How to give access to shared folder but nothing else in W2K domain for non-domain users/computers.

Posted on 2006-04-13
Last Modified: 2012-05-05
What is the best solution to this problem:
An office with several companies which share a network printer and Internet access.  One of the companies - Company A - keeps its data separate from the others by running a Windows 2000 Server domain with one server and several member computers.  The computers in the other companies are in separate workgroups and they do not have user names or passwords for the domain or the domain computers.  The server runs Windows 2000 Server and the workstations run Windows 2000 Pro or Windows XP Pro and Home.  All of the computers are on the same network segment/subnet.  

Company A needs to share one folder on their domain server so that the people in the other companies can access it from their computers.  However, this is all the access/privileges they should have.  They should not be able to access any other shared folders on the server, and they should not be able to log onto any of the computers in the domain.  They should be required to enter a password when they connect to the shared folder.  

Will the Guest account or Anonymous access give them more privileges than they need?  Is it possible to create an account which they can use and lock down the account so they can't do anything else with it?  

Thanks very much.
Question by: efield

    Expert Comment

    I would stay away from the guest account or even using anonymous access for the shared folder.  Basically I would use a locked down account such as a "user" only.  Since they are on a workgroup they will have to authenticate a little differently than if they were on a domain.  If you can get the login prompt to come up when the workgroup users try to access the shared folder then they can just use the locked down account to authenticate and get to the share.

    It's so much easier if they are all on a domain though :)


    Author Comment

    What would the locked down user account look like?  What are the minimum privileges it would need to access the shared folder?  It would only need read-only permissions in the folder.

    Accepted Solution

    It really depends on how you use security on the other resources in the domain.

    I am going to assume that your file share exists on an NTFS file system.  Assuming it does, you can use the permissions tab on the folder properties and give the user account read permissions while giving other users modify or full control (I never give users full control, they always try to take admin / backup agent permissions away).

    Watch out though, if you have other shares and/or resources that use the Everyone or Authenticated User permissions to provide access, this new account will also have rights to them.

    I also believe that this new account could query your Active Directory and look up user / printer information etc., for example, if you keep phone numbers, title info etc. in your AD, the user account by default could read that info, it's likely not a big deal, but is accessible.

    I suggest you experiment with it in your environment.

    Hope this helps, Dave
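
An added example, not part of the original thread: a PowerShell audit for the caveat in the accepted answer, listing every share that a newly created account could already reach through broad principals at both the share and NTFS layers. It assumes a server with the SmbShare module (Windows Server 2012 or later; Windows 2000 itself has no PowerShell) and an English-language system, run by a domain account; adding `Domain Users` and `BUILTIN\Users` to the list goes beyond the two groups the answer names.

```powershell
# Added example: find shares a new "locked down" account would reach anyway.
# Everyone and Authenticated Users are the groups named in the answer above.
# Domain Users and BUILTIN\Users are added here as an assumption, because a
# new domain account is a member of both by default.
$broad = 'Everyone',
         'NT AUTHORITY\Authenticated Users',
         'BUILTIN\Users',
         "$env:USERDOMAIN\Domain Users"   # assumes the script runs as a domain user

$report = foreach ($share in Get-SmbShare -Special $false) {
    # Layer 1: share-level permissions that allow a broad principal.
    $shareAces = @(Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.AccountName })

    # Layer 2: NTFS permissions on the shared folder itself (root only).
    $ntfsAces = @()
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $broad -contains $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        Share      = $share.Name
        Path       = $share.Path
        SharePerms = ($shareAces | ForEach-Object {
                         "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsPerms  = ($ntfsAces | ForEach-Object {
                         "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        # Access over the network needs an Allow at BOTH layers.
        Reachable  = ($shareAces.Count -gt 0 -and $ntfsAces.Count -gt 0)
    }
}

# Shares listed here are open to the new account without any explicit grant.
# Deny entries and subfolder ACLs are not evaluated, so treat this as a first pass.
$report | Where-Object Reachable | Format-Table -AutoSize -Wrap
```

Every share in the output other than the one intended for the other companies needs its broad entry replaced with a specific group before the new account is handed out.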

    Assisted Solution

    You can access this by piping to the share and then when it asks for a username and password use an account that is a domain user account. The PC doesn't have to be part of the domain at all to access a share.
