Group Policy to prevent non-AD machines accessing AD resources?


  • We're new at AD (government!) and we're slowly converting our non-AD servers and workstations to AD.  Our administrator recently made a broad set of policy changes, one of which resulted in an account on a non-AD server being unable to access an AD-controlled share.  That account runs a service with cached credentials for an AD account that has access to that share through AD.  Until those changes, the service was able to do its work on the AD share with no problems.  Does anyone know what policy controls that kind of access?  We'd like to change that specific policy while enabling the rest of the changes.

    Let me describe this situation again to clear up what I'm asking.  Server A is in our AD domain.  Share 'A\files' is a share on server A that contains the files we want to access.  Server B is not in our AD domain, but is on the same network, and the two machines are on the same subnet.  We have an account "fileaccess" in our AD domain that has read/write access to the share "A\files".  We have an account ("accessor") on server B that a service runs under.  In the credentials vault for account "accessor", we have the credentials for "fileaccess" stored.  Before the group policy changes, the service running on server B under account "accessor" was successfully able to do a "net use" with the credentials for "fileaccess" to access the share on server A.  After the policy changes, access was denied.  Our administrator claims this was because one of the policies prohibits non-AD machines having access to AD resources.  The question is, what policy is that?

    Thanks for any help!

    Tuesday, August 18, 2015 9:01 PM

All replies

  • What does the error message say when you access the share? Only "access was denied"?

    I'm not aware of any policy setting that can do this if you are sure they are on the same network. Please try using the FQDN instead, for example, \\\files, and see if it works.


    Monday, August 24, 2015 10:09 AM
  • Look at your GPOs that apply to 'Server A' and see if the following policy is set:

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny access to this computer from the network

    Thursday, September 3, 2015 10:29 AM
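
A way to check the policy named in the last reply, as an added example that is not part of the original thread: it exports the user rights in effect on the file server with `secedit` and lists which accounts hold the deny and allow network-logon rights. It assumes an elevated PowerShell session on Server A; the temp file name and the helper function name are arbitrary.

```powershell
# Added example: run elevated on the file server (Server A in the question).
# Exports the user-rights section of the security policy currently in effect
# and lists the principals on the two rights that govern network (SMB) logons.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants as written by secedit, with their Group Policy display names.
$rights = [ordered]@{
    SeDenyNetworkLogonRight = 'Deny access to this computer from the network'
    SeNetworkLogonRight     = 'Access this computer from the network'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..." and some accounts as plain names.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    $sid = $entry.TrimStart('*')
    try {
        $nt = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
            [System.Security.Principal.NTAccount])
        return "$($nt.Value) ($sid)"
    } catch {
        return "$sid (unresolved)"
    }
}

$lines = Get-Content -Path $cfg
foreach ($name in $rights.Keys) {
    '{0} [{1}]' -f $rights[$name], $name
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if (-not $line) { '    (no entry in export)'; continue }
    # Everything after "=" is a comma-separated list of principals.
    $members = (($line -split '=', 2)[1] -split ',') | Where-Object { $_.Trim() }
    if (-not $members) { '    (empty)'; continue }
    foreach ($m in $members) { '    ' + (Resolve-Principal $m) }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

A deny entry takes precedence over an allow entry for the same account. To see which GPO a setting comes from, `gpresult /h report.html /scope computer` on the same server produces the Resultant Set of Policy report.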