Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Active Directory / Unable to Access SYSVOL and NETLOGON folders from Windows 10

May 10, 2023

Unable to Access SYSVOL and NETLOGON folders from Windows 10

I noticed some strange things when trying to access SYSVOL and NETLOGON folders in the domain from Windows 10/Windows Server 2016. When I tried to access the domain by the UNC path \\<domain.com>\SYSVOL or by the domain controller IP address \\192.168.100.10\Netlogon, there appeared an ‘Access is denied’ error and the Windows Security prompt to enter a user credentials to access folder. After entering a valid domain user or even domain administrator credentials, the folders still did not open.

windows 10 unable to access sysvol and netlogon

Meanwhile, the same Sysvol/Netlogon folder opens normally (without a password) if you specify the domain controller host or FQDN name: \\be-dc1.domain.com\sysvol or simply \\be-dc1\sysvol.

Also, the issues with Group Policy applying may occur on problem computers. You can find errors with the EventID 1058 in the Event Viewer logs:

The processing of Group Policy failed. Windows attempted to read the file \\domain.com\sysvol\domain.cpo\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

This is related to new Windows security setting that protects domain computers from running code (logon scripts, executables) and getting policy configuration files from untrusted sources — UNC hardening. Windows 10/Windows Server 2016 security settings require the following security levels are used to access UNC directories with enhanced security (SYSVOL and NETLOGON shared folder):

  • Mutual Authentication of a server and a client. Kerberos is used for authentication. (NTLM is not supported.) This is why you cannot access SYSVOL and NETLOGON shares on the domain controller by its IP address. By default, RequireMutualAuthentication=1.
  • Integrity is the SMB signature check. It allows to make sure that data in an SMB session have not been modified during transmission. SMB signature is supported in SMB 2.0 or higher (SMB v 1 does not support SMB session signing). The default value is RequireIntegrity=1.
  • Privacy is related to data encryption in an SMB session. It is supported starting from SMB v 3.0 (Windows 8/Windows Server 2012 or newer). The default value is RequirePrivacy=0.
    If you have any computers or domain controllers with legacy Windows versions (Windows 7/Windows Server 2008 R2 or earlier) in your network, do not use the RequirePrivacy=1 option. Otherwise, the legacy clients won’t be able to access network shared folders on domain controllers.

Originally, these changes were made in Windows 10 in 2015 as a part of security updates MS15-011 and MS15-014. It resulted in changes in Multiple UNC Provider (MUP) algorithm that is now using special rules to access critical folders on the domain controllers: \\*\SYSVOL and \\*\NETLOGON.

The protected UNC paths are disabled by default on Windows 7 and Windows 8.1.

To access SYSVOL and NETLOGON, you can change UNC hardening settings in Windows 10 using Group Policy. You can use special security settings to access different UNC paths in the Hardened UNC Paths policy.

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to the policy section Computer Configuration -> Administrative Templates -> Network -> Network Provider;
  3. Enable the Hardened UNC Paths policy ; Hardened UNC Paths policy
  4. Click the Show button and create entries for the UNC paths to Netlogon and Sysvol. To completely disable UNC hardening for specific folders (not recommended!), specify the following values: RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
You can use the following formats of UNC paths:

  • \\192.168.200.2 (the domain controller IP address)
  • \\domain.com
  • \\DCName

Or you can allow the access to Sysvol and Netlogon independently of the UNC path (on any DC):

  • \\*\SYSVOL
  • \\*\NETLOGON

Specify all the domain (domain controller) names or IP addresses you need.

Microsoft recommends using these settings to safely access critical UNC directories:

  • \\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1
  • \\*\SYSVOL    RequireMutualAuthentication=1, RequireIntegrity=1

Hardened UNC Paths GPO Settings - equireMutualAuthentication and RequireIntegrity

Now you just have to update the policies on your computer using gpupdate /force command and make sure that you can access Sysvol and Netlogon.

You can configure these parameters using the centralized domain GPO or the following commands on the clients: (These commands will disable Kerberos authentication when you access SYSVOL and NETLOGON folders on the domain controllers. NTLM will be used instead, and you will be able to open the protected folders on the DC by their IP address.)

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f

These commands may be helpful if:

  • You have an old version of administrative templates on a domain controller (a DC running Windows Server 2008 R2/ Windows Server 2012) having no Hardened UNC Paths parameter;
  • Clients cannot get the Domain Policies settings due to Sysvol inaccessibility and you cannot deploy these registry settings.

4 comments
10
Facebook Twitter Google + Pinterest
Active DirectoryWindows 10Windows Server 2016
previous post
Keepalived: Configuring High Availability with IP Failover on CentOS/RHEL
next post
Restoring Active Directory Domain Controller from a Backup

Related Reading

How to Refresh (Update) Group Policy Settings on...

August 13, 2024

Get-ADDomainController: Getting Domain Controllers Info via PowerShell

July 8, 2022

Repairing the Domain Trust Relationship Between Workstation and...

May 16, 2024

Backing Up Active Directory with Windows Server Backup

November 26, 2024

Generating Strong Random Password with PowerShell

January 31, 2020

Configuring Password Policy in Active Directory Domain

March 12, 2024

Configuring Proxy Settings on Windows Using Group Policy...

February 27, 2023

Time-Based (Temporary) Group Membership in Active Directory

March 15, 2024

4 comments

Permissions issue on netlogon September 22, 2022 - 11:20 pm

[…] some articles going into more detail below: _https://help.univention.com/t/how-to…-clients/18743 Unable to Access SYSVOL and NETLOGON folders from Windows 10 | Windows OS Hub We have it set in our domain for the \*SYSVOL and \*NETLOGON shares (you can use wildcards) as […]

Reply
Weird access issues NETLOGON/SYSVOL November 30, 2022 - 8:02 pm

[…] This sounds similar to issue we had on the new central network we have just implemented, and it was harden paths we noticed every now and again policy's where not applying as sysvol wasn't accessible. Unable to Access SYSVOL and NETLOGON folders from Windows 10 | Windows OS Hub […]

Reply
Bill February 1, 2023 - 7:43 am

The same problem appeared on our Windows 10 Pro 21H2 (19044.2546) domain computers.
Domain policies were not applied and the gupdate/force command on the client returned the “Windows attempted to read the file \\domain.com\sysvol\domain.cpo\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful” message.

Reply
Rob Holmes January 18, 2024 - 9:30 am

We had this issue but only on the SYSVOL share from random computers and randomly, failing once every 3 to 5 logins. Turned out to be caused by having UE-V enabled on the machines. Disabling that solved it for us but we didn’t need UE-V any more thankfully.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Using WMI Filters to Target Group Policies in Active Directory
  • Using Managed Service Accounts (MSA and gMSA) in Active Directory
  • How to Set a User Thumbnail Photo in Active Directory
  • Set Desktop Wallpaper and Logon Screen Background via Group Policy
  • Restoring Active Directory Domain Controller from a Backup
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top