Local Administrator mapping network drive without additional credentials

On most of the machines in our environment, when a technician is logged into the local Administrator account, they are able to map to a network share without being prompted to enter additional credentials.  However, on a small subset of machines, doing so requires that they enter in credentials of an account in our Domain (like their own AD credentials).

What about our machine or AD configuration would allow the local Administrator account to be able to map a network drive without requiring credentials of an AD account?  We would actually like to enable this behavior on all machines.

Thanks.  Greg.

P.S. We are on Windows 10 Pro on the workstations and Windows Server 2012 on the Domain Controller.
malcolm29 Asked:

Natty Greg, In Theory (IT), Commented:
A GPO written and pushed to these machines that are in their own OU will suffice.
0
malcolm29 (Author) Commented:
Can you provide more explicit instructions?  We are not using group policy, but can do so with local policy.  What specifically needs to be done?
0
Natty Greg, In Theory (IT), Commented:
OK, you will have to get familiar with GPO; it is easy to learn. If not, you will walk to every computer to do this. You will want to set up workstations into their own organizational units, meaning Management OU, Developer OU, Backup OU. You set this up under Users in the GPO snap-in, then you set who will be a member of what, then you set a GPO for the OU so whoever is in the OU is affected via that GPO policy.
0

malcolm29 (Author) Commented:
Let me clarify.  The machines are functioning fine as far as Domain related behavior goes.  Users log in with their IDs and passwords and everything's fine.  We do not want to mess with that.

The issue occurs on these dozen machines when logged in as the local Administrator on the machine. In that case, going to a command prompt and typing MAP H: \\servername\sharename results in being prompted for a domain-based ID and password.

For the rest of our machines (about 100), when doing this same thing, the user is not prompted for a domain-based ID and password and the MAP command successfully completes.

Thoughts?
0
Natty Greg, In Theory (IT), Commented:
OK, it seems like the GPO that was set up to handle this has not been updated properly, so, not to screw up anything, issue this command on the server in cmd.exe: gpupdate /force. This will force all computers on the network to accept and apply the policy. Now you can reboot every machine to access the update or wait until each user reboots their machine.

Here is a site that talks about updating group policies and forcing computers to accept them; it provides syntax where you can update each computer:
http://techgenix.com/How-Force-Remote-Group-Policy-Processing/

After this, check the machines and see if the problem is solved; if not, post back.
0
Vikas Bhat, Experienced IT Infrastructure Services/operations Manager, Commented:
I guess they must have already tried a reboot, so the problem may lie somewhere else. Do you mean you have multiple users who are local admins on the PCs?

If so, you should check if user A (local administrator), when logged on to the affected machine, has the same behavior as when logging on to the non-affected machine. This can help pinpoint the problem either with group policy or shared folder security permissions.
0
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
What is the difference between the machines? Are you always using the same admin name and password?
0
David Johnson, CD, MVP, Owner, Commented:
The login details may have already been saved in the Credential Manager.
0
malcolm29 (Author) Commented:
OK, an update on this.  
- The 14 machines that are displaying this issue are essentially the same.  The same model PC, the same OS, the same local account ID and password, and all attached to the same Domain.
- Forcing a gpupdate did NOT resolve the issue.  So, Natty Greg, thank you for your idea, but that didn't resolve it.
- Looking at David Johnson's idea of what's in Credential Manager did not display any credentials for Windows users that have been saved.

However, the Credential Manager idea did give me an idea. I went to one of the machines and set the local admin password to a previously used local admin password (to do this, I had to remove the computer from the domain, reboot, log into the non-Domain connected machine as local administrator, change the local administrator account using Computer Management, rejoin the Domain). When using the prior password, the machine was able to map a drive without being prompted for credentials.

Thoughts on why this might work?  Are the prior credentials somehow saved somewhere on the machine?  I did look at the Registry under HKEY_Current_User/Network and saw that each of these machines did have a setting for the "h" drive (the drive I am trying to map).  But this was true both prior to removing the machine from the domain and after rejoining the machine to the domain.

Really, the only difference I can think of between being able to map without being prompted for credentials or not was that when using the prior local administrator password it worked, and when using a new local administrator password, it didn't work.

So where might those old local administrator credentials be stored?
0
Natty Greg, In Theory (IT), Commented:
Then the password change is not taking effect and there is a cache or system override somewhere, which is not good, unless the mapped drive has a pre-shared key/password not necessarily attached to your credentials.
0
malcolm29 (Author) Commented:
Thanks for the help in getting to the root of this.  Just trying to better understand your comments, Natty Greg.  When I change the local admin password, the machine then requires the new password, so it appears that the password change is taking effect.  But I'm certainly open to opinions on that.

So, assuming that the password change is indeed taking effect, you suggest that there is a cache or system override somewhere.  Do you know where this might be?  Could it be in Active Directory, even though we're dealing with a local administrator password?  One possibly related oddity is that on these machines the local admin password was invalidated after a period of time (maybe the 60 day password expiration policy length) as not being complex enough.  However, on other machines that use this same local admin password, they were not given this message.  Could a machine somehow have its local admin account governed by AD?

Sorry that I don't know more.  I recently came into this environment and am trying to understand what is going on.
0
Natty Greg, In Theory (IT), Commented:
Next time it happens, take a screenshot and post the picture.
0
malcolm29 (Author) Commented:
Well, here's what was going on.  On the machine that was providing the file share, there was a local administrator ID and password.  On machines that had the same local administrator ID and password, they were able to map to the share without being prompted.  On machines that had the same local administrator ID but a different password, they would get prompted when trying to map the share.

So, thank you all for your ideas, but the answer ended up being something different.
0
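
The behavior reported in the post above (same local account name on client and server, with the outcome depending on whether the passwords match) is visible in the file server's Security log as network logons made with a non-domain account. The following Python script is an added example, not part of the original thread: it sorts exported 4624/4625 records into workstations whose local account was accepted and those rejected for a wrong password. The record layout (dicts keyed by event data field names), the names FS01, CORP and WS01-WS03, and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

LOGON_OK, LOGON_FAILED = 4624, 4625   # Security log: logon succeeded / failed
WRONG_PASSWORD = "0xc000006a"         # 4625 SubStatus: user exists, bad password

def audit_local_account_logons(events, ad_domain):
    """Sort NTLM network logons made with non-domain accounts by outcome.

    Returns {account: {"same_password": {...}, "different_password": {...}}},
    where each set holds the source workstation names.
    """
    found = defaultdict(lambda: {"same_password": set(), "different_password": set()})
    for ev in events:
        if str(ev.get("LogonType")) != "3":
            continue                      # only network logons (share access)
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue                      # local accounts cannot use Kerberos
        domain = ev.get("TargetDomainName", "").upper()
        if domain in (ad_domain.upper(), "NT AUTHORITY"):
            continue                      # domain account or anonymous session
        account = ev.get("TargetUserName", "").lower()
        source = ev.get("WorkstationName", "").upper()
        if not account or not source:
            continue
        if ev.get("EventID") == LOGON_OK:
            found[account]["same_password"].add(source)
        elif (ev.get("EventID") == LOGON_FAILED
              and ev.get("SubStatus", "").lower() == WRONG_PASSWORD):
            found[account]["different_password"].add(source)
    return dict(found)

def _ev(event_id, logon_type, package, user, domain, workstation, sub=""):
    return {"EventID": event_id, "LogonType": logon_type,
            "AuthenticationPackageName": package, "TargetUserName": user,
            "TargetDomainName": domain, "WorkstationName": workstation,
            "SubStatus": sub}

# Constructed sample records (not from the thread): FS01 is the file server,
# CORP the AD domain, WS01-WS03 the workstations.
SAMPLE_EVENTS = [
    _ev(4624, 3, "NTLM", "Administrator", "FS01", "WS01"),
    _ev(4625, 3, "NTLM", "Administrator", "WS02", "WS02", "0xC000006A"),
    _ev(4624, 3, "Kerberos", "greg", "CORP", "-"),
    _ev(4624, 3, "NTLM", "ANONYMOUS LOGON", "NT AUTHORITY", "WS03"),
    _ev(4624, 2, "Negotiate", "Administrator", "FS01", "FS01"),
]

if __name__ == "__main__":
    print(audit_local_account_logons(SAMPLE_EVENTS, "CORP"))
```

Workstations listed under `same_password` are the ones that map the share without a prompt; those under `different_password` are the ones that get the credential prompt.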

Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
I've asked you for that in #a42054451 ...
0
malcolm29 (Author) Commented:
Doing other research, unrelated to the suggestions provided in the thread, I was led to try an experiment that ultimately got to the root cause.
0