botsadmins


'run-as' credentials in explorer on domain windows server 2012

When trying to access privileged folders through DFS on a domain account that doesn't have access to the folders in question, I am prompted for credentials of a user who does have access to those folders. Providing valid credentials, even the master admin account of the domain, does not grant access to these folders. When on the network but not logged on to the domain, I am able to go through the process of providing valid authenticated credentials to these folders; I am only unable to access when attempting to use these 'run-as' credentials under a user account on the domain that doesn't have access to the folders I'm trying to access. How do I make this work?
botsadmins

ASKER

The title of this looks misleading to me now; I'm not attempting the 'run-as' credentials from the server itself, but from a computer joined to a domain run from Windows Server 2012.
From what I understand, you are trying to access a folder where a local user has access but a domain user doesn't.

While logged on via a domain account, enter credentials like below.

Unless you mention the domain/computer you are logging on to, it will assume the way you logged on to the computer.

I.e., mention the local computer name/username which has access to that folder.

i.e.
computername/username  or ./username  (dot/username)
password
There are specific domain users who do have access to the folder; the folder is on the server, and it's a share created with DFS Management. Most domain users do not have access. However, when providing support and configuring user PCs, it is often pertinent to have access to files I would rather they otherwise be unable to access while still being logged into their account. I'm familiar with escaping or entering a different domain; that's not the issue I'm having here.
Mahesh
Instead of accessing DFS links (those are virtual links, pointing to some other target), you need to access the actual shared folder path; only then will it work with runas credentials.

I faced this issue long ago, and no matter what I tried, it didn't work. It was a domain migration scenario in my case.
Hence I had to find the actual share folder path behind the link and then get access, or use the $ share path with an admin account.

Mahesh
My file server is on the same server as my AD controller, and the error I get says "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed." Trying the actual folder path gives the same error. Do I need to have my files stored on a different server to fix that? Is there a way to temporarily disconnect the logged-in user's connection as a workaround?
Also, thank you for your answer, Mahesh.
Bump. Bump bump. Still not resolved.
By the description of "multiple connections" I think you are trying to access a folder on a share that is currently mapped as a "drive".

You can only have a certain amount of concurrent active connections to a shared folder. If there is a connection already on this client with another user's credentials, even with different rights, the OS won't give access to the resource.

Solutions / Workaround:

1. Disconnect the current user's mapping to the share and try using yours (admin); once finished, reconnect the share to the user.

2. Create a new share (folder) on the server only for the administrators with the files they need (recommended). Once on the station, just map to the share with your credentials and disconnect when finished, or access the share by typing the share in an Explorer window and providing credentials every time.
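The first workaround above (disconnect the user's mapping, connect as admin, reconnect), sketched as an added PowerShell example that is not part of the original thread. The server, share and account names are placeholders, and it assumes the user's drive letters were persistent mappings.

```powershell
# Assumed placeholders, not from the thread: server, share and account names.
$Server     = 'FILESRV01'
$AdminShare = "\\$Server\AdminTools"
$AdminUser  = 'CONTOSO\support-admin'

# 1. Record the logged-on user's existing mappings to that server.
#    Any of them (drive letter or deviceless) is enough to trigger the
#    "multiple connections ... more than one user name" error.
$saved = @(Get-SmbMapping | Where-Object { $_.RemotePath -like "\\$Server\*" })
$saved | Format-Table LocalPath, RemotePath, Status

# 2. Disconnect them. Deviceless mappings have an empty LocalPath.
foreach ($m in $saved) {
    $target = if ($m.LocalPath) { $m.LocalPath } else { $m.RemotePath }
    net use $target /delete /y
}

try {
    # 3. Connect with the admin account. "*" makes net use prompt for the
    #    password, so it is not stored in the script or command history;
    #    /persistent:no keeps the mapping out of the user's profile.
    net use $AdminShare * /user:$AdminUser /persistent:no
    if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

    # ... do the support work against $AdminShare here ...
}
finally {
    # 4. Always drop the admin session so it does not stay in the user's logon.
    net use $AdminShare /delete /y

    # 5. Restore the user's drive letters with the user's own credentials.
    #    /persistent is given explicitly because net use otherwise reuses
    #    the last setting (the "no" from step 3). Persistent is an assumption.
    foreach ($m in ($saved | Where-Object LocalPath)) {
        net use $m.LocalPath $m.RemotePath /persistent:yes
    }
}
```

If step 3 still reports the multiple-connections error, run `net use` with no arguments and check for a remaining connection to the same server name, for example from an Explorer window left open on a UNC path.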
Try to access the actual shared folder with the FQDN.

Ex: \\Server1.contoso.com\share1\app

Mahesh
It's because the users are mapped to folders in the same parent directory. 1 connection can't have more than one username. Decided to give them read rights to a specific folder to have the tools available I need for them.