https://tech.nicolonsky.ch/tags/gpo/Recent content in Gpo on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterThu, 19 Oct 2017 17:51:57 +0000https://tech.nicolonsky.ch/windows-10-1709-cannot-access-smb2-share-guest-access/Thu, 19 Oct 2017 17:51:57 +0000https://tech.nicolonsky.ch/windows-10-1709-cannot-access-smb2-share-guest-access/<p>After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn&rsquo;t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Windows 10 1709 Cannot Access SMB2 Share Guest Access" src="https://tech.nicolonsky.ch/content/images/2017/10/2017-10-19_1725-300x171.png" ></figure> <blockquote><p>An error occurred while reconnecting X: to <code>\\nas\data</code> Microsoft Windows Network: You can&rsquo;t access this shared folder because your organization&rsquo;s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.</p> </blockquote> <h2 class="relative group">Cause <div id="cause" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#cause" aria-label="Anchor">#</a> </span> </h2> <p>Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in &ldquo;guest&rdquo; account.</p> <p><strong>This has no reference to the SMB1 protocol which was disabled in the latest Windows 10 release.</strong></p> <h2 class="relative group">Resolution <div id="resolution" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#resolution" aria-label="Anchor">#</a> </span> </h2> <p>To enable guest access again, configure the following GPO:</p> <p><code>Computer configuration &gt; administrative templates &gt; network &gt; Lanman Workstation: &quot;Enable insecure guest logons&quot; = Enabled</code></p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Windows 10 1709 Cannot Access SMB2 Share Guest Access" src="https://tech.nicolonsky.ch/content/images/2017/10/2017-10-19_1740-1024x726.png" ></figure> <h3 class="relative group">Registry Key <div id="registry-key" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#registry-key" aria-label="Anchor">#</a> </span> </h3> <p>The according registry key is located under:</p>https://tech.nicolonsky.ch/manage-local-administrator-rights-using-group-policy/Sat, 14 Oct 2017 13:37:49 +0000https://tech.nicolonsky.ch/manage-local-administrator-rights-using-group-policy/<p>If you imagine that your users or administrators have uncontrolled local administrator rights it&rsquo;s a nightmare. They have (certainly) full control over their computer, and could do a lot of harm. So managing local administrator rights is definitely a must.</p> <h1 class="relative group">Manage Local Administrator Rights <div id="manage-local-administrator-rights" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#manage-local-administrator-rights" aria-label="Anchor">#</a> </span> </h1> <p>The Active Directory Group Policies offer a great possibility to manage local groups on clients or servers. All the magic happens with &ldquo;Restricted Groups&rdquo;.</p> <h3 class="relative group">Adding a group or users to a local group <div id="adding-a-group-or-users-to-a-local-group" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#adding-a-group-or-users-to-a-local-group" aria-label="Anchor">#</a> </span> </h3> <p>If you want to add a certain group to a built-in group add the group to the restricted groups under the &ldquo;This group is a member of&rdquo; sections:<figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Group Policy Restricted Groups" src="https://tech.nicolonsky.ch/content/images//2017/10/2017-10-13_2326.png" ></figure> </p> <p>When the GPO is no longer applied, the restricted group is being removed from the clients.</p> <h3 class="relative group">Overwrite local group members <div id="overwrite-local-group-members" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#overwrite-local-group-members" aria-label="Anchor">#</a> </span> </h3> <p>When you wan&rsquo;t take full control over a local group, you can choose the &ldquo;Members of this group&rdquo; option. Then all group members are replaced with the specified users or groups here, except the built-in local Administrator account.</p>