The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.
Local Administrator mapping network drive without additional credentials
On most of the machines in our environment, when a technician is logged into the local Administrator account, they are able to map to a network share without being prompted to enter additional credentials. However, on a small subset of machines, doing so requires that they enter in credentials of an account in our Domain (like their own AD credentials).
What about our machine or AD configuration would allow the local Administrator account to be able to map a network drive without requiring credentials of an AD account? We would actually like to enable this behavior on all machines.
Thanks. Greg.
p.s we are on Windows 10 Pro on the workstations and Windows Server 2012 on the Domain Controller
What about our machine or AD configuration would allow the local Administrator account to be able to map a network drive without requiring credentials of an AD account? We would actually like to enable this behavior on all machines.
Thanks. Greg.
p.s we are on Windows 10 Pro on the workstations and Windows Server 2012 on the Domain Controller
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Can you provide more explicit instructions? We are not using group policy, but can do so with local policy. What specifically needs to be done?
OK you will have to get familiar with GPO it is easy to learn, if not you will walk to every computer to do this. You will want to set up workstations into their own organization unit meaning management OU, Developer OU, BACKUP OU, you set this up under users in the gpo snap-in then you set who will be what member of, then you set gpo for the OU so whoever is in the OU is affected via that gpo policy.
Let me clarify. The machines are functioning fine as far as Domain related behavior goes. Users log in with their IDs and passwords and everything's fine. We do not want to mess with that.
The issue is that on these dozen machines, when logged in as the local Administrator on the machine. In that case, going to a command prompt and typing MAP H: \\servername\sharename results in being prompted for a domain-based ID and password.
For the rest of our machines (about 100), when doing this same thing, the user is not prompted for a domain-based ID and password and the MAP command successfully completes.
Thoughts?
The issue is that on these dozen machines, when logged in as the local Administrator on the machine. In that case, going to a command prompt and typing MAP H: \\servername\sharename results in being prompted for a domain-based ID and password.
For the rest of our machines (about 100), when doing this same thing, the user is not prompted for a domain-based ID and password and the MAP command successfully completes.
Thoughts?
OK it seems like the GPO that was setup to handle this was has not been update properly so not to screw up anything issue this command on the server in cmd.exe gpupdate /force this will force all computers on the network to accept and apply the policy, now you can reboot every machine to access the update or wait until each user reboots their machine
Here is a site that talks about updating group policies and forcing computers to accept them, it provides syntax where can update each computer
http://techgenix.com/How-Force-Remote-Group-Policy-Processing/
after this then, check the machines and see if problem is solved if not post back.
Here is a site that talks about updating group policies and forcing computers to accept them, it provides syntax where can update each computer
http://techgenix.com/How-Force-Remote-Group-Policy-Processing/
after this then, check the machines and see if problem is solved if not post back.
I guess they must have already tried a reboot so the problem may lie somewhere else. do you mean you have multiple users who are local admins on the pc's ?
If so you should check of user A (local administrator) when logs on the affected machine has the same behavior logging on the non-affected machine. This can help pin point the problem either with group policy or shared folder security permissions.
If so you should check of user A (local administrator) when logs on the affected machine has the same behavior logging on the non-affected machine. This can help pin point the problem either with group policy or shared folder security permissions.
OK, an update on this.
- The 14 machines that are displaying this issue are essentially the same. The same model PC, the same OS, the same local account ID and password, and all attached to the same Domain.
- Forcing a gpupdate did NOT resolve the issue. So, Natty Greg, thank you for your idea, but that didn't resolve it.
- Looking at David Johnson's idea of what's in Credential Manager did not display any credentials for Windows users that have been saved.
However, the Credential Manager idea did give me an idea. I went to one of the machines and set the local admin password to a previously used local admin password (to do this, I had to remove the computer from the domain, reboot, log into the non-Domain connected machine as local administrator, change the local administrator account user Computer Management, rejoin the Domain). When using the prior password, the machine was able to map a drive without being prompted for credentials.
Thoughts on why this might work? Are the prior credentials somehow saved somewhere on the machine? I did look at the Registry under HKEY_Current_User/Network and saw that each of these machines did have a setting for the "h" drive (the drive I am trying to map). But this was true both prior to removing the machine from the domain and after rejoining the machine to the domain.
Really, the only difference I can think of between being able to map without being prompted for credentials or not was that when using the prior local administrator password it worked, and when using a new local administrator password, it didn't work.
So where might those old local administrator credentials be stored?
- The 14 machines that are displaying this issue are essentially the same. The same model PC, the same OS, the same local account ID and password, and all attached to the same Domain.
- Forcing a gpupdate did NOT resolve the issue. So, Natty Greg, thank you for your idea, but that didn't resolve it.
- Looking at David Johnson's idea of what's in Credential Manager did not display any credentials for Windows users that have been saved.
However, the Credential Manager idea did give me an idea. I went to one of the machines and set the local admin password to a previously used local admin password (to do this, I had to remove the computer from the domain, reboot, log into the non-Domain connected machine as local administrator, change the local administrator account user Computer Management, rejoin the Domain). When using the prior password, the machine was able to map a drive without being prompted for credentials.
Thoughts on why this might work? Are the prior credentials somehow saved somewhere on the machine? I did look at the Registry under HKEY_Current_User/Network and saw that each of these machines did have a setting for the "h" drive (the drive I am trying to map). But this was true both prior to removing the machine from the domain and after rejoining the machine to the domain.
Really, the only difference I can think of between being able to map without being prompted for credentials or not was that when using the prior local administrator password it worked, and when using a new local administrator password, it didn't work.
So where might those old local administrator credentials be stored?
Then the password change is not taking effect and there is a cache or system override somewhere, which in not good, unless the map drive has a pre-shared key/password not necessarily attached to your credentials
Thanks for the help in getting to the root of this. Just trying to better understand your comments, Natty Greg. When I change the local admin password, the machine then requires the new password, so it appears that the password change is taking effect. But I'm certainly open to opinions on that.
So, assuming that the password change is indeed taking effect, you suggest that there is a cache or system override somewhere. Do you know where this might be? Could it be in Active Directory, even though we're dealing with a local administrator password? One possibly related oddity is that on these machines the local admin password was invalidated after a period of time (maybe the 60 day password expiration policy length) as not being complex enough. However, on other machines that use this same local admin password, they were not given this message. Could a machine somehow have its local admin account governed by AD?
Sorry that I don't know more. I recently came into this environment and am trying to understand what is going on.
So, assuming that the password change is indeed taking effect, you suggest that there is a cache or system override somewhere. Do you know where this might be? Could it be in Active Directory, even though we're dealing with a local administrator password? One possibly related oddity is that on these machines the local admin password was invalidated after a period of time (maybe the 60 day password expiration policy length) as not being complex enough. However, on other machines that use this same local admin password, they were not given this message. Could a machine somehow have its local admin account governed by AD?
Sorry that I don't know more. I recently came into this environment and am trying to understand what is going on.
Well, here's what was going on. On the machine that was providing the file share, there was a local administrator ID and password. On machines that had the same local administrator ID and password, they were able to map to the share without being prompted. On machines that had the same local administrator ID but a different password, they would get prompted when trying to map the share.
So, thank you all for your ideas, but the answer ended up being something different.
So, thank you all for your ideas, but the answer ended up being something different.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
I've asked you for that in #a42054451 ...
Doing other research, unrelated to the suggestions provided in the thread, I was led to try an experiment that ultimately got to the root cause.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCP MCSA Microsoft Certified Partner & Solutions Ass… 377 lessons
-
Microsoft ApplicationsCertification: MCP MCSA Microsoft Certified Partner & Solutions Ass… 377 lessons
-
Business CommunicationCertification: PMI ACP Project Management Institute Agile Certified Pra… 283 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2016… 224 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.