Rights using RAS

Can someone explain to me how the accounts and user rights work when using RAS?

I have an NT 4 Server running RAS.  I want to be able to have a client call this computer and be able to log on and gain access to only a single directory on the server.  No other services should be available to this client from my server unless I specifically grant them.

I would create that directory on my server in advance and give it a share name.  I would create a user on my server and would assign a user name and password.

The usual client would be a Win 95 machine and would probably be part of another workgroup or domain.  I won't have access to the client username or password that was used to gain access to his workgroup or domain.  The client should use the user name and password I have created on my server.

I would guess there are different ways to accomplish this, so I'd like to know all the ramifications of the various options.

You would create and define the shares on your server just as you have stated.  You would also have to install RAS on your server (you can install RAS from the control panel).  You want to make sure you answer "This Computer" for traffic (broadcast) segmentation.  Using Remote Access Admin (under Administrative Tools Group) under User menu, grant the permission to dial in to the appropriate users.

On the Client side (win95) Dial-up Networking will need to be installed.  The Dial-up server type should be set for PPP Windows NT, Windows 95.  

Some additional notes that may help with problems you may encounter:  There is a registry setting you can change on the server that will enable the server to broadcast NetBIOS names to IPX dial-in clients.  At the server, update HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NwlnkIpx\Parameters

Value:  DisableDialinNetBIOS  Change from 1 to 0

Also, watch for the ability to enable dial-in NetBIOS during the Wizard-based installation of RAS - answer YES

Finally, you could setup a Policy for the RAS Server:

CATEGORY "Remote Access Service"
  POLICY "Allow NWLink dial-in connections by broadcasting NetBIOS names"
  KEYNAME System\CurrentControlSet\Services\NwlnkIpx\Parameters  ; note nw-L-nk-I-px
      VALUENAME DisableDialinNetbios
barthollis (Author) commented:
I'm sorry, perhaps I wasn't clear enough with my request.

I already have RAS running on my server.  The clients already have Win95 and Dialup Networking on their machines.

When they log on to their domain or workgroup, they use a name and password that is unknown to me.  In fact, I don't even know the name of the domain or work group.

I have created a domain user, with dial in permission on my server.  Of course that name/password is different than the one they used on their machine.

When they dial in to my server, they fill in the name and password I gave them when they dial.  Upon connection, they are presented with a log on dialog box asking for a password.  No matter what they enter, they do not gain access to my system.

The only way I have found to make it work is to have them log on to their workstation using the name/password I have given them.  This, of course, creates security problems at their end as I now have access to their system.

What I really want to know is how to get them to be able to log on to my system regardless of the user name/password they used to get onto theirs.

Then, I would like to know how to restrict them to just certain services.  Best bet would be they couldn't even see anything else.  Kinda like Netware <g>.

I want to thank you for the effort you have put into this request so far.  Although I think reject is a slightly strong word, and I certainly appreciate your efforts to this point, I am going to reject this answer to allow others access.
barthollis (Author) commented:
Adjusted points to 150
barthollis (Author) commented:
Adjusted points to 200
barthollis (Author) commented:
Adjusted points to 400
I can think of a couple more things you can look at.  On the client end (win 95) check the security settings on dial up network.  There are 3 levels of security - if you choose the NT authentication, I believe it will expect that workstation to be either a member of your domain or of a trusted domain.  Since it is not, choose one of the other options.  

On your server, did you use the Remote Access Administrator to give the dial-up user access to the machine?  If so, then you can setup shares that will allow the user to see and access only what you want them to see.  Hope this helps more than my first try.
barthollis (Author) commented:
Thanks for your response.

I'll have to check the Win boxes security settings.  I don't know what they are.

On the server: I did give the user dial in rights.

I pulled the cable from one of my Win boxes, hooked it to the phone line and tried some things.  Seems like if I give the user admin rights, it works as expected.  He can get everything.  If I create a group called RASUser for instance, when I dial in, the server says I have Guest permissions.  I THOUGHT I disabled the guest account!  I can see everything although I can't do everything.  I'd like the RASUser to be able to see only the shares I have specifically allowed.

The thing that is most important to me right now is this:  I want to have a user (BOB) be able to dial up my server and have full access to G:\BOB (a subdirectory on G: of my server.)  I create a subdirectory called BOB.  I create a share called BOBDIR, give full permissions to BOB and take out the Everyone permissions.  I create a user called BOB, and grant Dial in rights.  BOB also has to see the root of G:, right?  BOB should not be able to see anything else, right?
So far it sounds good.  When your user (Bob) dials into your machine, he should use the ID/password (bob/whatever) as is defined on your machine.  Make sure that the domain name on his machine is set for your server.  Once Bob successfully logs on, he will need to create a map to the share you defined (BOBDIR).  Once the user is logged on, have them right click on My Computer and select "Map Network Drive".  The drive letter should not matter.  In the path have them type:  \\Your-Server\BOBDIR  then click ok.  If you get an error, try the same thing, but in the Connect As box add the following:  Your-Server\BOB

Hope this helps
barthollis (Author) commented:
So far so good.  What if BOB's computer is part of a domain already?  I mean what if he's calling from work and already part of a domain there?

And how come he gets to use the guest account on my server when I have it disabled?
It doesn't matter if BOB's computer is part of another domain or a standalone.  When he uses RAS to login to your server he is basically just creating a map to another machine using a connect as.  Basically the workstation will be logged into BOB's domain (his normal work domain) and will have a drive mapped to your share (BOBDIR) connected as BOB (a member of your domain).

If you've disabled the guest account using User Manager for Domains on your server, I'm at a loss as to how BOB can connect to it using that ID.  Try and verify that he is using the guest account as defined in your domain by either renaming the guest id or giving it a password only you know - then try logging on with that ID again.
The guest account does not ordinarily have a password, you should avoid giving this account dial-in permissions (which will be given if you select to give all users dial-in permissions - a pain in NT as you can choose all, none or manually go through and select individual users).  If you intend to grant guest dial-in access, either strictly restrict permissions assigned to this account or assign a password.  But again, you should not give it dial-in permissions.

UNLESS - You want to do what you have stated.  Give the guest account access to the directory(ies) which you wish.  You can do this with the User Manager for Domains and revoke all permissions from the guest and then add only the permissions necessary to gain access to that directory - which is pretty easy, create the directory and assign it rights to the guest and yourself or the group which you wish to access internally.

Here is a supporting word from Microsoft:

Windows NT Remote Access Service (RAS) does not permit unknown user accounts to access a RAS server remotely. On many local area networks (LANs), an anonymous guest account is established to enable some access to the LAN even if you are not an official member. However, you will be unsuccessful if you try to connect to a LAN via Windows NT RAS from a non-recognized account, even if a default guest account has been established. However, if you use the guest account directly by actually specifying "guest" as your logon name, you will be able to connect to the LAN.

To restrict guest or unknown user access to your network from RAS, you need to disable the guest account, restrict the guest account's dial-in permissions, or assign a password to the guest account.


NOTE: This example assumes there are no trust relationships between the RAS server and other domains, a guest account is enabled, and RAS Administrator has given dial-in permissions to the guest account.

• A Windows NT RAS client dials into a Windows NT Advanced Server RAS server.
• The client supplies "Joe" for the account and "MS" for the password.
• RAS Server does not have an account for "Joe."
• The client fails authentication and is prompted for a new account and password.


RAS user authentication is similar to network access authentication. The server logs the user on via LsaLogonUser and then logs him off with NtClose. RAS logs the user on to find out if guest credentials were used or not. RAS then logs the user off; RAS only uses this logon session for checking credentials and does not enable the user any access to the network. The logon session of interest to the user is the one created when logged onto the system interactively. If the user has guest credentials then RAS rejects his authentication.

A result of this is an interesting security audit trail. In User Manager, choose Auditing from the Policies menu. Choose Audit Logon and Logoff. When a remote client dials in, as in the example above, you will see "Joe" successfully logged in as Guest and then logged off. It looks like a successful guest access. However, RAS detects the guest permissions and rejects the authentication.
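
The audit pattern described in the Microsoft text above, as an added example that is not part of the original thread: a Python triage of logon (528) and logoff (538) audit events that separates the brief Guest-mapped session RAS opens and then rejects from Guest sessions that stay open. The CSV layout, its column names, the sample rows and the two-second window are constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

LOGON, LOGOFF = "528", "538"          # NT security log: successful logon / logoff
CHECK_WINDOW = timedelta(seconds=2)   # assumed bound for a credential-check session

# Constructed sample: simplified CSV export of logon/logoff audit events.
# The column layout is an assumption for this example, not a real log format.
SAMPLE = """\
time,event_id,logon_id,supplied_user,effective_account
1998-03-02 09:14:07,528,0x1A2B,Joe,Guest
1998-03-02 09:14:07,538,0x1A2B,Joe,Guest
1998-03-02 09:20:41,528,0x1A40,BOB,BOB
1998-03-02 09:20:42,538,0x1A40,BOB,BOB
1998-03-02 10:02:10,528,0x1B00,Guest,Guest
1998-03-02 10:45:30,538,0x1B00,Guest,Guest
1998-03-02 11:00:00,528,0x1C00,Ann,Guest
"""

def triage(export_text, window=CHECK_WINDOW):
    """Pair logon/logoff events by logon ID and label each session."""
    opened, sessions = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event_id"] == LOGON:
            opened[row["logon_id"]] = (when, row)
        elif row["event_id"] == LOGOFF and row["logon_id"] in opened:
            start, first = opened.pop(row["logon_id"])
            sessions.append((first, when - start))
    # Logons with no matching logoff are still open: duration unknown.
    sessions += [(first, None) for _, first in opened.values()]

    findings = []
    for first, duration in sessions:
        as_guest = first["effective_account"].lower() == "guest"
        named_guest = first["supplied_user"].lower() == "guest"
        brief = duration is not None and duration <= window
        if as_guest and not named_guest and brief:
            label = "unknown-name-mapped-to-guest"  # the "Joe" case: RAS rejects it
        elif as_guest:
            label = "guest-session-review"          # Guest session that stayed open
        elif brief:
            label = "credential-check"              # named account, logon then logoff
        else:
            label = "session"
        findings.append((first["logon_id"], first["supplied_user"], label))
    return sorted(findings)
```

Sessions labelled `guest-session-review` are the ones to follow up, since they are Guest logons that did not close straight away the way the RAS credential check does.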
barthollis (Author) commented:
I have received partial answers to my questions.  That's why I haven't accepted an answer yet.  I have also spent about 7 hours trying different things.  I have narrowed my question down to just one thing now.

Is there a way to force my server to recognize the user/password combination used in DUN if it is different from the logon user/password?

Here's the scene.
A user logs into his computer running Win 95, using a user name of "George" and a password of "Password".  He is allowed access to his domain of "Whatever" and can operate normally.

He calls up DUN on his machine, enters a user name of "Bob" with a password of "Secret" and the domain of "Remote" (which is my domain name).

I have created a user of "Bob", assigned a password of "Secret", granted dialin rights, and have set permissions on the shares I want him to be able to access.

When the connection is made, my server verifies and accepts "Bob" as a user and logs him onto the system.

However, when the user attempts to use any services, such as mapping a drive, he is unable to do so and is presented with a dialog box asking for a password.

It seems that his machine is presenting his original user name, "George" and the password, "Password" at this time.

If I ask for his original user name so I can set up a user on my machine for him, we have committed a 50% security breach of his system.

Do I have to live with this?  Or, is there a way to have his machine send the DUN user/password to my machine during a request?

barthollis (Author) commented:

I still don't understand this situation.  Are there two login names being used?

Yes you have to live with this.  MS Authentication is based on how the user logs into his system, and will automatically try to mount shares based on the user's WINDOWS username and password.  If they are not the correct password for your server the user will then be prompted for an alternative password.

The only resolution for this is to ask for the username of the user connecting to your server, assign that user a unique password and then allow the user to change the password to whatever he or she would like.  You will no longer know the password to the user's account but I don't think you will consider this a problem considering your situation.

I have used this solution for several other NT server admins that did not want their personal passwords general knowledge, but I still wanted them to be able to dial up my server.

My one suggestion is if you are going to have accounts that do not trust you to know the password for them, is to lock their user accounts to their computer, i.e. only allow them to log in from certain workstations.

I am the server admin for several hundred users that have laptops that dial into my server and upload data on a daily basis.  In order to improve security I have made it so that each user has their own directory on the server and that in order to log onto the server the user can only be logged onto their laptop.  So besides just the username and password they also have to be on the right computer.

To limit the dial in users to only access certain services, you must use the user manager and edit the group that they are in so they are limited to what you want them limited to.  Then remove that access to all other components in your system.

barthollis (Author) commented:

Not the answer I was hoping for, but plain, simple and accurate nonetheless.

One final point.  You say: "and will automatically try to mount shares based on the user's WINDOWS username and password. If they are not the correct password for your server the user will then be prompted for an alternative password."

Why does a valid user/password not allow access at that time?  I mean if the user enters a user name and password other than that used to log onto his computer, why won't my server use the information he enters at this prompt?

The idea of restricting the log in computer will certainly help.

Thank you all for your efforts with my problem.

I am accepting skyman's answer as it fits my needs within the limits of the operating system.