Access to domain resources by guest are allowed without authentication

  • Access to domain resources by guest are allowed without authentication

    Hi

    In the past, whenever a guest computer has connected to our network and the user logged on via their local account, if they accessed our data server (or any other resource), they would be prompted for a domain user account name and password.

    I am setting up a laptop and have not yet joined it to the domain. I accessed our data server to install some applications and was allowed straight onto the server without the authorisation prompt. The permissions on the shares apply - the local account I am using is locked out of 99% of those (the other shares are deliberately wide open). The only thing I can think of that is different compared to the last time I did this is that our Win 2k3 DC has been demoted and the domain and forest functional levels were raised to 2008. The local account name I am using is the same as my domain user account name, but my password is different and in my experience the connection will be made as computer-name\blood and not domain-name\blood.

    Does anyone have any ideas why this might have happened, please? When I do a search for this the only info I can see is enabling anonymous access, or denying access to a computer. Does anyone know how I can ensure the machines prompt unknown accounts for a domain user account name/password?

    Thanks
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    It will be a permission issue I would reckon.

    What are the share and NTFS permissions you have set?

    Comment


    • #3
      Thanks for replying.

      I've not looked at these for some time - the drive that contains the data has the following permissions set at the root: Authenticated Users = Write and Administrator = Full Control

      The individual shares and the folder security do not inherit these permissions so they are set as needed.

      I'm just perplexed why the server itself is suddenly accessible without prompting for domain credentials.
      A recent poll suggests that 6 out of 7 dwarfs are not happy

      Comment


      • #4
        Doesn't really answer the question.

        What exactly are you accessing?

        Have you accessed the server previously with that machine?

        What are the permissions on the folder that they are accessing?

        On another note is the guest account enabled?

        Comment


        • #5
          OK
          I am not talking about accessing a share, I am talking about accessing a computer.
          This is the first time I have used this laptop on our network (the laptop is new).
          N/A - these function as they should.
          Guest account is disabled.

          I log on to the new laptop using a local account: laptop\blood
          I open Computer and type \\server-name in the address bar and press Enter.
          All the shares are displayed.

          However, I have just been installing new software on a laptop we have been using for several years that is not joined to the domain and when I typed \\server-name I was prompted for my domain credentials before the shares were displayed. I guess there's something different - but what it is I have no idea. Both laptops run Windows 7 Pro, and both are up to date.

          Thanks again for your response.
          A recent poll suggests that 6 out of 7 dwarfs are not happy

          Comment


          • #6
            OK, now I understand, sorry, I'm a tad slow in my old age.

            I'm pretty sure this is how I've always been able to access shares via a client, it should prompt for your credentials when you try and access the share.

            Comment


            • #7
              Thanks - I'm stumped as to what might be responsible for this.
              A recent poll suggests that 6 out of 7 dwarfs are not happy

              Comment


              • #8
                Originally posted by wullieb1 View Post
                I'm pretty sure this is how I've always been able to access shares via a client, it should prompt for your credentials when you try and access the share.
                Since I'm very often connecting to servers on client networks with my machine, I can tell you that I usually get prompted for username and password before I can enumerate the shares.

                Here's some info on how this is controlled:
                https://technet.microsoft.com/en-us/...=ws.10%29.aspx
                https://technet.microsoft.com/en-us/...=ws.10%29.aspx
                http://windowsitpro.com/windows-serv...ation-policies
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com

                Comment


                • #9
                  Thanks very much, Jeremy. I will read through those tomorrow.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy

                  Comment


                  • #10
                    Add the User Credentials of the laptop user to the Server you are trying to access. This should give you a type of "pass-through" authentication so they won't get asked for again. (Of course I may have misunderstood your issue)
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2

                    Comment


                    • #11
                      Thanks to both of you for that. I am guessing that Jeremy's suggestion about the anonymous enumeration policy will affect all anonymous connections but I see just one non-domain account being able to display the shares on a server whilst all others don't (the latter being the preferred action). The policies are 'not configured' in our domain.
                      A recent poll suggests that 6 out of 7 dwarfs are not happy

                      Comment
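A server-side check for the two questions raised in the posts above: what the anonymous-access security options are actually set to, and which account each connected client was authenticated as. This is an added example, not part of any post in the thread. It assumes the linked articles refer to the standard "Network access: ..." security options, whose registry values are read here, and that it is run in an elevated PowerShell on the file server.

```powershell
# Added example. Run elevated on the file server; written to work on PowerShell 2.0.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Registry values behind the "Network access: ..." security options,
# with the value that blocks anonymous enumeration/access.
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Hardened = 1 },
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Hardened = 1 },
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Hardened = 0 },
    @{ Path = $lanman; Name = 'RestrictNullSessAccess';    Hardened = 1 }
)

$policy = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) {
        $value = $item.($c.Name)
        $shown = $value
    } else {
        # Value absent: the OS default applies, so check it in secpol.msc / rsop.msc.
        $value = $null
        $shown = '(not set)'
    }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Value    = $shown
        Hardened = $c.Hardened
        Matches  = ($value -eq $c.Hardened)
    }
}
$policy | Select-Object Setting, Value, Hardened, Matches | Format-Table -AutoSize

# Shares explicitly opened to null sessions (should normally be empty).
$null_shares = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).NullSessionShares
"NullSessionShares: " + ($(if ($null_shares) { $null_shares -join ', ' } else { '(none)' }))

# Which identity does each current SMB session carry?
# An empty UserName means a null (anonymous) session; otherwise it is the
# account the server accepted for that client.
Get-WmiObject -Class Win32_ServerSession |
    Select-Object ComputerName, UserName, ActiveTime, IdleTime |
    Sort-Object ComputerName |
    Format-Table -AutoSize
```

Run it while the laptop has the share list open: the session row shows whether the server saw an anonymous session or a named account. The matching Security event 4624 (logon type 3) on the server records the account domain and authentication package used, and `cmdkey /list` on the laptop shows any credentials stored for the server.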


                      • #12
                        Originally posted by JeremyW View Post
                        Since I'm very often connecting to servers on client networks with my machine, I can tell you that I usually get prompted for username and password before I can enumerate the shares.

                        Here's some info on how this is controlled:
                        https://technet.microsoft.com/en-us/...=ws.10%29.aspx
                        https://technet.microsoft.com/en-us/...=ws.10%29.aspx
                        http://windowsitpro.com/windows-serv...ation-policies
                        It's been a long, long time since I've needed to browse a domain on a non-domain PC, so thanks for digging this out.

                        Time to refresh the skills I think

                        Comment


                        • #13
                          I created a new local user account on the laptop and when I accessed our data server it prompted for domain credentials. This is weird. I follow the same procedure when setting up laptops/desktops and the first local account I create is my own which has the same name as my domain account. This is the first machine I have set up where accessing the data server under my local account I was not prompted for my domain credentials.
                          A recent poll suggests that 6 out of 7 dwarfs are not happy

                          Comment


                          • #14
                            Did you enter the user credentials on the laptop with domain\username?
                            1 1 was a racehorse.
                            2 2 was 1 2.
                            1 1 1 1 race 1 day,
                            2 2 1 1 2

                            Comment


                            • #15
                              Originally posted by biggles77 View Post
                              Did you enter the user credentials on the laptop with domain\username?
                              No. This is what is weird. The laptop has not been joined to the domain, so I log on to the laptop as laptopname\blood and when I access our data server the shares are visible.
                              A recent poll suggests that 6 out of 7 dwarfs are not happy

                              Comment
