Why I as a member of domain users group can not access shared folder of non-domain PC? RRS feed

  • Question

  • According to NTFS permissions for that share on non-domain PC, there is a "full control" granted to group USERS which includes NT AUTHORITY\Authenticated users. As far as I understand, if I am a member of a domain users group than I have the right to access that folder even on out-of-domain PC if "NT AUTHORITY\Authenticated users" included in ACL for this folder.

    And if not all domain accounts can access such a folder than how to define what domain accounts can access the shared folder on non-domain PC if NT AUTHORITY\Authenticated users is included in ACL for that folder?


    Thursday, February 17, 2011 10:52 AM

All replies

  • Ok you have the NTFS permission in check but what about the sharing permissions. Because the least permissive takes precedence.

    So you have to have shared permissions as well.

    In addition you might need to try the everyone group for NTFS permissions and the shared permissions. take it from there, and start limiting those permissions until you lose access. You can also clear the permissions and re-add them.

    Please do not forget to select the best answer if it helps you! The Ultimate computer newbie guide since the discovery of spoon feeding! The Computer Manual dot Com
    Thursday, February 17, 2011 2:45 PM
  • As I understand you have a fileserver which is not domain integrated and you want to acces the shares from within the domain?

    "Authenticated users" refers to the users that could be authenticated in the current context(whose name is known and the password correct). A non-domain joined computer will never be able to authenticate domain users because the authentication context is not the domain, but the local computer.

    So you will have to authenticate first to the fileserver. This can be doen using a local (on the fileserver) account that has permissions to access the share. You can use the "map network drive" GUI functionailty or "net use" command and specify alternate credentials.

    Another method, which I would not recommend, is creating a local user with same name and password as on teh domain locally on the fileserver. in that way users should be able to authenticate transparantly.

    I think in you scenario, you bets consider to add the server to the domain in order to make easy authentication possible.


    edit: think of the scenario in another way; if your assumption was correct, any user from any domain would be able to access restricted file shares on any non-domain joined pc.... sounds to me as a security hole as large as the moon!

    Thursday, February 17, 2011 3:08 PM