on the domain controllers. NTLM will be used instead, and you will be able to open the protected folders on the DC by their IP address.)

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f

These commands may be helpful if:

  • You have an old version of administrative templates on a domain controller (a DC running Windows Server 2008 R2/ Windows Server 2012) having no Hardened UNC Paths parameter;
  • Clients cannot get the Domain Policies settings due to Sysvol inaccessibility and you cannot deploy these registry settings.

0 comment
1
Facebook Twitter Google + Pinterest
previous post
Keepalived: Configuring High Availability with IP Failover on CentOS/RHEL
next post
How to Restore Active Directory from a Backup?

Related Reading

Preparing Windows for Adobe Flash End of Life...

January 22, 2021

Checking User Logon History in Active Directory Domain...

January 22, 2021

How to Disable/Remove Thumbs.db File on Network Folders...

January 21, 2021

USB Device Passthrough (Redirect) to Hyper-V Virtual Machine

January 15, 2021

Windows 10: No Internet Connection After Connecting to...

January 13, 2021

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Preparing Windows for Adobe Flash End of Life on December 31, 2020

    January 22, 2021
  • Checking User Logon History in Active Directory Domain with PowerShell

    January 22, 2021
  • How to Disable/Remove Thumbs.db File on Network Folders in Windows?

    January 21, 2021
  • MS SQL Server 2019 Installation Guide: Basic Settings and Recommendations

    January 19, 2021
  • USB Device Passthrough (Redirect) to Hyper-V Virtual Machine

    January 15, 2021
  • Windows 10: No Internet Connection After Connecting to VPN Server

    January 13, 2021
  • Updating the PowerShell Version on Windows

    December 24, 2020
  • How to Enable and Configure User Disk Quotas in Windows?

    December 23, 2020
  • Restoring Deleted Active Directory Objects/Users

    December 21, 2020
  • Fix: Search Feature in Outlook is Not Working

    December 18, 2020

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Changing Desktop Background Wallpaper in Windows through GPO
  • Restricting Group Policy with WMI Filtering
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top