Bryan Pivik asked:
Allow workgroup users' local accounts to authenticate with a 2012 domain

Just replaced the 2003 server with a new 2012 Essentials server. Created a new domain and, in Active Directory Users and Computers, created an account that matches the local users on the workgroup systems.

When trying to access the SMB share it prompts for the username and password. I recall there was a setting in the group policy to basically ignore the domain. I do not want everyone connecting with guest rights, since 2 users do have NTFS file permissions on some sub folders.

Please help. Anything is appreciated.

Cotillion (Australia):

So you're saying you setup a domain, but didn't join any of the computers to it?

Is there a reason why you don't want the computers on the domain?
yo_bee:
Since you are on a workgroup computer you have not authenticated to the domain yet. You need to authenticate against the domain at least once before you can access a share on the domain. When you are joined to a domain you do the initial authentication at logon. This is why you are prompted when you try to access the domain share.
There's no such setting. Local users with the same name and pw cannot be used. Use domain users, migrate the profiles.
If the workgroup name is the same as the domain name, it indeed works, without doing anything more.
But you cannot have a (different) domain name used automatically. You need to supply it manually once after each reboot or login.
Qlemo, for me that does not work (Win 8.1). I remember that back in the days of our NT4 domain, that did indeed work.
ASKER CERTIFIED SOLUTION
Bryan Pivik
SOLUTION

Bryan Pivik (asker):
The main point here is that I have seen people "fix" mixed office roles in very creative manners that are not nearly as secure or as easy to work with later.

- Do not use "Save Credentials" on the network map function in Explorer. This saves the credentials in the registry, and Windows forgets or prompts the user to reconnect; they always answer wrong, and then there is no more drive mapping. A script is the way to go.

- Do not include the user name and password in the Net Use statement in the local run scripts that map the drives. If you need to, then you are not being properly authenticated, as mentioned above in my first solution comment.

- Do not modify the permission in the server GPO that allows all network users to authenticate as guests! This breaks security in the office. None of the files are private anymore, so ANYONE on the network can browse them. Crazy, yes, but I have seen this before! That would only make sense if you have a dedicated, publicly facing server where you give, for example, read permissions on the share, allowing people to download files while the files are modified locally on the server. But it would be absolutely crazy to set it that way in an office sharing the server's files for live production work.

Of course my solution does not allow for management or GPO of the workstations in this manner. When passwords need to be changed they MUST be updated on the server AND on the local workstation. That is the biggest cost for a simple office that uses the server mainly as a strong NAS and print server only.

I call this "Creative Management"   :)
Thank you for all the great help. In this case I got it on my own. This was an odd setup with such a mixed, unmanaged environment, but that is what the client needs for their budget and implementation time. The method I have used works, and I have used it before in special cases. Making sure to also script the mapped network drives and the time sync to the file server is important. That script should run from the workstations at login.

In this case I had not set up a 2012 Essentials server before, so I thought it was something different I was not aware of. The old bag of tricks worked here.

Simple Net.bat file run at workgroup computer login, for example (use the server's IP address rather than its name because of possible DNS issues, unless you know how to handle that):

REM Sync the workstation clock to the file server by IP address
Net Time \\ServerIPAddress /SET /Y
REM Map N: to the share; the UNC path needs the share name, not just the server
REM (replace ShareName with the actual share); no user name or password on the
REM command line, the logged-on user's matching local credentials are used
Net Use N: \\ServerIPAddress\ShareName /PERSISTENT:NO /Y
Sorry Qlemo.  They helped but it was my resolution that worked.  Did not mean to confuse the system.  Hope my comments can help others.
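The same login script written in PowerShell, added here as an illustration and not the poster's own Net.bat: it syncs the clock, maps the drive with the logged-on user's own credentials (nothing embedded, nothing saved), fails cleanly instead of prompting, and then checks that the server accepted the user rather than a guest. The server IP (192.168.1.10), share name ("Office"), drive letter (N:) and the canary file under "Private" are assumptions, not values from the thread; the canary is assumed to carry an NTFS ACL granting Read to Authenticated Users only (not Everyone), so a guest session cannot read it. New-SmbMapping requires Windows 8 / Server 2012 or later on the client.

```powershell
# Added example, not the poster's Net.bat. Assumed values (not from the thread):
# server 192.168.1.10, share "Office", drive N:, canary file readable only by
# Authenticated Users (no Everyone entry) so a guest session cannot open it.
$ServerIp    = '192.168.1.10'
$ShareName   = 'Office'
$DriveLetter = 'N:'
$CanaryPath  = "$DriveLetter\Private\access-check.txt"   # assumed path and ACL
$LogFile     = Join-Path $env:LOCALAPPDATA 'map-drive.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# 1. Sync the clock to the file server by IP (no dependence on workgroup name
#    resolution). /set needs the "Change the system time" right, so the
#    logged-on user must hold it for this line to succeed.
& net.exe time "\\$ServerIp" /set /y | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log "time sync against $ServerIp failed (exit $LASTEXITCODE)" }

# 2. Clear any stale mapping left behind by an earlier failed reconnect.
Remove-SmbMapping -LocalPath $DriveLetter -Force -ErrorAction SilentlyContinue

# 3. Map with the logged-on user's own credentials: no -UserName/-Password, so
#    nothing is written to disk. New-SmbMapping throws instead of prompting,
#    which keeps a login script from hanging. A failure here means the local
#    account name or password no longer matches the server account; fix that
#    on both sides rather than embedding a password or enabling guest access.
try {
    New-SmbMapping -LocalPath $DriveLetter -RemotePath "\\$ServerIp\$ShareName" `
                   -Persistent $false -ErrorAction Stop | Out-Null
} catch {
    Write-Log "mapping $DriveLetter to \\$ServerIp\$ShareName failed: $($_.Exception.Message)"
    exit 1
}

# 4. Confirm the server accepted this user and not a guest: guest logons are not
#    members of Authenticated Users, so they cannot read the canary file.
if (Test-Path -LiteralPath $CanaryPath) {
    Write-Log "mapped $DriveLetter as $env:USERNAME with user-level access"
} else {
    Write-Log "mapped $DriveLetter but $CanaryPath is not readable: guest session or password out of sync"
    # Do not leave a half-working drive behind; make the problem visible instead.
    Remove-SmbMapping -LocalPath $DriveLetter -Force -ErrorAction SilentlyContinue
    exit 2
}
```

Run it from the user's Startup folder or a logon-triggered scheduled task; because the mapping is non-persistent, the script recreates it at each logon and nothing is cached in the registry for Windows to "forget". If the canary check fails on a machine whose user claims to have the right password, the local and server passwords have drifted, which is exactly the maintenance cost the post describes.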