This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 42%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
The delegation of GPO management in an externally trusted domain was impacted by the introduction of the UNC hardening documented here (three sources provided):
Please consider the following scenario:
In order to successfully implement this particular delegation scenario, it seems that the admin workstations in domain A need to run with a NetworkProvider policy of RequireMutualAuthentication=0. This would allow usage of NTLM to succeed when GPMC (on a Windows 10 workstation in domain A) connects to SYSVOL in domain B. The policy appears to be a weaker security posture for those workstations.
What is the best configuration of UNC hardening to use in this scenario such that all other UNC paths accessed by the admin workstations run with the default security parameters?
Are there any other suggestions for implementing the desired delegation scenario which do not weaken the security of an admin workstation?
Thanks,
DaveC
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @DaveC ,
Thank you for posting here.
We are researching it, and if there is any update, we will reply you here.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
Hello @DaveC ,
Thank you for your patience.
After my research, for external trust, there is some conditions for Kerberos to be used.
Table 1 External vs. Forest Trusts
Conditions for Kerberos to be used over an External Trust
https://learn.microsoft.com/en-us/archive/blogs/activedirectoryua/conditions-for-kerberos-to-be-used-over-an-external-trust
Technologies for Federating Multiple Forests
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/dd560679(v=ws.10)?redirectedfrom=MSDN
Q:Are there any other suggestions for implementing the desired delegation scenario which do not weaken the security of an admin workstation?
Suggestion: A forest trust enables a transitive trust between all of the domains in two forests. Microsoft recommends a forest trust be created between forests rather than an external trust. A forest trust ensures that Kerberos is used whenever possible. Kerberos provides better security and scalability over NTLM.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
@Daisy Zhou Thank you for the research and your reply. As best I can determine the external trust in this environment meets those requirements, but my tests over both SMB and LDAP always negotiate NTLM.
This is not critical and we are reviewing a conversion to forest trust. I'll point out that it's a bit odd/frustrating to try and implement a more secure privilege delegation model, but be hampered by a different security-related feature :)
-DaveC