Introduction

After applying Group Policy changes that restrict NTLM authentication (such as Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers), users and services may lose access to SMB file shares. This is because older clients, cross-domain access, and workgroup configurations rely on NTLM for authentication. When NTLM is blocked and Kerberos is not available, all SMB connections fail with access denied errors.

Symptoms

  • `net use \\server\share` returns "System error 5 has occurred. Access is denied."
  • File Explorer shows "Windows cannot access \\server\share" with error code 0x80070005
  • Event Viewer shows Event ID 5145: A network share object was accessed unsuccessfully
  • Access works from domain-joined machines but fails from workgroup computers
  • SQL Server backup to a network share fails with access denied

Common Causes

  • Group Policy set to Deny all for outgoing NTLM traffic
  • Client not domain-joined, unable to use Kerberos authentication
  • NTLM audit mode recently enabled but not yet transitioned to enforcement
  • SMB signing requirements conflicting with older client capabilities
  • Computer account password out of sync breaking Kerberos fallback

Step-by-Step Fix

  1. Check the current NTLM policy settings:

```powershell
# Export the effective local security policy and look for the NTLM restriction values.
# The policy names appear as registry value names in the export, e.g.
# MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic=4,2
# (0 = Allow all, 1 = Audit all, 2 = Deny all), so match on "NTLM" rather than "RestrictNTLM".
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
secedit /export /cfg C:\temp\secpol.cfg
Select-String -Path C:\temp\secpol.cfg -Pattern "NTLM"
```

  2. Identify the failing authentication method:

```powershell
# Enable NTLM auditing to see what is being blocked
# GPO: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = "Audit all"
# (on domain controllers: Network security: Restrict NTLM: Audit NTLM authentication in this domain)
# Audit events 8001-8004 are written to the Microsoft-Windows-NTLM/Operational log, not the Security log;
# 8001 is the client-side audit of outgoing NTLM traffic that would be blocked.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTLM/Operational'; ID=8001,8002,8003,8004} -MaxEvents 10 |
    Format-List TimeCreated, Id, Message
```

  3. Add exceptions for specific servers:

```powershell
# In Group Policy Editor (gpedit.msc):
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options >
# Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
# Add the FQDNs of servers that require NTLM (the list is stored in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers)
```

  4. Revert the NTLM policy temporarily to restore access:

```powershell
# Set to "Allow all" temporarily
# GPO: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = "Allow all"
gpupdate /force
```

  5. Ensure Kerberos is working as the primary authentication method:

```powershell
# Request a service ticket for the file server; failure here means the client falls back to NTLM
klist get cifs/server.domain.com
klist tickets
# Verify the cifs/ and HOST/ SPNs are registered on the server's computer account
setspn -L server$
```

  6. Verify SMB connectivity after the policy adjustment:

```powershell
# /user: without a password prompts for credentials interactively
net use \\server\share /user:DOMAIN\username
Test-Path \\server\share
# Dialect, Signed and Encrypted columns show how the session was negotiated
Get-SmbConnection -ServerName server
```
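Steps 2 and 3 leave the administrator to read audit events by hand and then type server names into the exception list. The script below is an added example, not part of the original article: it reads the outgoing-NTLM policy and the current exception list from the MSV1_0 registry key, collects the client-side 8001 audit events from the last seven days, and reports which remote targets still needed NTLM and whether an exception already covers them. It assumes it runs elevated on the affected client with the policy in "Audit all" mode, and that the 8001 event carries the remote server in an EventData field named TargetName (the field name is an assumption taken from the event template; the script falls back to the first event property if it is absent).

```powershell
# Added example (not from the original article): build the step-3 exception list
# from the step-2 audit evidence instead of guessing which servers need NTLM.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$policy = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

# RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all; absent = not configured
$modes    = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$mode     = $policy.RestrictSendingNTLMTraffic
$modeName = if ($null -eq $mode) { 'Not configured' } else { $modes[[int]$mode] }
Write-Host "Outgoing NTLM policy : $modeName"

# ClientAllowedNTLMServers is the REG_MULTI_SZ behind "Add remote server exceptions for NTLM authentication";
# entries may contain wildcards such as *.corp.example, so they are matched with -like below
$exceptions = @($policy.ClientAllowedNTLMServers | Where-Object { $_ })
Write-Host "Configured exceptions: $(if ($exceptions) { $exceptions -join ', ' } else { '(none)' })"

# 8001 = outgoing NTLM authentication from this client that the policy would block
$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function Get-NtlmTargetName {
    # Pull the remote target out of the event XML; 'TargetName' is the assumed EventData field name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetName' }
    if ($node) { return [string]$node.'#text' }
    return [string]$Event.Properties[0].Value   # fallback: first field of the event
}

$needsNtlm = $events | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Target = (Get-NtlmTargetName $_)
    }
}

# One row per target: how often NTLM was needed, when it was last seen, and whether an
# exception entry already matches the host part of the target (SPN prefix and port stripped)
$report = $needsNtlm | Group-Object Target | ForEach-Object {
    $server = ($_.Name -replace '^[^/]+/', '') -split ':' | Select-Object -First 1
    [pscustomobject]@{
        Target   = $_.Name
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Excepted = [bool]($exceptions | Where-Object { $server -like $_ })
    }
} | Sort-Object Count -Descending

if ($report) {
    $report | Format-Table -AutoSize
    # Candidate FQDNs for the step-3 exception list (review each before adding it)
    $report | Where-Object { -not $_.Excepted } | ForEach-Object { $_.Target }
} else {
    Write-Host "No 8001 audit events in the last 7 days; confirm the policy is set to 'Audit all'."
}
```

Rows with `Excepted = False` and a high count are the servers to verify in step 5 first: if `klist get cifs/<server>` succeeds for them, the fix is to correct the client's name resolution or the server's SPN rather than to add an exception.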

Prevention

  • Enable NTLM audit mode for 2-4 weeks before enforcing restrictions
  • Maintain an inventory of all servers and services that use NTLM authentication
  • Test Group Policy changes in a staging environment before domain-wide deployment
  • Configure SMB encryption for sensitive shares as an alternative security layer
  • Use Get-SmbMapping to audit active SMB connections before changing policies