Authenticate workgroup user through a member server

There are many workstations that are currently set up as a workgroup, and it is too time consuming to join all of them to the domain of the server.  The DC server is Server 2003 STD and is working great as a fileserver for the office.  All of the users in the office have a domain account that matches their local user name and password on the workstation.  They can access the server shares with no problem.

Now we have added an additional 2003 STD server which is set up as a member server.  It is required to have a share from the member server accessible to all of the users. When they try to access it, the member server is authenticating locally and not querying the DC for the credentials.

I have tried to change the "allow anonymous SID translation" option on the member server.  Also, I have confirmed that all of the systems are pointing to the DC for DNS.  I know this is not the best way to do this, but time is very important, and converting the office workstations over to the domain and cloning the user accounts is not possible right now.

Please, someone help with this.  I would prefer not to open the member server fully with something like guest access.  Best if the member server passes along the credentials to the DC.
Pivnardo Asked:
PWeerakoon Commented:
It is not possible to pass authentication through the member server in your current configuration, because the authentication mechanism works by issuing tickets from the authenticating server. Because the client computers are not part of the domain, they cannot get a ticket from the domain controller to present to the member server, so the member server is going to deny access.

In your situation the easiest thing to do is upgrade the member server to a domain controller so that it also would have a copy of the usernames and password locally.

Another option is to set up a batch script with NET USE so that it maps all the shares using their domain credentials instead of the local credentials.

For example, see the attached code snippet...

The downside is it will prompt the user for the password.




@echo off
net use M: \\server2\share1 /user:domainname\username *
exit

Pivnardo Author Commented:
Thank you for the fast response. The net use option is not possible because the share should not be mapped. It is accessed from a client application directly. I recall being able to include the password in the command, but that does not matter anyway.  Really not good in regards to promoting to a second DC. It adds much more complexity to the problem than desired. Much appreciated for the response.

If there is anyone that knows any other methods that would be great. I was even considering entering local users on the member to match the DC for the temp workaround. Admin nightmare though when passwords need to be changed. But very infrequent so is a possibility.

PWeerakoon Commented:
I'm sorry but there is NO WAY that you can get the second server to let the user in without breaking security. The only options are for the server to have the user database on it locally (one is to create the accounts manually as you said, second is dcpromo). The other option is for the user to hand it the domain credentials so that the second server can verify against the domain controller.

Saving passwords in a script is a bad idea, that's why Microsoft removed that ability from NET USE.

If you don't want the share mapped you can do...

NET USE \\server2\ipc$ /user:domainname\username

before the application starts (maybe incorporate it into the shortcut). That'll prompt for the password only if there's no connection, for example after they boot the computer for the first time in the morning, and not prompt for the password after that.

Well good luck!
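The IPC$ approach from the comment above, written out as a launcher script. This is an added example, not code posted by anyone in the thread: `server2` and `domainname` are the placeholders used in the posts, `APP` is a hypothetical path, and `%USERNAME%` is used on the assumption stated in the question that local and domain account names match.

```batch
@echo off
setlocal
rem Added example, not from the thread. SERVER and the domain name reuse the
rem placeholders from the posts; APP is a hypothetical application path.
set "SERVER=\\server2"
set "DOMUSER=domainname\%USERNAME%"
set "APP=C:\Program Files\ClientApp\client.exe"

rem If a session to IPC$ already exists, reuse it and skip the prompt.
net use %SERVER%\ipc$ >nul 2>&1
if not errorlevel 1 goto launch

rem No session yet. The "*" makes NET USE prompt for the password,
rem so no credential is ever stored in this file.
net use %SERVER%\ipc$ /user:%DOMUSER% *
if errorlevel 1 (
    echo Could not authenticate to %SERVER%. The application was not started.
    exit /b 1
)

:launch
rem /wait blocks until the application exits.
start "" /wait "%APP%"

rem Drop the authenticated session so the next person at this
rem workstation has to enter their own domain password.
net use %SERVER%\ipc$ /delete >nul 2>&1
endlocal
```

The final `/delete` trades convenience for tighter session handling: with it, the prompt appears each time the application is started rather than once per logon. Remove that line to get the once-per-morning behaviour described in the comment.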
Pivnardo Author Commented:
Sorry for the slow response.  You were spot on with the explanation and the details to the problem I was having.
My resolution was to add the few accounts locally that required access.  I then later joined the system properly to the domain and cloned the user accounts.  
Nothing is every was with Microsoft !!
Thank you for your assistance.