We have a server with Windows Server 2008 Standard installed. We added users and user groups in order for other computers to have access to specific shared folders and files. Obviously, we've set some shared folders to be accessed by some users but not others.
It all worked well until some day. I don't know exactly what happened then. Now, the majority of times whenever I try to access one of my shared folders, I get the message You do not have permission to access \\server\foldr, even though I have been given access to the folder, both in the sharing permissions and the NTFS ones.
This happens equally to all the network users. Only the folders marked for access by Everyone can be accessed.
Another curious thing is that when I go to Computer Management\Shared Folders\Sessions on the server, my client computer is enlisted as GUEST, instead of the user's name, although the Guest property is set to No.
I've already tried resetting permissions on the folder, adding new users, changing credentials on the client computer... nothing seems to work. Do you know what seems to be the problem?
Edit: Follow-up to Dmitry's questions:
Security event 552 does not appear on the logs. Instead, I'm getting event 4776 stating that I have logged in with the "Guest" logon account.
Accessing \\server\c$ asks for my credentials, but either they're not accepted or I do not have permissions to access c$. I have experienced this already when trying to map a network drive to \\server\foldr with specific credentials, somehow my credentials are never accepted.
Turning off UAC didn't help.
The clients' PCs have a range of Windows OS's from XP to 7. My PC in particular has Win 7 RC.
2nd Edit: I disabled the Guest account and found out that my client PC's username is different from the username I was trying to use (I really thought that they were equal, but apparently I changed it when I formatted and reinstalled the OS). So now my question is: is there any way that I can access the shared folders while keeping the current usernames on both server and client computers?
-
Try to check your local security policy run secpol.msc->Local policies->Network access->Sharing and security model for local account. It should be set to classical.
djeidot : it was set to classic (local users authenticate as themselves)Dmitry Trukhanov : As I can understand all your computers are in the workgroup?djeidot : yes, they are. It is a local network.Dmitry Trukhanov : Is the server joined to a workgroup or may be it is joined to domain?djeidot : Workgroup, no domain.Dmitry Trukhanov : Hm, very strange. Have you checked local policy on the server or on the client PC? I understand that this is insane in workgroup mode, but try to run RSOP in logging mode on the server and check Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ policy. Also try to reset saved credentials on client's computer with something like tinyurl.com/7qepgdjeidot : with RSoP (on the server) all the settings are "Not Defined", but the "Sharing and security model" policy still shows "Classic" when you double-click it. I've reset credentials on the client: the server never asks for new credentials, it always shows the "Windows cannot access..." message. Unless I need to reboot or something...Dmitry Trukhanov : Hm, may be you can find something interesting in Event logs especially Security logs for events 552 - Login attempt with logon type 3. and all near eventsDmitry Trukhanov : Which OS runs your clients?Dmitry Trukhanov : Also my friend advised in this situation to try to switch off UAC on the serverDmitry Trukhanov : And if you try to connect \\server\c$ does it show you Account details dialog?djeidot : Thanks for the help, check out the updated question above.From Dmitry Trukhanov -
Just a thought but have you checked for a difference in time between the workstation you're on and the server you're trying to access? If the time is off for some reason or another it could cause issues in terms of accessibility.
djeidot : I have just checked it but it is correct.From JohnyD -
We have had similar problems with our network, and usually they point to a bork in the domain controller. Restarting the server that acts as a domain controller and then flushing the DNS caches in our client machines usually does the trick. After restarting your domain controller, from the command line (in all Windows OS's), you can try (in this order):
ipconfig -flushdns ipconfig -registerdns
From a different angle, when you log into your OS, are you logging into "yourlocalmachinename\yourlocalusername" or "yourdomain\yourdomainusername"? Try logging out and switching users to make sure you're in the right context.
djeidot : We do not have a domain, just a workgroup.From Josh -
I have strong feeling that you have changed something in local security policy. May be disabled NTLM, may be changed Log on locally or Deny log on locally policies. Please check if it was changed from its previous state when all worked fine.
From Dmitry Trukhanov -
From your answer to another post that you are using a Workgroup, the most likely problems are that the user/pswd are different or don't exist on the server, or the user/pswd is not being passed in the correct syntax. In a Workgroup Users are local to each machine, JSmith on the server is not the same as JSmith on the workstation.
A Domain solves both of these issues and has many other advantages if you have more than 4-5 workstations. This is the best solution.
Option 2 is to setup a username and pswd on the server. This can be 1 server user for each wkstn user, 1 server user for each user security group desired: Accounting, Sales, Marketing, etc, or 1 server user for all users. The server username & pswd may, but are not required, to match the username and pswd on the wkstns. Don't use any blank passwords.
Create a batch file on each machine to map the shares as a drive letter and force authentication on the server. Place the batch file in a C:\Admin folder, place a shortcut to the batch file in the All Users Startup folder to have it run on logon, set it to run minimized. The syntax is:
"Net Use X: \Server\Share /User:Server\User Password".
"Net Use /help" will provide more examples.
Net Use X: /del will remove the drive mapping for testing, it will not delete any data.
You can also test authentication against the server with the Net Use command. If the authentication fails with "incorrect user name or password" then either the syntax, username, password or some combination of all 3 are wrong.
Option #2 is not secure and not recommended but could work as a temporary solution.
djeidot : Yes, the problem was the different usernames in server and client, as I put it on my second edit. However, I tried to use your Option 2 and I could never map a network drive that way...Ed Fries : If Net Use isn't working then it's either the username/password combination, the syntax of the command or a firewall. If access/mapping works with Everyone/Full on the share then it's not a firewall issue. From your 2nd Edit, the username/password on the workstations don't matter, you only use the server username/pswd. You can logon to a wkstn1 as BJones but the cmd to map to the server would still be "net use X: \\server\Share /user:ServerName\ServerUser ServerPassword". If that doesn't work then take out the "ServerName\" and try .../User:Serveruser ServerPassword". Try from the server.Ed Fries : I don't have workgroup machines to test on, it's very possible the correct syntax is: Net Use X: \\server\share /user:ServerUserName ServerUserPassworddjeidot : OK, i got the "net use" option working, but it's just easier to change my computer's username. I'm going to consider switching to a domain. Thanks for the help!From Ed Fries -
i don't how to access share folder using user name and password
0 comments:
Post a Comment