Windows 10 unable to access sysvol and netlogon

Tags: windows, windows 10, windows-server-2012, windows-server-2012-r2

A Windows 10 update introduced a security enhancement where the Windows 10 client is unable to browse to the sysvol and netlogon shares, in order to prevent unintended access to these locations.

The symptom is that on any attempt to access these shares from a Windows 10 machine, the user is prompted for login credentials, and not even the domain admin account is granted access.

This can be resolved by adding the DC's UNC path (<\\DC_name>) to the Hardened UNC Paths setting within the local GPO editor of every Windows 10 client, which can be located under

Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths

Now this is a working solution, however it's not ideal, as we have 120+ clients (some of them at geographically remote sites) and it's not convenient to do them manually, let alone the fact that it defeats the whole purpose of opting for a domain controller for central client management.

When trying to push such a setting from GPO there are 2 issues:

  1. The same GPO setting is not available in the Group Policy Management console on Server 2012 (DC).
  2. Since GPOs are pushed through the sysvol folder, and that folder is inaccessible (unless you apply the fix manually), it's rather impossible to push it to the clients.

The desired outcome is for this issue to be solved through the DC rather than on every Windows client individually.

I look forward to your help.

Thanks,

J

Best Answer

After further research it was determined that this was solvable by hardening UNC paths on the clients manually. We used the following script to make this easier:

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

This just applies the hardened UNC paths from the command line rather than clicking your way through the local GPO. It is understood that Microsoft is working on a solution for this matter.
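An added PowerShell example (not part of the original answer) that reads back the same registry key the reg.exe commands above write and reports, per UNC pattern, whether the entry is hardened or, as with the RequireMutualAuthentication=0 value in the script, exempts the path from the check. The Set-HardenedPath function and its default values are assumptions of this example, not something the original post provides.

```powershell
# Added example, not from the original post: audit and (optionally) set the
# Hardened UNC Paths entries the answer writes with reg.exe, so that an admin
# can tell a hardened entry from one that merely switches the check off.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathState {
    param([string]$Key = $HardenedPathsKey)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-ItemProperty -Path $Key
    foreach ($prop in $item.PSObject.Properties) {
        # Value names are UNC patterns such as \\*\SYSVOL; skip PSPath, PSDrive etc.
        if ($prop.Name -notlike '\\*') { continue }
        # Data is a comma-separated list, e.g. "RequireMutualAuthentication=1, RequireIntegrity=1"
        $opts = @{}
        foreach ($pair in ([string]$prop.Value -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $opts[$kv[0].Trim()] = $kv[1].Trim() }
        }
        [pscustomobject]@{
            UncPath    = $prop.Name
            MutualAuth = $opts['RequireMutualAuthentication']
            Integrity  = $opts['RequireIntegrity']
            Privacy    = $opts['RequirePrivacy']
            # "=0" (as in the answer's script) exempts the path from the check;
            # the hardened state is RequireMutualAuthentication=1 and RequireIntegrity=1.
            Hardened   = ($opts['RequireMutualAuthentication'] -eq '1' -and
                          $opts['RequireIntegrity'] -eq '1')
        }
    }
}

# Assumed helper: writes the same REG_SZ value reg.exe writes in the answer,
# defaulting to the hardened form rather than the exemption.
function Set-HardenedPath {
    param(
        [Parameter(Mandatory)][string]$UncPath,          # e.g. '\\*\SYSVOL'
        [ValidateSet('0','1')][string]$MutualAuth = '1',
        [ValidateSet('0','1')][string]$Integrity  = '1',
        [string]$Key = $HardenedPathsKey
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $data = "RequireMutualAuthentication=$MutualAuth, RequireIntegrity=$Integrity"
    # -Force overwrites an existing entry for the same UNC pattern.
    New-ItemProperty -Path $Key -Name $UncPath -Value $data -PropertyType String -Force | Out-Null
}

# Report the current state (run from an elevated prompt if you intend to change anything).
Get-HardenedPathState | Format-Table -AutoSize
```

Running the audit after the reg.exe script shows the two entries with Hardened = False, which makes it easy to spot on which clients the check has been disabled rather than configured.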