AllDaySentry
asked on
Non Domain Users Can Access Any Network Folder
We recently had our environment upgraded/rebuilt with Server 2008 Active Directory and Data Server for our network folders.
I just found out today that a users laptop not on the domain can access any network folder without even a prompt for login credentials. This user is a standard user on the domain. Im not even sure if his Windows laptop login credential is the same as his Domain credential.
It seems to be a problem with the users laptop on the domain. A workstation that is on the domain is not allowing access to any folder.
Example:
There is a folder called Internal. On the sharing tab, shared button, the following users are listed:
Administrator (domain\Administrator)
Administrators (builtin\Administrator)
Domain Admins
Under Advanced Sharing it shows Everyone and Administrators with rights.
Under the Security tab, it shows: System, Administrator, Domain Admins, and Administrators (Server\Administrators).
I thought it may be that Everyone is listed under Advanced Sharing so I removed that. However the user can still access this folder.
What is it that is giving this person access to the folder?
I just found out today that a users laptop not on the domain can access any network folder without even a prompt for login credentials. This user is a standard user on the domain. Im not even sure if his Windows laptop login credential is the same as his Domain credential.
It seems to be a problem with the users laptop on the domain. A workstation that is on the domain is not allowing access to any folder.
Example:
There is a folder called Internal. On the sharing tab, shared button, the following users are listed:
Administrator (domain\Administrator)
Administrators (builtin\Administrator)
Domain Admins
Under Advanced Sharing it shows Everyone and Administrators with rights.
Under the Security tab, it shows: System, Administrator, Domain Admins, and Administrators (Server\Administrators).
I thought it may be that Everyone is listed under Advanced Sharing so I removed that. However the user can still access this folder.
What is it that is giving this person access to the folder?
did anyone access a share etc using admin credentials? try running "net use" and see what connections are listed.
ASKER
thinkpads_user,
Im good with the login scripts. Thats how all our domain users map their drives. For this non-domain user, we mapped a drive locally in Windows for him.
Problem is that he can access any folder he wants. Folders on are an "E:" drive. The drive itself is not shared.
When you mention server security to not allow unauthorized access, where would I go to check that?
karllangston,
Ran a "net use" and it lists two network drives he has access to. Ran "net user" and it shows up with Administrator (Im guessing because he is a local admin), his username, and guest.
Im good with the login scripts. Thats how all our domain users map their drives. For this non-domain user, we mapped a drive locally in Windows for him.
Problem is that he can access any folder he wants. Folders on are an "E:" drive. The drive itself is not shared.
When you mention server security to not allow unauthorized access, where would I go to check that?
karllangston,
Ran a "net use" and it lists two network drives he has access to. Ran "net user" and it shows up with Administrator (Im guessing because he is a local admin), his username, and guest.
I had this problem with a server I inherited. I got a local server expert (not myself) to reset the security on the Server Users folder. That solved the problem.
With respect to the particular user, make certain he is only a local admin. Look in AD on the server for the user and see what groups he is in.
Look at the AD groups to see who is allowed to access what.
The basic approach of the server consultant above was to remove all permissions (so for a short time users could not access their own folders), reconstruct the group memberships and the permit people their own folder (only) and to the groups they were authorized to be in.
... Thinkpads_User
With respect to the particular user, make certain he is only a local admin. Look in AD on the server for the user and see what groups he is in.
Look at the AD groups to see who is allowed to access what.
The basic approach of the server consultant above was to remove all permissions (so for a short time users could not access their own folders), reconstruct the group memberships and the permit people their own folder (only) and to the groups they were authorized to be in.
... Thinkpads_User
ASKER
I just figured something out. On the server under Share and Storage Management, Manage Sessions, I see the users laptop current IP address. The user name is not him but someone that is a domain admin.
At some point this domain admin was in his laptop mapping a printer out. Now it is using his credentials to access the network.
Where can I see this and remove his credentials?
At some point this domain admin was in his laptop mapping a printer out. Now it is using his credentials to access the network.
Where can I see this and remove his credentials?
You can go to the local users and groups, Groups, and then remove anyone who should not be there. If the domain admin is also a local user, remove it and remove the profile from the Local Computer. .... Thinkpads_User
ASKER
Figured it out. I guess when the domain admin connected a few weeks back to the data server, he used his credentials and checked the remember checkbox.
Had to go in to users and the credential vault and remove his user to the data server.
Had to go in to users and the credential vault and remove his user to the data server.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for AllDaySentry's comment #37602002
for the following reason:
Figured it out
Accepted answer: 0 points for AllDaySentry's comment #37602002
for the following reason:
Figured it out
In my post (ID: 37601741) I answered your question on how to remove credentials and that is what you did. I think my answer should warrant the answer in this case.
... Thinkpads_User
... Thinkpads_User
I think I answered your question here. ... Thinkpads_User
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thank you. The latter explanation was much more helpful and will be to others as well.
.... Thinkpads_User
.... Thinkpads_User
ASKER
Hi SouthMod, that is exactly what I did previously.
by: AllDaySentryPosted on 2012-02-15 at 18:54:23ID: 37602002
by: AllDaySentryPosted on 2012-02-15 at 18:54:23ID: 37602002
ASKER
Found solution on own.
Then, they need a script to access their folder (NET USE Z: \\server\userfolder and authenticate).
Make sure that they do not have access to C$ on the server. Make sure Server security doesn't allow access unless authorized.
Then the user should not have access to any folder. I do this all the time for clients and it works fine (users cannot access what they are not authorized to access).
.... Thinkpads_User