Hardening UNC Paths Breaks GPO Access


Hello,

I am attempting to utilize Group Policy to harden UNC paths on 2 domain controllers. I have followed along with the steps to create a central GPO store, and have created the object in accord with MS15-011.

I have the following settings:


status:  enabled

paths <values>

\\dc1 <requiremutualauthentication=1,requireintegrity=1,requireprivacy=1>

\\dc2 <requiremutualauthentication=1,requireintegrity=1,requireprivacy=1>

Once I apply it to the DC OU, things rapidly go downhill. Specifically, I am no longer able to view settings on what appear to be already-in-place GPOs. Further, when I attempt to edit a GPO, it claims I don't have permission to do so.

When I remove the Harden UNC Path GPO from the domain controller OU, it appears to restore either right away or after gpupdate /force.

My theory is that in order to get at shares on these machines (which include policies), I'd need better proof of who I am. Well, I'm accessing DC1 via Remote Desktop (to the virtual host) and Hyper-V as domain admin. I didn't bother to test DC2 since DC1 broke.

The only thing I can think of offhand is that a certificate on the workstation (somewhere in the chain) is not trusted by the DC, so it fails the mutual authentication check. I've thought about re-applying these one by one, but I'm hesitant to go putting things on domain controllers that I know cause issues.

Has anyone encountered this before, and if so, what is going on?

Thanks,

M.

Hi,
 
On 25.03.2016 at 14:57, meversbergii wrote:
> I have the following settings:
> \\dc1 <requiremutualauthentication=1,requireintegrity=1,requireprivacy=1>
> \\dc2 <requiremutualauthentication=1,requireintegrity=1,requireprivacy=1>
 
AFAIK: RequirePrivacy=1 needs IPsec implemented.
 
If the DCs are only DCs, with no file hosting/print servers, I would
recommend defining only
\\*\netlogon = requiremutualauthentication=1,requireintegrity=1
\\*\sysvol = requiremutualauthentication=1,requireintegrity=1
 
Use "*" to cover all DCs.
 
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
 
GPO Tool: http://www.reg2xml.com - Registry Export File Converter
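
An added example, not part of either post: a small Python check that parses Hardened UNC Paths entries and compares the two value sets from this thread. The function names and finding texts are assumptions made for illustration; setting names are compared case-insensitively.

```python
import re

# Constructed sample input: the two sets of values quoted in the thread.
POSTED = {
    r"\\dc1": "RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1",
    r"\\dc2": "RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1",
}
SUGGESTED = {
    r"\\*\NETLOGON": "RequireMutualAuthentication=1,RequireIntegrity=1",
    r"\\*\SYSVOL": "RequireMutualAuthentication=1,RequireIntegrity=1",
}

def parse_flags(value):
    """Turn 'Name=1,Other=0' into {'name': True, 'other': False}; reject malformed items."""
    flags = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        m = re.fullmatch(r"(\w+)\s*=\s*([01])", item)
        if not m:
            raise ValueError(f"malformed setting: {item!r}")
        flags[m.group(1).lower()] = m.group(2) == "1"
    return flags

def split_unc(path):
    """Return (server, share); share is None when the entry names only a server."""
    parts = path.lstrip("\\").split("\\")
    return parts[0].lower(), (parts[1].lower() if len(parts) > 1 and parts[1] else None)

def audit(entries):
    """Return findings (hypothetical wording) for a {unc_path: value} mapping."""
    findings, covered = [], set()
    for path, value in entries.items():
        flags = parse_flags(value)
        server, share = split_unc(path)
        if flags.get("requireprivacy"):
            findings.append(f"{path}: RequirePrivacy=1 is set")
        if share in (None, "*"):
            findings.append(f"{path}: entry is scoped to a server, not to a single share")
        if (server == "*" and share in ("netlogon", "sysvol")
                and flags.get("requiremutualauthentication") and flags.get("requireintegrity")):
            covered.add(share)
    for share in sorted({"netlogon", "sysvol"} - covered):
        findings.append(f"\\\\*\\{share.upper()}: no entry with mutual authentication and integrity")
    return findings

if __name__ == "__main__":
    for name, entries in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, audit(entries) or "no findings")
```
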
 

