locked
Can't connect to workgroup from domain RRS feed

  • Question

  • I have a small domain and also a Win7 and a Vista machine each in a workgroup. I'm unable to connect to C$ or Admin$ on the workgroup machine from any of the domain machines. I'm using an account on the workgroup machine using an account that's in the local admin group using hostname\username format (also tried username@hostname). File and Print Sharing is enabled and I even tried turning off the firewall but that didn't help. I can ping them, I just can't connect to C$ or Admin$. I've tried connecting to both \\hostname\C$ and \\IPaddress\C$.

    Jonathan

    Friday, January 27, 2012 10:24 PM

Answers

  • I found the problem! UAC on Vista/Win7 changes incoming network connections to User level even if the account has admin priveleges on the machine. Adding this reg key and setting the value to one changes that. I can now connect with no problem!

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

    • Marked as answer by WinSvrAdmin Wednesday, February 1, 2012 4:35 AM
    Wednesday, February 1, 2012 4:35 AM

All replies

  • Try this 

    http://www.winsupersite.com/article/windows-7/windows-7-feature-focus-homegroup

    or

    Click on the start menu and type secpol.msc in the search box. Browse to "Local Policies" => "Security Options". 

    Search the option as "Network Security: LAN Manager authentication level" make double click to open it. Click on the dropdown menu and choose "Send LM & NTLM - use NTLMv2 session security if negotiated". Now Apply the configured settings.

    In the setting of Advanced sharing, Page of Network and sharing center, you need to have it set as Work/Home profile and follow some guidelines and try out this :

    -Enable network discovery
    -Turn on file and print sharing
    -Turn off password protected sharing
    -Use user accounts and passwords to connect to other computers

    Another settings like encryption that I have set as use 128 bit encryption.
    and check the related policies with the following way :

    1. Type “gpedit.msc” in the Start=>Search box.
    2. Browse “Computer Configuration”/Windows Settings/Security Settings/Local Policies/Security Settings.
    3. In the right pane, enable the following policies:

    Network access: Allow anonymous SID/name translation
    Network access: Let Everyone permissions apply to anonymous users


    Regards, Kalyan.
    Monday, January 30, 2012 9:12 AM
  • All systems, both domain and workgroup have LAN Manager authentication level set to Use NTLMv2 only, deny LM & NTLM. Since all clients run Vista or Win7, this should not be a problem.

    As for the Network access settings, I have those set to Disabled as I think setting them otherwise is not good security policy. And it doesn't interfere with access between the domain systems, I don't see why that should interfere with the workgroup systems.

    Jonathan

     

    Monday, January 30, 2012 8:22 PM
  • I think you may need to enable this rule "Remote administration exception"

     

    netsh firewall set service type = remoteadmin mode = enable

     

    http://technet.microsoft.com/en-us/library/cc738900(WS.10).aspx


    • Edited by Brano Lukic Monday, January 30, 2012 10:11 PM
    Monday, January 30, 2012 10:07 PM
  • I think you may need to enable this rule "Remote administration exception"

     

    netsh firewall set service type = remoteadmin mode = enable

     

    http://technet.microsoft.com/en-us/library/cc738900(WS.10).aspx



    Tried it, didn't help. BTW, on my domain PC's remote admin is disabled though I can still do what I want with them remote.

    So there is something else on these workgroup systems that is preventing me from connecting to \\hostname\C$.

    Jonathan

    Monday, January 30, 2012 11:44 PM
  • I found the problem! UAC on Vista/Win7 changes incoming network connections to User level even if the account has admin priveleges on the machine. Adding this reg key and setting the value to one changes that. I can now connect with no problem!

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

    • Marked as answer by WinSvrAdmin Wednesday, February 1, 2012 4:35 AM
    Wednesday, February 1, 2012 4:35 AM
  • This access denied attempting to authenticate from domain servers or PCs to workgroup (especially the infrequent Windows Home editions) has been so frustrating. Thanks for posting this answer!  You don't even need to reboot. 
    Friday, January 31, 2014 2:15 AM