Network shares don't prompt for credentials for local administrator

    Question

  • I recently installed Windows Server 2012 and set up several shared folders and seem to have run into a problem. When I am logged into the local administrator account (Administrator) on a client computer and go to \\server it immediately opens Windows Explorer with all the shared folders listed and when I click on any of them it gives the error:

    Windows cannot access \\server\folder

    You do not have permissions to access \\server\folder. Contact your network administrator to request access.

    If I log in to a domain account that has permission to one of the shared folders it goes right into the folder fine. I created a local standard user account named "test" and tried and it prompted for credentials immediately, like it should. It seems to only be the local administrator account that it will not prompt for credentials. 

    I was on Windows Server 2008 R2 previously and never had this issue from the local administrator account or any others. We often log in to the administrator account on machines in offices to install software from these network shares so it would be nice to get this feature back. 

    Does anyone have any suggestions as to why this is happening and how to fix it? I have spent the last couple of days researching this and have tried many, many things (changing security and share permissions, restarting services, checking network discovery and file sharing settings, restarting the server, and several other things) with no luck.

    Thanks in advance!

    Thursday, November 01, 2012 6:49 PM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

     
    Monday, November 05, 2012 7:47 AM
  • Hi,

    It's possible that a credential is saved for the server connection. Remove the existing credential to see what happens.

    When the local administrator is logged on to your client computer, open "Credential Manager" under Control Panel and remove all of the existing Windows Credentials related to the 2012 server.

    Regards,

    Diana


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, November 05, 2012 9:51 AM
  • Hello,

    I made some tests about your problem.

    I locally created a local account "user1" which is member of the local administrator group.

    If I try to access a shared folder on a server with user1, I'm prompted for a user name and a password.

    If I try with the local administrator I get the same result as you. I immediately go into the folder.

    The thing is that my local administrator has the same password as my domain\administrator account.

    If I change my local administrator password, I'm prompted for authentication to access the shared folder.

    Is this your case?

    Regards.

    Seb


    Monday, November 05, 2012 9:59 AM
  • I checked Credentials Manager and I had nothing listed. I also tried connecting to \\server from a second computer (clean install of Windows 7) with the same results so I don't think this is the issue.

    My local administrator password on the client machines and the administrator password on my Server 2012 machine are different. I did just try logging into the local administrator account on one of the client machines and changed that password and then tried going to \\server again and it did prompt for credentials like it should. This is not a solution because I cannot change the administrator password every time I need to access these file shares (I also have technicians accessing these shares from the local administrator account).

    Thanks!

    -Steve

    Monday, November 05, 2012 2:03 PM
  • You'll only have to change your local admin password once, and you won't have to change it every time you need to access the share.

    Regards.

    Seb. 


    Monday, November 05, 2012 2:51 PM
  • If the administrator's password on the client is the same as the password on the server you access, the credential prompt does not show up. The behavior is the same on Windows Server 2003, 2008 and R2.

    You only need to change either administrator password.

    Regards,

    Diana



    Wednesday, November 07, 2012 6:04 AM
  • The administrator passwords are different on both the clients and server I am connecting to. This problem is also happening when connecting from a Windows 8 client, not just Windows 7. Changing the administrator password on a client machine so I can access this 2012 server is not going to work because there are several technicians that share the administrator credentials for the client machines and need to access the shares on this server on a weekly basis. We have over 500 machines to manage so that is not a solution to our problem. I am at the point where I will probably be downgrading back to 2008 R2 since that was more reliable for us.

    Thursday, December 06, 2012 9:18 PM
  • Does the local administrator on the client have the same password as the domain built-in administrator? You can create a new user account on the client, add it to the administrators group, and check the result. Or you can rename the local administrator on one of the clients and try to access \\2012servername again.

    I did testing in my lab: if the administrator's password is not the same on client and server, or is different from the domain built-in administrator's, I always get a credential prompt regardless of which servers I access, running 2003, 2008 or R2, and 2012. If the password is the same, no credential prompt pops up on any of the servers, including 2003, 2008 or R2, and 2012 server.

    Regards,

    Diana



    Saturday, December 08, 2012 3:46 AM
  • The local administrator passwords on the client machines are used nowhere else; my 2012 local administrator password and domain admin passwords are all different.

    I have created a new local account and added it to the administrators group and that will prompt for credentials, just the built-in administrator account will not. Since this worked fine under 2008 R2 with no problems, I would say it is either a bug or a feature of 2012 (depending how you look at it), so I will plan to move back to 2008 R2 in the coming days unless I find some way to fix this in the meantime without the need to change the administrator password every time on a client machine.

    I appreciate your help.

    Tuesday, December 11, 2012 9:57 PM
  • I am not getting the same results you are in my testing, but this is likely because I disable default Administrator accounts in my test environment and use accounts that I create instead (this is an important security tactic, as the default accounts have some vulnerabilities in how they are created that can allow an attacker to break in with them). I suspect the problem is actually that your local administrator has the same *username* as the local or domain administrator account on the server. Basically, what's happening is the server is getting a login from Administrator and using the stored credentials of that administrator account to connect to the server. You may have some settings on your file shares that are allowing Administrator access to the root share, but when you attempt to access anything below that, it's blocking because it's using a different Administrator password than is expected. To test, change the username of your Local Administrator account or disable the default Domain Administrator account and try to access the server. If it works, you probably need to change the local administrator account on all your client machines (this is actually very easy to do with a GPO).
    • Marked as answer by VTsteve Wednesday, December 12, 2012 3:47 PM
    Tuesday, December 11, 2012 11:01 PM
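
    One way to check, on the server, which account name and workstation a share connection actually arrived with, as the answer above suggests the server is seeing a login from "Administrator". This is an added example, not part of the original post; it assumes logon auditing is enabled on the server and that the account name under investigation is Administrator:

```powershell
# Run in an elevated PowerShell session on the file server.
# Lists network logons (LogonType 3) for one account name over the last hour,
# from Security events 4624 (logon succeeded) and 4625 (logon failed).
$userName = 'Administrator'            # assumed account name under investigation
$since    = (Get-Date).AddHours(-1)

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -eq '3' -and $data['TargetUserName'] -eq $userName) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                AuthPackage = $data['AuthenticationPackageName']
                Status      = $data['Status']   # populated on 4625 only
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

    Browse to \\server from the client first, then run the query: the Account and Workstation columns show whether the client's own Administrator name was presented to the server without a prompt.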
  • That did it, I renamed the Administrator account on the 2012 server to Administrator1 and the client machine prompted for credentials the next time I tried it from the local Administrator account.

    I am going to read up more on why not to use the local administrator account but for the time being it is working like it used to. 

    Thanks for all the help, I really appreciate it!

    Wednesday, December 12, 2012 8:52 PM
  • The main reason for disabling default administrator accounts is that "Administrator" is a well-known account name. This means that hackers will always use the username administrator first when they attempt to log in to a Windows-based network. Just changing the username isn't necessarily sufficient to prevent this, since the default administrator accounts also have a well-known GUID assigned to them. It's less of a problem than having an account named Administrator, but if a hacker can obtain the domain or computer GUID prefix (which is randomly generated when the Domain is created for domain accounts or the OS is installed for local accounts) they can use the well-known administrator and guest GUID suffix in combination with a third-party utility to attempt access without having to know the actual name of the administrative account. Creating a new account generates a random GUID suffix for the account, which prevents unauthorized users from being able to determine which account is an administrative account when logging in with a GUID. One of the most important parts of hardening a Windows Server/Desktop is to rename, then disable the default administrator and guest accounts after creating a new administrative account and granting it the necessary privileges. (So's ya know)
    • Edited by acbrown2010 Wednesday, December 12, 2012 9:12 PM
    Wednesday, December 12, 2012 9:11 PM
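
    An audit of the hardening step described in the last post (rename and disable the default administrator and guest accounts), as an added example that is not part of the original thread. On Windows the fixed suffix the post refers to is the last component of the account's SID (500 for the built-in Administrator, 501 for Guest), so the script finds those accounts by that value rather than by name; it assumes Windows PowerShell 5.1 or later and English default account names:

```powershell
# Run locally on each machine to be audited (read-only; changes nothing).
# Uses the Microsoft.PowerShell.LocalAccounts module shipped with PowerShell 5.1.
$wellKnown    = @{ '500' = 'built-in Administrator'; '501' = 'built-in Guest' }
$defaultNames = 'Administrator', 'Guest'   # assumption: English-language defaults

$report = Get-LocalUser | ForEach-Object {
    # The relative identifier is the last dash-separated field of the SID.
    $rid = $_.SID.Value.Split('-')[-1]
    if ($wellKnown.ContainsKey($rid)) {
        [pscustomobject]@{
            Role            = $wellKnown[$rid]
            CurrentName     = $_.Name
            Enabled         = $_.Enabled
            HasDefaultName  = $_.Name -in $defaultNames
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

$report | Format-Table -AutoSize

# Flag anything that does not match the recommendation in the post.
foreach ($row in $report) {
    if ($row.Enabled)        { Write-Warning "$($row.Role) '$($row.CurrentName)' is still enabled." }
    if ($row.HasDefaultName) { Write-Warning "$($row.Role) still has its default name." }
}

# Show who else holds local administrative rights (S-1-5-32-544 is the
# built-in Administrators group), to confirm a replacement admin account exists.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```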