Improve company productivity with a Business Account.Sign Up


Network Access to Shares is Too Persistent

Posted on 2000-02-22
Medium Priority
Last Modified: 2013-12-28
Using   Windows NT Explorer   to ramble through   Network Neighborhood   I can access shares created on various systems.  For some shares I need to go through the   Enter Network Password   dialog.  If I gain access this way there does not appear to be a way to terminate the access, i.e. subsequent times that I logon to the local machine I will have access to the shares that I logged in to previously.  (This is different from mapping a drive letter where I can use   Disconnect Network Drive...  to sever the connection.)  How can I break this connection so that another network logon is required?
Question by:unlikelyloginname
  • 2
  • 2
  • 2
  • +1

Accepted Solution

shibu020500 earned 600 total points
ID: 2547096
Hi Unlikely,
            If u do not want to get the shares of a PC which u got after going thru this "Enter Network Password" Dialog box, u can go to the command prompt and type in
 u would see a list of shares and the drive letters mapped to it
 Out of that u can see \\machine_name\IPC$ entry which is enabling this access to the the shared resource of the PC to which u haven't mapped any drive letter.
U can delete this by using this command..
NET USE \\mach_name\IPC$ /delete
which would end the session and prompt u for a username and password next time u try to access the share.
If u want to remove all the shares u can use
NET USE * /delete
u could probably put it in a batch file to easen the job:-)
These connections are for a short period and are called deviceless connections.

             Good Luck
LVL 63

Expert Comment

ID: 2547230
Once you have accessed a share , the password is stored locally. So the next time you access it, you may not be required to enter a password. You could delete the *.pwl file if you want. Normally in the windows dir.
I hope this helps.
LVL 23

Expert Comment

by:Tim Holman
ID: 2549943
Windows NT Explorer will map shares persistently.
The only way to change this is to unmap the shares (net use /d) or remove the persistent status of the share via the registry.
Why do you want to 'break' the connection ?
Are you using the same username and password to logon ?
This all sounds like default behaviour to me.
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.


Author Comment

ID: 2551071
Curiouser and curiouser.

The client side shows a connection to   \\MyMachine\IPC$   when the share is in use.  It reconnects automatically after being broken with   NET USE \\MyMachine\IPC$ /d .  (Or after being disconnected by the server side using Server Administrator.)  I want to prevent automatic reconnection without forcing another network login.

There are several reasons that I'm mucking with this:

Curiosity.  Who is keeping track of the access that was granted long ago?  Is it hiding in the registry by SID?

A concern about security.  I deleted a share to which the client machine had access and later created a new share with the same name.  The client had access to the new share without performing a network login.  As an old (Eh?) system manager I would like to be able to look at the list of things that are "preauthorized", whether or not they currently exist, so that I can avoid creating something that I think is protected only to find that some old certificate somewhere is still valid.

The ability to tidy up loose ends.  I have made the mistake of using the browser, and a network login, rather than mapping a drive in order to help someone get a file.  Disconnecting a mapped drive is easy, but I can't seem to disable access that was obtained while browsing.
LVL 23

Expert Comment

by:Tim Holman
ID: 2551193
IPC$ connections are normal - they represent accesses to files that don't have a drive mapped to them.
So - if you're browsing through explorer, you'll get IPC connections for each seperate server you browse.
Even if you've already got a drive mapped to that server.

What's happening here should not affect security.

That boils down to NTFS permissions - if they're secure and in place, nothing can get past them (at least from a user's point of view :) ).

An IPC connection will be made to ALL servers the worksation access (including the PDC or BDC whenever they log on).

It seems a little mysterious that deleting a shared directory and recreating it retains NTFS permissions, as they're attached to the directory itself.

Are you sure this is the case ?

If you just delete the SHARE, then this would happen.  If you delete the SHARE+DIRECTORY, it shouldn't !

You have to make sure you apply NTFS permissions BEFORE you share the directory.

Hope this helps.


Expert Comment

ID: 2554401
Hi ,
    It seems to me my answer didn't satisfy you :-) . Anyway that was the answer to your query. Once using net use u r disconnecting a share , when u attempt to reconnect it would defenitely ask for a username and password ( only if the SID which u have used to login to the client PC is not present in the server)

U can check the status of ur share ( all shares to which u r connected )
using NET  USE command ...For the disconnected share it would be DISCONNECTED else OK

Now coming to the shares , When u share anything , the Computer Browser Service just broadcast the information throughout the network . This is  why u can see ur server shares from a client PC.
When a user Logs in , the NETLOGON service and Local Security Authority of the Server would verifying the user's info in the Security Accounts Manager Database . If his info is present he would be allowed to Login.

Coming to accessing resources ,the user would be given KEYS to the SHARES to which he is permitted to access. This you configure in the shares
Ex: DATA folder is shared .( remember , in NT by default it is Everyone Fullcontrol) . Since it is shared it's info would be broadcasted on the Network. And users like you and me see it from the NetNeighborhood. When u double click or try to access the share your SID passed on to the server to check whether (1) your account is present in the SAM database and (2) you have been permitted to access ( Default --> FullControl) , if yes u can see the contents and perform other operations.
Now if I stop the sharing and delete the folder and create another folder with a different name but SHARE it with the SAME name , naturally it would appear in Netneighborhood and when you access it ,ur Username would be checked as mentioned before and if accepted would be allowed to access.

To avoid such things share a folder only for those users who are meant to access it, remove the default ( Everyone--FullControl)Also as Tim Holman mentioned u can use NTFS permissions which again , by default, allows everyone.

  In brief , there is nothing in sharenames ,it is the accesslist which is associated with a share  more important.

  I believe this might have clarified most of your doubts
                  Good Luck

Author Comment

ID: 2554926
It seems that I missed a fundamental feature of "security" in Windows NT.  Share permissions don't apply if the client user's username and password happen to match an account on the system offering the share.

When setting file protections there is always the feature of having to remember to include access for   Me   and   Domain\Me .  I assumed that being schizophrenic, or at least plural, would extend to shares.  If the share permission allows access to anyone authenticated as   Svengali   on the serving machine then they must explicitly ask the server to authenticate them.  In fact, if the client happens to be   Svengali   on their machine, and the passwords match, then access is granted implicitly.

Sorry that it took so long for this to sink in.

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Read this tutorial to learn how to fix repeating password error prompts when setting up Gmail IMAP with Microsoft Outlook. The entire process is described with step by step, illustrated instructions. Enjoy...
This is a comprehensive review of a bundled Toolkit designed for use by IT Professionals and End Users to help Microsoft Outlook fans manipulate Outlook files and repair some common problems. Enjoy...
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question