Strange shared folder issue

I have a folder shared out on a Windows 2003 Enterprise Edition server.  The server is a member of a 2003 AD.  I can't say for sure if the server is in 2003 native mode, but I'm pretty sure it is.  I don't think it matters for this question though, but I'm not sure so I will give the info I have.

The share is set up as such:

Share Permissions:  "Everyone" group has Read permissions
NTFS Security Permissions:  "Administrators" inherit full control, "Everyone" group has been explicitly granted allow read & execute, list contents and read permissions.  Users inherit Read & Execute, List Contents and Read.  SYSTEM has full control.  Creator Owner is listed but is not explicitly granted any permissions (allow or deny).

There are no other entries in either the ACL or the Share permission setup.

When I am logged in as any domain user, I can access the share just fine by typing in \\server\share

However, if I log in as a local user account (the local administrator account on a machine for example), I am prompted for a password when accessing the share.

The "everyone" permissions are not inherited.  There is no Access Control Entry in the root of the drive for "everyone"...just in my shared folder.

I can get into the share once I put in any domain credentials, but I'm very confused by this..."Everyone" read permissions means EVERYONE can access it, right?  If I wanted to require authentication I would put in "Authenticated Users" or "Domain Users" or other domain security groups or users I want to grant access to.

I'm pretty familiar with file shares and NTFS security permissions, but I've never run into a situation where I was prompted for a password with "Everyone" in the access control list.  Can anyone shine any light on this for me?
mslunecka Asked:

wingatesl Commented:
This is working correctly; as a local computer user, you have to authenticate to the domain when you connect. Even though share permissions say read for everyone, what do the NTFS permissions say for everyone? The easiest way to handle the permissions game is to give full control to everyone at the share level and then control the access at the NTFS level. Chances are you just need to put everyone in the NTFS ACL and give them the level of access you desire. The reason I say to give full control to everyone at the share level is that now you only have to deal with NTFS; it becomes a lot less confusing.
Shawn
0
mslunecka Author Commented:
Share permissions for Everyone are set at "read" and NTFS permissions for everyone in the NTFS ACL are set for "Read & Execute", "List Contents" and "read".

I'll try going with Full Control on the File share Permissions.  I know the recommendation is to give Full Access in the share permissions and then do restrictions in NTFS, but I usually do both just to be safe.
0
mslunecka Author Commented:
No luck with increasing Everyone share permissions to Full Control.  I still can't access the share without authenticating.  
0
mikeleebrla Commented:
I think you are confusing what the EVERYONE group is. The everyone group consists of every domain account and every local account of the local machine.  If you are talking about accessing a share from a remote computer while you are logged into the remote computer with a local account, then that account is local to the remote computer, not the local one where the share is.  That is why you are being prompted for authentication, b/c the account you are using is not a domain account and it is not a local account on the machine where the share is.  As usual, the OS is operating just as it was engineered.  If you want truly ANYONE to be able to access the share, you can do this with an anonymous user account such as the IUSR account that is designed for public access to IIS (web server).
0
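
A simplified model of the check described in the answer above, added here as an illustration (it is not part of the original thread and not Windows' actual code): the server must first authenticate the caller and build an access token, and only then are the share and NTFS ACLs evaluated against that token. The names CORP, SERVER, WORKSTATION1 and all function names are hypothetical; the model ignores matching local accounts on the server and the Guest account.

```python
# Added illustration: a simplified model, not Windows' actual implementation.
EVERYONE = "S-1-1-0"              # well-known SID: Everyone
AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID: Authenticated Users
ANONYMOUS_LOGON = "S-1-5-7"       # well-known SID: Anonymous Logon

SERVER, DOMAIN = "SERVER", "CORP"  # constructed names for the file server and its domain

def build_token(account):
    """Return the SIDs in the server-side access token, or None when the
    server has no authority that can verify the account (credential prompt).
    `account` is an (authority, user) tuple, or None for an anonymous session."""
    if account is None:
        # Server 2003 default: the anonymous token does not carry Everyone.
        return {ANONYMOUS_LOGON}
    authority, user = account
    if authority not in (DOMAIN, SERVER):
        return None  # account exists only in another machine's local database
    return {f"{authority}\\{user}", EVERYONE, AUTHENTICATED_USERS}

def granted(acl, token):
    """Union of the rights in allow entries whose SID appears in the token."""
    rights = set()
    for sid, allowed in acl:
        if sid in token:
            rights |= allowed
    return rights

def effective_rights(account, share_acl, ntfs_acl):
    """ACLs are consulted only after authentication has produced a token;
    the result is what both the share ACL and the NTFS ACL allow."""
    token = build_token(account)
    if token is None:
        return None
    return granted(share_acl, token) & granted(ntfs_acl, token)

# The configuration from the question, reduced to the Everyone entries.
SHARE_READ = [(EVERYONE, {"read"})]
SHARE_FULL = [(EVERYONE, {"read", "change", "full"})]
NTFS = [(EVERYONE, {"read", "execute", "list"})]

if __name__ == "__main__":
    for who in [("CORP", "alice"), ("WORKSTATION1", "Administrator"), None]:
        print(who, effective_rights(who, SHARE_READ, NTFS),
              effective_rights(who, SHARE_FULL, NTFS))
```

Raising the share permission to Full Control changes nothing for the workstation-local account, because the failure happens before any ACL is read.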
mikeleebrla Commented:
Thanks for the A grade. Just remember, everyone doesn't mean ANYone.
0
mslunecka Author Commented:
No problem.  Thanks for clarifying that for me.  I always thought Everyone was basically the same as allowing anonymous user access.
0
Question has a verified solution.