Unable to Access SYSVOL and NETLOGON folders from Windows 10

I noticed strange things when trying to access the SYSVOL and NETLOGON folders in a Windows 10/Windows Server 2016 domain. When I try to access the domain using the UNC path or the Domain Controller IP address \\192.168.100.10\Netlogon, access is denied and the Windows security prompt for user credentials to access the folder is displayed. After entering valid credentials for the user or even the domain administrator, the folders would still not open.

Meanwhile, the same sysvol/netlogon folder opens normally (without a password prompt) when the domain controller host name or FQDN is specified: \\my-dc-01.contoso.com\sysvol or just \\my-dc-01\sysvol.

In addition, affected computers may have problems applying group policies. Errors with event ID 1058 can be found in the Event Viewer logs:

Group policy handling failed. Windows tried to read the domain controller’s \\contoso.com\sysvol\contoso.com\Policies\{GPO GUID}\gpt.ini file and failed. Group policy settings cannot be applied until this event is resolved.

This is due to a new Windows security setting, UNC hardening, that protects domain computers from executing code (login scripts, executables) and obtaining policy configuration files from untrusted sources. Windows 10/Windows Server 2016 security settings enforce the following requirements when accessing hardened UNC paths (the SYSVOL and NETLOGON shared folders):

  • Mutual authentication of server and client. Kerberos is used for authentication. (NTLM is not supported.) Therefore, you cannot access SYSVOL and NETLOGON shares on a domain controller using its IP address. The default is RequireMutualAuthentication=1.
  • Integrity is verification of the SMB signature. This ensures that the data in the SMB session has not been changed during the transfer. SMB signing is supported in SMB 2.0 or higher (SMB v1 does not support SMB session signing). The default value is RequireIntegrity=1.
  • Data protection (privacy) refers to the encryption of data during an SMB session. Supported from SMB v3.0 (Windows 8/Windows Server 2012 or later). The default value is RequirePrivacy=0. If you have computers or domain controllers on your network running older versions of Windows (Windows 7/Windows Server 2008 R2 or earlier), do not use RequirePrivacy=1. Otherwise, legacy clients cannot access network shares on domain controllers.

These changes were originally made to Windows 10 in 2015 as part of the MS15-011 and MS15-014 security updates. This led to a change in the Multiple UNC Provider (MUP) algorithm, which now uses special rules to access the critical folders on domain controllers: \\*\SYSVOL and \\*\NETLOGON. Hardened UNC paths are disabled by default in Windows 7 and Windows 8.1.

To access SYSVOL and NETLOGON, you can change the UNC hardening settings in Windows 10 through group policy. The Hardened UNC Paths policy lets you set specific security settings for different UNC paths.

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to Computer Configuration -> Administrative Templates -> Network -> Network Provider;
  3. Enable the Hardened UNC Paths policy;
  4. Click Show and create the entries for the UNC paths to Netlogon and Sysvol. To completely disable UNC hardening for specific directories (not recommended!), specify the following values: RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0

You can use the following UNC path formats:

  • \\R2.168.200.2 (IP address of the domain controller)
  • \\Contoso.com

You can also allow access to sysvol and netlogon regardless of the UNC path (on any DC):

Enter the desired domain names (domain controllers) or IP addresses.

Microsoft recommends that you use these settings for secure access to essential UNC folders:

  • \\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1.
  • \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1.

Now you just need to update the policy on your computer with gpupdate /force and make sure you have access to sysvol and netlogon.

You can configure these settings using a central domain GPO or the following commands on clients: (These commands disable Kerberos authentication when accessing the SYSVOL and NETLOGON folders on domain controllers. Instead, NTLM is used and secure folders can be accessed on DCs by their IP address).

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f

These commands can be useful when :

  • You have an older version of administrative templates on a domain controller (DC with Windows Server 2008 R2/ Windows Server 2012) that does not have the Hardened UNC Paths setting;
  • Clients cannot retrieve the domain policy settings because SYSVOL is not available, so you cannot deploy these registry settings via GPO.
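
Because overrides like the ones above tend to stay in place after troubleshooting, it helps to check clients for hardened-path entries that fall below the recommended RequireMutualAuthentication=1, RequireIntegrity=1. The following Python script is an added example, not part of the original article: it parses the text printed by `reg query` for the HardenedPaths key and lists SYSVOL/NETLOGON entries that deviate. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Baseline the article gives as Microsoft's recommendation for SYSVOL/NETLOGON.
BASELINE = {"RequireMutualAuthentication": "1", "RequireIntegrity": "1"}

# Constructed sample of `reg query` output for the HardenedPaths policy key.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    \\*\SYSVOL    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\NETLOGON    REG_SZ    RequireMutualAuthentication=0
    \\192.168.100.10\NETLOGON    REG_SZ    RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0
"""

# Value line: indented UNC pattern, the REG_SZ type, then the flag string.
ENTRY = re.compile(r"^\s+(\\\\\S+)\s+REG_SZ\s+(.*)$")

def parse_entries(reg_output):
    """Return {unc_pattern: {flag: value}} parsed from `reg query` text."""
    entries = {}
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        flags = {}
        for part in m.group(2).split(","):
            key, sep, value = part.strip().partition("=")
            if sep:
                flags[key.strip()] = value.strip()
        entries[m.group(1)] = flags
    return entries

def audit(reg_output):
    """List (path, flag, found) for SYSVOL/NETLOGON entries off the baseline."""
    findings = []
    for path, flags in parse_entries(reg_output).items():
        share = path.rstrip("\\").rsplit("\\", 1)[-1].upper()
        if share not in ("SYSVOL", "NETLOGON"):
            continue
        for flag, wanted in BASELINE.items():
            # A flag absent from the entry is reported as "not set".
            found = flags.get(flag, "not set")
            if found != wanted:
                findings.append((path, flag, found))
    return findings

if __name__ == "__main__":
    for path, flag, found in audit(SAMPLE):
        print(f"{path}: {flag} is {found}, baseline is {BASELINE[flag]}")
```

On a client, pass the output of `reg query` for the HardenedPaths key to `audit()` instead of the sample.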
