Only Windows 10 Machines cannot gpupdate, Access Denied on Server 2012R2

    Question

  • Bear with me as I set this up.  Four weeks ago, I stood up a server with 2012R2 to build a domain.  Everything went well, except the Windows 7 machines could not open the shares.  As it turns out, Windows 7 could not use the added Encryption feature when creating the shares, however, I already destroyed my server by reinstalling 2012R2 before I figured that out.  Ever since, all Windows 10 machines are not able to get the Group Policy.  I am on my fourth installation and rebuilding of my domain.

    I was afraid that some metadata might have been left over from the previous installs, so this last time I ran a Clean All during installation.  I took my time like the first install, adding one role at a time, updating the server, and making my configuration.  The roles installed are AD-CA, AD-DS, DNS, DHCP (inactive), File Server, FSRM, FS VSS, and Storage Services.  Features are .NET 4.5, .NET 4.5 WCF Services TCP Port Sharing, GP Management, Remote Server Admin Tools > AD DS & AD LDS Tools > Active Directory module for PS, AD DS Tools > Active Directory Admin Center and AD DS Snap-Ins & CL Tools.

    I set my default group policy to use 128 bit encryption, schannel requires encryption or signature always, and then other logins are negotiated, but do not require encryption.  I left default domain controller policy alone at first.  I made several other changes as well.

    When I joined the Windows 10 machine A to the domain, it did not take all GPOs.  I joined Windows 10 machine B and that did not take all GPOs.  Both machines failed gpupdate, Event ID 1058 Error 5 Access Denied.  I've looked this up for hours, but could not find an answer that corrected my issue.  Both machines were previously on the earlier domains and had residual evidence of that in the registry.  Unfortunately, the newest login information/user was not updated with the current data under HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy.  History has the new domain name and the correct server name, but that was also the previous FQDN (changed it for security reasons by adding a secondary level: subdomain.domain.com).  That was machine A.  Machine B, after joining to the domain, had very little domain information.  Only under History did it have the server name and the FQDN.  The users had no domain info.

    So, I realized that everything worked when Windows 10 had never previously been joined to a domain, and that is when I took a fresh Windows 7 machine that was never on this domain or any previous one and then installed Windows 10 as a clean install.  I did not give it time to do any updates and then quickly joined the PC to the domain and renamed it.  The registry failed to get anything off the domain and failed gpupdate.  The only other settings that may affect anything are to restrict anonymous logons or anonymous anything and to exclude anonymous from the Everyone user profile.

    I then went through my server error messages and made corrections.  Most of the errors are due to services running before AD DS got fully running.  I ran some CMD tests and all were successful.  I do not remember all, but nltest was one.  I ran Wireshark on both the server and Machine A and confirmed that the server is denying access to my Windows 10 machines.  On the server side, Invoke-GPUpdate machinename, or with the IP, fails as computer is not responding. Target is shutoff or Remote Scheduled Task Management Firewall Rule disabled. CategoryInfo :OperationTimeout ArgumentException. FullyQualifiedErrorID:COMException,Microsoft,GroupPolicy.Commands.InvokeGPUpdateCommand.

    When I run update from Group Policy > right-click Domain > Group Policy Update..., it fails with Error Code 8007071a remote procedure call was cancelled.

    Turned off all firewalls.  Activated all possible services.  Turned off IPv6.  Ran Wireshark.

    Wireshark shows ldap binds successful, SMB2 negotiations as being successful, and then SMB2 Session Setup Response, Error: STATUS_ACCESS_DENIED followed by resets.  This is the case whether I did a gpupdate from client or invoke-gpupdate from server.

    Machine A Event Viewer under Applications & Services > Microsoft > Windows > GroupPolicy: system call to access specified file completed. Call failed after 32 milliseconds.

    Event ID 7017 Error Code 5.

    And then the System Log> Event ID 1058 Error 5.

    I am able to browse the network to the share and open files/folders.  Access is only denied with GPUpdate.  DNS works well as all machines point to the DC, nslookup is good, I RDP into the DC using its domain name.  There has to be a setting somewhere on the server to allow this.

    The server has SMB errors:

    SMB Session Authentication Failure

    Client Name: \\192.168.186.104
    Client Address: 192.168.186.104:4857
    User Name: domainname\justinh
    Session ID: 0xFFFFFFFFFFFFFFFF
    Status: {Access Denied}
    A process has requested access to an object, but has not been granted those access rights. (0xC0000022)

    Guidance:

    You should expect this error when attempting to connect to shares using incorrect credentials.

    This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

    This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

    Event ID 551 Error and these relate to each fail gpupdate.

    Sorry this is so long, but I have been trying to figure this out for three weeks.  Been all over Google, Microsoft, and other help sites.  

    Justin

    Friday, July 15, 2016 11:42 PM

Answers

  • A lot of information here.  You may not get a lot of responses because of it.  Even still, I get the feeling there is still some information being left out, namely, what exactly you did with system policy.  I am going to focus on this statement:  "I set my default group policy to use 128 bit encryption, schannel requires encryption or signature always, and then other logins are negotiated, but do not require encryption.  I left default domain controller policy alone at first.  I made several other changes as well."  And on this statement:  "Machine A Event Viewer under Applications & Services > Microsoft > Windows > GroupPolicy - system call to access specified file completed. Call failed after 32 milliseconds. Event ID 7017 Error Code 5."  

    By default, Windows 7 and Windows 2008 R2 and above want to use AES256-SHA1 encryption algorithms and you apparently went in and specifically only enabled AES128-SHA1.  Go ahead and check the box for AES256-SHA1 in your Group Policy and try again.  If that doesn't work there is a specific area of Group Policy that I want to focus on, and I'll need a GPresult report to check it out.  You can upload one by running:  gpresult.exe /H gpreport.html


    Best Regards, Todd Heron | Active Directory Consultant

    Saturday, July 16, 2016 12:31 PM
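Added example, not from Todd's post or anything else in this thread: a PowerShell check of the Kerberos encryption-type policy Todd is referring to. It decodes the SupportedEncryptionTypes bitmask that the "Network security: Configure encryption types allowed for Kerberos" setting writes under the Kerberos\Parameters policy key and reports whether AES256 is still enabled. The registry path and bit values are the documented ones; the function names are mine, and the sample masks fed to it are constructed.

```powershell
# Added example (not from the thread): decode the Kerberos encryption-type policy
# and report whether AES256 is enabled on this machine.

# Registry location written by "Network security: Configure encryption types allowed for Kerberos".
$KerberosParamsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit flags of the SupportedEncryptionTypes DWORD.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-KerberosEncTypeMask {
    # Hypothetical helper name: turns the bitmask into a readable report object.
    param([Parameter(Mandatory)][long]$Mask)

    $enabled = foreach ($name in $EncTypeFlags.Keys) {
        if (($Mask -band $EncTypeFlags[$name]) -ne 0) { $name }
    }
    $aes256 = (($Mask -band 0x10) -ne 0)
    $finding = if ($aes256) { 'OK' }
               else { 'AES256 disabled by policy; Windows 7 / 2008 R2 and later default to it' }

    [pscustomobject]@{
        Mask             = ('0x{0:X}' -f $Mask)
        EnabledTypes     = @($enabled)
        Aes256Enabled    = $aes256
        Aes128Enabled    = (($Mask -band 0x8) -ne 0)
        LegacyDesEnabled = (($Mask -band 0x3) -ne 0)
        Finding          = $finding
    }
}

function Get-KerberosEncTypePolicy {
    # Hypothetical helper name: reads the live policy value; $null means "not configured",
    # in which case the operating-system defaults apply.
    $value = Get-ItemProperty -Path $KerberosParamsKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $null }
    ConvertFrom-KerberosEncTypeMask -Mask $value.SupportedEncryptionTypes
}

# Constructed sample: only AES128 enabled, the configuration Todd suspects.
ConvertFrom-KerberosEncTypeMask -Mask 0x8 | Format-List
# Constructed sample: RC4 + AES128 + AES256, a common interim setting.
ConvertFrom-KerberosEncTypeMask -Mask 0x1C | Format-List

# Live check of this machine.
$live = Get-KerberosEncTypePolicy
if ($null -eq $live) { 'SupportedEncryptionTypes is not set by policy; OS defaults apply.' }
else { $live | Format-List }
```

Run it on the client and on the domain controller; if the two reports share no enabled type, Kerberos cannot negotiate a session key, and SMB access to SYSVOL falls back to failing authentication rather than authorization, which matches the STATUS_ACCESS_DENIED seen at SMB2 Session Setup in the question.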
  • Hi Justin,
    Regarding the access denied error with Group Policy, please refer to the following article and blog for more troubleshooting information:
     
    Event ID 1058 — Group Policy Preprocessing (Networking)
    http://social.technet.microsoft.com/wiki/contents/articles/1456.aspx
     
    Group Policies and Access Denied
    http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx
    Also, here is a similar thread, please take a look and use for reference:
    Computer policy fails to apply with event id 1058 - computer removed from one domain and added to another
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/43c98590-901c-40d8-90fb-af6b3b370682/gpupdate-force-access-denied?forum=winserverGP
    In addition, you have installed many roles on a DC, generally, it is not suggested to do that.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 18, 2016 6:43 AM
    Moderator

All replies

  • Todd,

    I apologize for the extreme delay, but I was waiting for an email letting me know that someone responded, which never occurred. 

    Without further ado, I did create all new domain policies and disabled the default policies.  That was done to eliminate the policy issues.  Start from a clean slate.  From everything I read online, it seemed to be a W10 issue due to all of the new security features.  We had to create a registry key to bypass the authentication W10 was looking for. 

    Created a script with the following two lines:

    # Both values go under the "Hardened UNC Paths" policy key, which must already exist;
    # the value name is the UNC pattern and the data is the option string.
    # RequireMutualAuthentication=0 switches off the mutual-authentication requirement
    # for SYSVOL and NETLOGON (the parameter is -PropertyType, not -Property).
    New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\SYSVOL" -Value "RequireMutualAuthentication=0" -PropertyType "String"
    New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\NETLOGON" -Value "RequireMutualAuthentication=0" -PropertyType "String"

    Once these keys were added, W10 machines were able to receive updates.  I have successfully made many changes to the group policy and have not had any issues since. 

    Thank you for all of the responses and suggestions.  I will uncheck the AES-128 option in my group policy.

    Justin

    Tuesday, September 6, 2016 12:15 PM
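Added example, not Justin's script or anything else from this thread: an audit of the same HardenedPaths registry key, for checking what the workaround above leaves behind. It parses each UNC pattern's option string ("RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=0" style) and flags SYSVOL and NETLOGON entries where mutual authentication or integrity is not required, since those two shares carry Group Policy itself. The registry path is the one from Justin's post; the function names are mine and the sample entries are constructed.

```powershell
# Added example (not from the thread): audit Hardened UNC Paths settings and flag
# Group Policy shares that are no longer protected.

# Same policy key Justin's script writes to.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Hypothetical helper name: parse one registry value (UNC pattern + option string).
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Data)

    # An option missing from the string is treated as 0 (not required).
    $opts = @{ RequireMutualAuthentication = 0; RequireIntegrity = 0; RequirePrivacy = 0 }
    foreach ($pair in ($Data -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2 -and $opts.ContainsKey($kv[0].Trim())) {
            $opts[$kv[0].Trim()] = [int]($kv[1].Trim())
        }
    }

    # SYSVOL and NETLOGON hold the policy files and logon scripts the client executes.
    $isPolicyShare = $Path -match '\\(SYSVOL|NETLOGON)$'
    $protected = ($opts.RequireMutualAuthentication -ne 0) -and ($opts.RequireIntegrity -ne 0)
    $finding = if ($isPolicyShare -and -not $protected) {
                   'WEAK: Group Policy share without mutual authentication and integrity'
               } else { 'OK' }

    [pscustomobject]@{
        UncPattern    = $Path
        MutualAuth    = [bool]$opts.RequireMutualAuthentication
        Integrity     = [bool]$opts.RequireIntegrity
        Privacy       = [bool]$opts.RequirePrivacy
        IsPolicyShare = $isPolicyShare
        Finding       = $finding
    }
}

function Get-HardenedPathsAudit {
    # Hypothetical helper name: read every configured pattern from the live registry.
    $item = Get-Item -Path $HardenedPathsKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }   # nothing configured by policy
    foreach ($name in $item.GetValueNames()) {
        ConvertFrom-HardenedPathValue -Path $name -Data ([string]$item.GetValue($name))
    }
}

# Constructed sample: the workaround from this thread beside a fully hardened entry.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=0'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}
$sample.GetEnumerator() |
    ForEach-Object { ConvertFrom-HardenedPathValue -Path $_.Key -Data $_.Value } |
    Format-Table -AutoSize

# Live audit of this machine.
Get-HardenedPathsAudit | Format-Table -AutoSize
```

On the constructed sample the SYSVOL row is reported as WEAK and the NETLOGON row as OK. Setting RequireMutualAuthentication=0 makes gpupdate succeed because the client stops insisting on Kerberos to the DC, so the audit is a useful way to confirm the setting is restored once the underlying Kerberos negotiation problem (such as the encryption-type mismatch Todd raised) has been fixed.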