I enabled a trace and it revealed that an LDAP call is being made to the FQDN and that is getting an Access is denied error back. This makes sense because Kerberos is needed to work with the Hardened UNC Paths.
Does anyone know of a GPO option to force Kerberos authentication at computer startup?

- Stephen

From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Thursday, April 16, 2015 10:45 AM
To: [email protected]
Subject: RE: [NTSysADM] Group Policy not applying on some computers after Hardened UNC Paths configured.

When I set it up I used \\*\netlogon and \\*\sysvol and didn’t have any issues.

From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Gestwicki
Sent: Thursday, April 16, 2015 10:22 AM
To: [email protected]
Subject: [NTSysADM] Group Policy not applying on some computers after Hardened UNC Paths configured.

I have 2 computers (64-bit Win 7 Ent.) out of about 30 that are not able to apply group policy at start up. They can get and apply group policy correctly when I run the "gpupdate" command. Every time one of these 2 computers starts there is a block of 9 group policy application event log errors with an Event ID of 8194 all saying "The client-side extension could not apply … because it failed with error code '0x80070041 Network access is denied.'"

I have tracked the cause down to the configuration change for Hardened UNC Paths which I applied using this <https://support.microsoft.com/en-us/kb/3000483>. The specific shares I am using are \\*\SYSVOL and \\*\NETLOGON. Everything works right away if I disable (or just change the paths listed) so it no longer applies and then breaks again as soon as I reapply the setting. I was able to run a command prompt at start up and I get an error if I quickly try to go to \\DomainName\SYSVOL or \\DomainName\NETLOGON.
After about a minute or two trying the same UNC paths works so I believe the problem is related to these computers having trouble converting the DomainName into DomainControllerName before it tried to use Kerberos authentication on the UNC path. Does anyone have any tips/suggestions on how I can try to fix this problem?

- Stephen
