Avatar of malcolm29
malcolm29
Flag for United States of America asked on

Local Administrator mapping network drive without additional credentials

On most of the machines in our environment, when a technician is logged into the local Administrator account, they are able to map to a network share without being prompted to enter additional credentials.  However, on a small subset of machines, doing so requires that they enter in credentials of an account in our Domain (like their own AD credentials).

What about our machine or AD configuration would allow the local Administrator account to be able to map a network drive without requiring credentials of an AD account?  We would actually like to enable this behavior on all machines.

Thanks.  Greg.

p.s we are on Windows 10 Pro on the workstations and Windows Server 2012 on the Domain Controller
Active DirectoryWindows 10Windows Networking

Avatar of undefined
Last Comment
malcolm29

8/22/2022 - Mon
Natty Greg

a GPO written and push to these machines that are in their own OU will suffice.
malcolm29

ASKER
Can you provide more explicit instructions?  We are not using group policy, but can do so with local policy.  What specifically needs to be done?
Natty Greg

OK you will have to get familiar with GPO it is easy to learn, if not you will walk to every computer to do this. You will want to set up workstations into their own organization unit meaning management OU, Developer OU, BACKUP OU, you set this up under users in the gpo snap-in then you set who will be what member of, then you set gpo for the OU so whoever is in the OU is affected via that gpo policy.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
malcolm29

ASKER
Let me clarify.  The machines are functioning fine as far as Domain related behavior goes.  Users log in with their IDs and passwords and everything's fine.  We do not want to mess with that.

The issue is that on these dozen machines, when logged in as the local Administrator on the machine.  In that case, going to a command prompt and typing MAP H: \\servername\sharename results in being prompted for a domain-based ID and password.

For the rest of our machines (about 100), when doing this same thing, the user is not prompted for a domain-based ID and password and the MAP command successfully completes.

Thoughts?
Natty Greg

OK it seems like the GPO that was setup to handle this was has not been update properly so not to screw up anything issue this command on the server in cmd.exe  gpupdate /force this will force all computers on the network to accept and apply the policy, now you can reboot every machine to access the update or wait until each user reboots their machine

Here is a site that talks about updating group policies and forcing computers to accept them, it provides syntax where can update each computer
http://techgenix.com/How-Force-Remote-Group-Policy-Processing/

after this then, check the machines and see if problem is solved if not post back.
Vikas Bhat

I guess they must have already tried a reboot so the problem may lie somewhere else. do you mean you have multiple users who are local admins on the pc's ?

If so you should check of user A (local administrator)  when logs on the affected machine has the same behavior logging on the non-affected machine. This can help pin point the problem either with group policy or shared folder security permissions.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Qlemo

What is the difference between the machines? Are always using the same admin name and password?
David Johnson, CD

the login details may have already been saved in the credential manager
malcolm29

ASKER
OK, an update on this.  
- The 14 machines that are displaying this issue are essentially the same.  The same model PC, the same OS, the same local account ID and password, and all attached to the same Domain.
- Forcing a gpupdate did NOT resolve the issue.  So, Natty Greg, thank you for your idea, but that didn't resolve it.
- Looking at David Johnson's idea of what's in Credential Manager did not display any credentials for Windows users that have been saved.

However, the Credential Manager idea did give me an idea.  I went to one of the machines and set the local admin password to a previously used local admin password (to do this, I had to remove the computer from the domain, reboot, log into the non-Domain connected machine as local administrator, change the local administrator account user Computer Management, rejoin the Domain).  When using the prior password, the machine was able to map a drive without being prompted for credentials.

Thoughts on why this might work?  Are the prior credentials somehow saved somewhere on the machine?  I did look at the Registry under HKEY_Current_User/Network and saw that each of these machines did have a setting for the "h" drive (the drive I am trying to map).  But this was true both prior to removing the machine from the domain and after rejoining the machine to the domain.

Really, the only difference I can think of between being able to map without being prompted for credentials or not was that when using the prior local administrator password it worked, and when using a new local administrator password, it didn't work.

So where might those old local administrator credentials be stored?
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Natty Greg

Then the password change is not taking effect and there is a cache or system override somewhere, which in not good, unless the map drive has a pre-shared key/password not necessarily attached to your credentials
malcolm29

ASKER
Thanks for the help in getting to the root of this.  Just trying to better understand your comments, Natty Greg.  When I change the local admin password, the machine then requires the new password, so it appears that the password change is taking effect.  But I'm certainly open to opinions on that.

So, assuming that the password change is indeed taking effect, you suggest that there is a cache or system override somewhere.  Do you know where this might be?  Could it be in Active Directory, even though we're dealing with a local administrator password?  One possibly related oddity is that on these machines the local admin password was invalidated after a period of time (maybe the 60 day password expiration policy length) as not being complex enough.  However, on other machines that use this same local admin password, they were not given this message.  Could a machine somehow have its local admin account governed by AD?

Sorry that I don't know more.  I recently came into this environment and am trying to understand what is going on.
Natty Greg

next time it happens take a screen shot n post the picture
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
ASKER CERTIFIED SOLUTION
malcolm29

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Qlemo

I've asked you for that in #a42054451 ...
malcolm29

ASKER
Doing other research, unrelated to the suggestions provided in the thread, I was led to try an experiment that ultimately got to the root cause.