Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, January 17, 2020 1:37 PM
Hi experts,
maybe I am getting to old to understand such a behaviour:
We have a single AD domain with several file and print servers, terminalserver and so on.
I have now created a Windows Server 2019 Test VM on Xenserver. This VM is not a member of this single domain but member of a new workgroup. While playing arround with that new VM I was looking at the network sourrounding and have found that I could access the shares of our file/print/terminal DFS Server/ even that this machine and its admin is not a member of that domain.
Why is this possible.
The access rights are according to MS standard, i.e access granted on share to everyone, but NTFS rights are only to domain admins or local admins and dedicated domain groups.
I thought, that I could access these shares only if I were promted to sign in with proper credentials.
On another Fileserver (also W2K8r2) on the same domain with network shares I am asked to sign in without seeing the network shares on this server. This is the expected behaviour.
Could someone shed some light in my black dumb brain?
BR Andreas
All replies (7)
Monday, January 20, 2020 10:25 AM âś…Answered
Please remove the user credentials from Credential Manager or restart the VM to do a test.I would suspect credential is automatically saved before.
If it still doesn't work, please change another user account to do a test.
Checked, no credentials were stored. As suggested, I have created a new user account with full local admin rights.
Result: No access to any network shares in our AD domain. This results has showed me a route to look into and the confirmation that this is a wrong behaviour of the security model of MS products
The local admin account of the terminalserver in question has the same username (administrator) and password as the test VM local account!
However, I would have expected that account
VMNAME1\administrator
is something different as
VMNAME123\administrator
So it is obvious that the login process on network shares accepts credentials from a different system and grants access as long as username and password is also applicable on the local machine.
This is not what I would expect but explains the result, therefore my question is answered.
Thank you for helping me to find the right way!
Friday, January 17, 2020 6:36 PM
Why is this possible.
Are you logged on with an account that has the same name and password on the target servers?
Is the guest account enabled on any server?
Saturday, January 18, 2020 11:38 AM
1. create account in your workgroup PC
2. Grant shared/security permission for that account.
3. Assign static IP for the workgroup PC
3. Add shared folder by saving credentials in credential manager
Check information given below,
https://etc.usf.edu/techease/win/files-sharing/how-do-i-connect-to-a-shared-folder-on-the-network/
Saturday, January 18, 2020 2:13 PM
1. create account in your workgroup PC
2. Grant shared/security permission for that account.
3. Assign static IP for the workgroup PC
3. Add shared folder by saving credentials in credential manager
I don't think that you read the question correctly. He's not asking for instructions on how to connect, he is able to connect and is asking why/how that is possible.
Your item #2 will not work. He cannot grant access to the DFS share to a local account on a different machine. That domain joined server has no way to authenticate the local account on the workgroup machine
What does assigning a static IP have to do with anything?
Monday, January 20, 2020 3:58 AM
Hi ,
>>I thought, that I could access these shares only if I were promted to sign in with proper credentials.
Yes, your thought is right. If we want to access there shares from workgroup member, we need to sign in with proper credentials.
Please remove the user credentials from Credential Manager or restart the VM to do a test.I would suspect credential is automatically saved before.
If it still doesn't work, please change another user account to do a test.
Best Regards,
Candy
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Monday, January 20, 2020 9:12 AM
Are you logged on with an account that has the same name and password on the target servers?
Is the guest account enabled on any server?
No, on the new test VM I am logged in as user "localmachinename\administrator" with a total different password. There is never a guest account enabled.
Tuesday, January 21, 2020 1:34 AM
Hi ,
Thanks for your posting here and sharing.
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Candy
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]