I have a folder on my Windows Server 2003 that I'd like to share with all computers on the network, but I want to force people to input a password (at least initially) to connect to the share. I tried adding a password to the "Guest" account, but it never asks for a password. I've tried setting up a separate account with a password, but I get "Windows cannot access \\server\" message. What's the best way to accomplish what I'm trying to do?
-
You need to make sure that the Everyone group does not have permission on the share, because the Everyone group really does include everyone, even unauthenticated users. Instead give permission to a specific user or group to force authentication to the folder.
From Catherine MacInnes -
We would set the share permissions to Authenticated Users full and set proper NTFS permissions on the folders being accessed. Authenticated Users not Everyone. D'oh!
From Mitch -
(I am assuming you are doing this with a standalone server and clients that aren't members of a domain.)
Disable the "Guest" account on the server.
After you've done that, create an account on the server computer with the username / password that you want users to use.
Set the "Share Permissions" on the shared folder to "Everyone / Full Control" (assuming that you're sharing folders on an NTFS volume). There's no reason to use "Share Permissions" if the underlying filesystem is NTFS-- it will just complicate things. (If I could somehow influence Microsoft to do anything I'd have them remove this functionality.)
Modify the NTFS permission on the shared folder to allow the user you created above to have the type of access you require (Read, Full-Control, etc). (Don't name "Everyone" unless you mean "Everyone in the world".)
Finally, when you "connect" from the client computer and are prompted for credentials, be sure you enter the credential as "SERVERNAME\Username".
The behavior of Windows Explorer, in my experience, has been spotty. I'd try the following from a command-prompt on client computer just to be sure:
NET USE * \\servername\sharename /USER:servername\username password
If that works, but Windows Explorer isn't prompting for credentials, you probably have credentials saved by Explorer that need to be cleared.
The "Guest" account's enabled / disabled status is interpreted by the OS as a "flag" that says "Allow unauthenticated users to connect..." versus "Do not allow authenticated users to connect..." (I am glossing over some details here, but this is basically true.)
Michael Kelley : I disabled the "Guest" account, and I removed the "Everyone" from the share permissions, but I still get "access denied". Do I have to have an account on the server that matches the account on the client accessing the share, or can I create a different account?
Michael Kelley : Thanks for the detailed response! Unfortunately I never get the credential prompt from the client computers.
Michael Kelley : And yes, the server is standalone and clients aren't members of a domain.
Evan Anderson : I threw some more information into the post.
wizard : The one reason behind the share permissions that I like entirely is the difference between "everyone" and "domain users".
Evan Anderson : @wizard: There's no reason to set "Share Permissions" to anything but "Everyone / Full Control" on folders shared from NTFS volumes. What you're describing is going to cause problems if you later add a child-domain and want users in the child domain to access resources shared as you describe. Since the "Domain Users" group from the parent domain won't include users in the child domain access will be denied by your (perhaps well-intentioned but completely needless) share permission. (Confusing "Domain Users" and "Authenticated Users", as you are, is pretty common.)
Michael Kelley : Thanks for the help - got it working, was having problems with Windows caching credentials!
From Evan Anderson -
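The steps from the answer above as a command-line sequence, for a standalone server and non-domain clients. This is an added example, not part of the original thread; SERVERNAME, sharename, shareuser and D:\Shared are placeholder names, and the share is assumed to exist already.

```batch
@echo off
rem Added example. All names below are placeholders, not values from the thread.
set SHAREUSER=shareuser
set FOLDER=D:\Shared
set UNC=\\SERVERNAME\sharename

rem Run with the argument "client" on a client PC, with no argument on the server.
if /i "%1"=="client" goto client

rem ---- On the server, as an administrator ----

rem 1. Disable Guest so unauthenticated connections are not mapped to it.
net user Guest /active:no

rem 2. Create the local account that clients will authenticate as.
rem    The * makes NET USER prompt for the password instead of taking it
rem    on the command line.
net user %SHAREUSER% * /add

rem 3. Share permissions stay at "Everyone / Full Control" as the answer
rem    describes; set that on the folder's Sharing tab.

rem 4. NTFS permissions carry the real access control.
rem    /E edits the existing ACL, /T applies to the whole subtree,
rem    /G grants (R = Read, C = Change, F = Full control), /R revokes.
cacls "%FOLDER%" /E /T /G %SHAREUSER%:R
cacls "%FOLDER%" /E /T /R Everyone

rem 5. Verify: Guest should show "Account active  No", and the ACL should
rem    list the new account and no Everyone entry.
net user Guest | find "Account active"
cacls "%FOLDER%"
goto :eof

:client
rem ---- On each client ----

rem Drop any existing connection so a cached session is not reused.
net use %UNC% /delete

rem Connect with the server-local account; the trailing * prompts for
rem the password. SERVERNAME\ forces the server's account database.
net use * %UNC% /user:SERVERNAME\%SHAREUSER% *
```

Change `R` in the `/G` line to `C` or `F` if the account needs write or full access.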
Hello,
I have a problem that resembles this one. The setup:
- a Windows 2003 server that has a share: \\MyServer\MyShare that points to D:\MyShare
- a user/pass on the Win 2003 machine ("user"/"password"); I put this user in Sharing/Permissions with Full Control and in Security with Full Control as well
When I connect to this share from another computer, I DO get the login dialog, but it refuses my password. I type "user" (or "MyServer\user") + "password" and I get an error message:
\\MyServer\MyShare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Access is denied.
If I enable the Guest account (with no password), it works. If Guest has a password, I have the same problem.
I'm under the impression that: either
- the password is not "correctly" sent from the client to the server (e.g. not encrypted and it is expected encrypted, or something like this)
- or there is some policy setting or registry switch that blocks this
- or who knows what
Thanks in advance for any tips. Best regards, Cristian.
From Cristian