How to share a local folder on a stand-alone server with domain users

I need to share a folder on my Windows Server 2012 (stand-alone non-member) with a few select domain member users. Their client machines are WinXP and Win7.

Is this possible without installing any third party software?

Author

Commented:
I forgot to mention that I would like the domain users to be able to access this folder without the need to submit credentials
Principal Consultant
Commented:
Yes, this is certainly possible natively without any third party applications. You either need to set the access up on the folder for anonymous or you need to provide appropriate local credentials (that exist on the stand-alone server) to the end users. Don't forget that you need to assign the appropriate permissions on the share as well as at the NTFS level.

Hope this is helpful,

Jonathan
Jonathan Raper, Principal Consultant

Commented:
Ah - then you will definitely need to allow everyone/anonymous access.

Jonathan

Author

Commented:
Thanks for the quick reply Jonathan.

I have an AD group with the select users that should have access. I just want those users to be able to access this share without being prompted for credentials.
Distinguished Expert 2018
Commented:
There is no secure automated way to do what you want. The whole point of a domain (or domain trusts) is to pass authentication requests. By choosing a fully stand-alone server, you've chosen to shut that door. And by saying you don't want 3rd party software, you've closed off any federated options such as ADFS, SAML, OATH, etc.

Author

Commented:
Suppose I am open now to 3rd party...what can you tell me about those options you just mentioned?
Distinguished Expert 2018

Commented:
You'll need to set up some sort of directory sync to get local accounts that match the domain accounts. Then choose which auth method you'll support and somehow associate the two accounts. And for true SSO, a federated token, so something like ADFS. The infrastructure for such an endeavor is massive. It has taken even large companies (Salesforce, etc) years to get it right. So if it were easy or a few point and click wizards, it wouldn't be so hard for them. That's the 10,000ft view.
Jonathan Raper, Principal Consultant

Commented:
Cliff is correct. If you want the files secure, you either have to join the domain, or you have to have users login.
Jonathan Raper, Principal Consultant

Commented:
As for ADFS being an overwhelming task... I agree that it isn't a cake walk, but it is a lot easier than it used to be - at least with Server 2012 R2.

That being said, I would NOT go to that kind of trouble for this particular use case. I would join the server to the domain, or I would tell end users that they have to log in, and that's the end of it.

Can't have your cake and eat it too, in this instance, I'm afraid.

Author

Commented:
Yup... I guess you're right... Thanks so much for your help, gentlemen.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
As stated, you either need to open access to Everyone or provide a local username/password to the people that require access.

Another thing you could do (if you only want a few users to have access to this) is create the share and make it hidden using the "$", for example MyShare$.

This will still be accessible to all users but you will have some level of security because they need to know the server name and also the share name is hidden. I think that might be your best approach.

Will.
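
The settings discussed in this thread (share-level and NTFS permissions, Everyone/anonymous access, hidden shares) can be checked on the stand-alone server with a short audit. This is an added example, not part of any participant's post; the account names assume an English-language Windows install, and Deny entries and nested group membership are not evaluated.

```powershell
# Added example: list user-created shares and flag those that broad principals
# can reach at BOTH the share level and the NTFS level.
# Run elevated on the file server (the SmbShare cmdlets need Server 2012 or later).

# Assumption: English-language account names, compared on the part after '\'.
$broadNames = 'Everyone', 'ANONYMOUS LOGON', 'Guests', 'Guest'

function Test-BroadPrincipal([string]$Account) {
    # 'BUILTIN\Guests' -> 'Guests', 'Everyone' -> 'Everyone'
    return $broadNames -contains ($Account -split '\\')[-1]
}

function Get-OpenShareReport {
    # Skip built-in administrative shares (ADMIN$, C$, IPC$); keep user-created
    # shares, including hidden ones whose name ends in '$'.
    $shares = Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }
    foreach ($share in $shares) {
        # Share-level Allow entries granted to broad principals
        $shareGrants = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            (Test-BroadPrincipal $_.AccountName)
        })
        # NTFS Allow entries granted to broad principals on the shared folder
        $ntfsGrants = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            (Test-BroadPrincipal $_.IdentityReference.Value)
        })
        [pscustomobject]@{
            Share      = $share.Name
            Hidden     = $share.Name.EndsWith('$')   # reported only; not a permission
            ShareLevel = ($shareGrants | ForEach-Object {
                             "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsLevel  = ($ntfsGrants | ForEach-Object {
                             "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            # A caller must pass both layers, so flag only when both grant access.
            OpenAtBothLayers = ($shareGrants.Count -gt 0 -and $ntfsGrants.Count -gt 0)
        }
    }
}

Get-OpenShareReport | Format-Table -AutoSize -Wrap
```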
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Ahhhhh. I was too late. Creating a hidden share does provide a little more security as they will not know the share.

Will.
Distinguished Expert 2018

Commented:
@Johnathanspitfire: I agree that ADFS has become easier. However Microsoft has architected ADFS to integrate with third parties and still expects them to provide some infrastructure. As the proposed use case here is a standalone server, the OP would *be* that 3rd-party in this case. ADFS alone wouldn't solve the issue. It'd just provide the medium from the domain side of things. As such, my comment that it is exceedingly complex still stands. To extrapolate, imagine re-inventing Azure AD and dirsync (or WAAD, or AADSync, depending on which acronym you prefer and which version is shipping this month) ...which is how Office 365 leverages ADFS. ADFS alone doesn't cover O365, but requires all of that infrastructure that Microsoft has built. To offer access from a standalone server, a similar architecture is required.