Force Windows to challenge for Credentials
Hi,
Does anyone now how to force windows explorer in Windows 7 to challenge for Credentials when the currently logged on user doesn't have access to a resource?
We have several meeeting rooms here and I want to use a single logon account for these rooms, but don't want to give that Meeting Room acocunt access to all network shares
Currently when I try to access a drive that it doens't have access to I just get the standard "Acccess Denied" message....
Thanks
Does anyone now how to force windows explorer in Windows 7 to challenge for Credentials when the currently logged on user doesn't have access to a resource?
We have several meeeting rooms here and I want to use a single logon account for these rooms, but don't want to give that Meeting Room acocunt access to all network shares
Currently when I try to access a drive that it doens't have access to I just get the standard "Acccess Denied" message....
Thanks
Brian Pierce
Not a good idea - even if you could get it to work there is the danger of the tokens being cached effectively allowing anyone to access the files someone else has provided the credentials for - just get people to log on normally with their own username/password - that's how a domain is designed to work
Shared accounts are typically not a good idea in terms of security, so perhaps there is another solution to the same problem. You can easily place a meeting room account in a deny list on a share or even a server:
http://technet.microsoft.com/en-us/library/cc947795%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc753064%28v=ws.10%29.aspx
Share ACL's and NTFS ACL's work in tandem with each other, which ever has the most restrictive permission, is the one that is applied to that share. I recommend setting shares to "Everyone Full Control" and use NTFS to make restrictions, that way it applies at the computer level as well as the share level.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/file_srv_bestpractice.mspx (still applies to current OS's)
-rich
http://technet.microsoft.com/en-us/library/cc947795%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc753064%28v=ws.10%29.aspx
Share ACL's and NTFS ACL's work in tandem with each other, which ever has the most restrictive permission, is the one that is applied to that share. I recommend setting shares to "Everyone Full Control" and use NTFS to make restrictions, that way it applies at the computer level as well as the share level.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/file_srv_bestpractice.mspx (still applies to current OS's)
-rich
I take that back, not full control, but read, then from that point inside the share they are subject to the NTFS permissions http://technet.microsoft.com/en-us/library/cc753731.aspx
-rich
-rich
ASKER
Ok, fair point so shared user accounts are not best practice.....
Do you know then how I would be able to get a shared Meeting Room calendar to open on the meetings room PC when a user logs on (but only when they log on to that particular PC)?
I've formatted a URL using Outlook Web Parts so that I can have the Calendar open up in IE as soon as the MeetingRoom user logs on (using Windows Credential Manager to store the logon details) but if individual users are logging onto meeting rooms PCs then they wouldn't have these stored credentials so would be challenged to logon to the Mailbox when the URL opens
Not a big deal I know but in the interests of not having to give people more credentials to remember I'd like to be able to automate this...
Thanks
Do you know then how I would be able to get a shared Meeting Room calendar to open on the meetings room PC when a user logs on (but only when they log on to that particular PC)?
I've formatted a URL using Outlook Web Parts so that I can have the Calendar open up in IE as soon as the MeetingRoom user logs on (using Windows Credential Manager to store the logon details) but if individual users are logging onto meeting rooms PCs then they wouldn't have these stored credentials so would be challenged to logon to the Mailbox when the URL opens
Not a big deal I know but in the interests of not having to give people more credentials to remember I'd like to be able to automate this...
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
disregard, wrong question :(
-rich
-rich
OMG haha... I need to sleep, disregard my very last comment only :)
-rich
-rich
ASKER
Haha....it's ok, I was a bit confused at first!
OK so shared user accounts are a bad idea, point taken...
I think I need to raise a new question then about storing credentials for a website across multiple logon accounts then
Thanks for your help
Mike
OK so shared user accounts are a bad idea, point taken...
I think I need to raise a new question then about storing credentials for a website across multiple logon accounts then
Thanks for your help
Mike