hypercube
asked on
AzureAD logon User needs access to local file shares.
The office has a peer-to-peer network.
A Windows 10 Pro workstation is set up as a file server.
Up to now the server access has been wide open.
We are introducing a new workstation as file server.
We have decided to Enable Password Protected Sharing AND to provide the credentials by matching client user logons to users set up on the "file server" - that, in favor of storing Windows credentials for a server user on the client machines.
However, the owner has a laptop with an AzureAD logon. This seems to mess up accessing the new "file server".
I've not found the magic formula for allowing him to get access.
All of the other users access just fine - but they don't have AzureAD logons - they are just non-Microsoft local users.
A Windows 10 Pro workstation is set up as a file server.
Up to now the server access has been wide open.
We are introducing a new workstation as file server.
We have decided to Enable Password Protected Sharing AND to provide the credentials by matching client user logons to users set up on the "file server" - that, in favor of storing Windows credentials for a server user on the client machines.
However, the owner has a laptop with an AzureAD logon. This seems to mess up accessing the new "file server".
I've not found the magic formula for allowing him to get access.
All of the other users access just fine - but they don't have AzureAD logons - they are just non-Microsoft local users.
ASKER
yo-bee: Yes, you have made those recommendations and I'm actively implementing some of them with one of my major clients. This, only because it's now what they need and want.
But, the client that I'm talking about here, isn't of that mindset so far.
I need to fix an immediate problem.
*I'm* not on Azure as I'm not part of their group.
But I have full access on their behalf (really, THEY have access).
I don't see anything on the Microsoft 365 admin center or in the Azure Active Directory admin center that would allow me to to indicate that this one user is somehow associated with "Azure" nor how to change that. None of the other users are. So, naturally, I want to change how this one user logs in OR create a new user profile that will carry along the Office account.
"You can check in any time you like, but you can never leave" ... Eagles: Hotel California
But, the client that I'm talking about here, isn't of that mindset so far.
I need to fix an immediate problem.
*I'm* not on Azure as I'm not part of their group.
But I have full access on their behalf (really, THEY have access).
I don't see anything on the Microsoft 365 admin center or in the Azure Active Directory admin center that would allow me to to indicate that this one user is somehow associated with "Azure" nor how to change that. None of the other users are. So, naturally, I want to change how this one user logs in OR create a new user profile that will carry along the Office account.
"You can check in any time you like, but you can never leave" ... Eagles: Hotel California
You can create a local user account should do the trick.
https://support.microsoft.com/en-us/help/4026923/windows-10-create-a-local-user-or-administrator-account
https://support.microsoft.com/en-us/help/4026923/windows-10-create-a-local-user-or-administrator-account
ASKER
yo_bee: That's the first thing I tried. It does not work as one might expect - at all.
Also, if the user is *different* then how to keep the Office license?
Also, if the user is *different* then how to keep the Office license?
Office license is authenticated within the application. What you are seeing happen with this one user is that he is logging in to the computer with the Azure account and the application is using a SSO (single sign-on). I
ASKER
yo_bee: Thank you!
Let me try this to see if I understand:
The User Profile is set up to have an SSO at Windows logon.
With the SSO, the user can access Office.
But I don't want the ()*&)&## SSO because it's causing "normal" things to not work and is causing "abnormal" things to happen.
So, I would like to create a logon that's not a SSO:
- If I try to do that within the workstation itself (create a local user) this fails.
- Advice says to do that within the Azure AD context. The Azure AD context won't let me use the same email address, implying that I have to add a *different* user to accomplish this. And, this concerns me about his email files. If I add a different user, do I have to add a license for Office or what? I don't really want to delete the current user as then I'm concerned that the files go away as well.... ???
Let me try this to see if I understand:
The User Profile is set up to have an SSO at Windows logon.
With the SSO, the user can access Office.
But I don't want the ()*&)&## SSO because it's causing "normal" things to not work and is causing "abnormal" things to happen.
So, I would like to create a logon that's not a SSO:
- If I try to do that within the workstation itself (create a local user) this fails.
- Advice says to do that within the Azure AD context. The Azure AD context won't let me use the same email address, implying that I have to add a *different* user to accomplish this. And, this concerns me about his email files. If I add a different user, do I have to add a license for Office or what? I don't really want to delete the current user as then I'm concerned that the files go away as well.... ???
ASKER
I guess I'd like to understand what constitutes a "different" user in that I tried using the same email address and it didn't like it!
A local account does not rely on an email address so you should not need it.
ASKER
When I interact on the Azure AD site, it asks for it.
When I interact on the client computer, it fails altogether. Thus, the attempt on the Azure site.
When I interact on the client computer, it fails altogether. Thus, the attempt on the Azure site.
I am sorry, but I am getting lost.
You have a scenario that consist of a local workgroup. All computer are joined to this workgroup and they access a file share that is hosted by a Windows machine. Are they prompted to enter credentials?
You have a scenario that consist of a local workgroup. All computer are joined to this workgroup and they access a file share that is hosted by a Windows machine. Are they prompted to enter credentials?
ASKER
Up to now the "server" has been wide open but with the introduction of a new machine, I've switched it to "matching username/password" pairs - "server" and client(s). So, with that, they aren't prompted to enter credentials. That was a choice.
The only problem is that the boss can't gain access with his Azure AD logon in Windows.
The "be prepared" problem is that we may lose something (e.g. email files) on the Office 365 end of things for him (only).
So, I'm being pretty careful about this and asking lots of questions.
The only problem is that the boss can't gain access with his Azure AD logon in Windows.
The "be prepared" problem is that we may lose something (e.g. email files) on the Office 365 end of things for him (only).
So, I'm being pretty careful about this and asking lots of questions.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
A "normal" user is NOT prompted to enter credentials because they have matching username/password between client and server.
So, that isn't the normal behavior UNLESS there is no match.
Matching is the intent.
Saved Windows Credentials isn't the intent.
But yes, I suppose I could do that even if reluctantly. It's not a bad Idea in this case. I've been rather narrow-minded about solving this.
So, that isn't the normal behavior UNLESS there is no match.
Matching is the intent.
Saved Windows Credentials isn't the intent.
But yes, I suppose I could do that even if reluctantly. It's not a bad Idea in this case. I've been rather narrow-minded about solving this.
ASKER
I solved this for the original user by adding credentials in his laptop so he could access the files on the "server" workstation.
Then, I ran into a similar problem (but NOT the same) with another user.
In this case, the client login Full Name was "John Smith" with shortname "john".
I believe he had provided his email address to Microsoft in setting up this user. Otherwise, it looks like an almost-normal local user. He logs into Windows with "John Smith".
He lost access to the "server" workstation where, I believe, the username was "john".
Eventually, I added credential for "john" on the client and matched that with a username/password for "john" on the "server" workstation.
This is MOST confusing and it's not the first time I've run into situations like this when Microsoft Office 365 is being used. I'm rather sure it has to do with how the user is set up or is nicely "corrupted" when Office 365 is set up.
Proof that this did come up recently and separately: https://www.experts-exchange.com/questions/29131345/Windows-10-User-Name-and-Full-Name-What-are-the-rules.html
Then, I ran into a similar problem (but NOT the same) with another user.
In this case, the client login Full Name was "John Smith" with shortname "john".
I believe he had provided his email address to Microsoft in setting up this user. Otherwise, it looks like an almost-normal local user. He logs into Windows with "John Smith".
He lost access to the "server" workstation where, I believe, the username was "john".
Eventually, I added credential for "john" on the client and matched that with a username/password for "john" on the "server" workstation.
This is MOST confusing and it's not the first time I've run into situations like this when Microsoft Office 365 is being used. I'm rather sure it has to do with how the user is set up or is nicely "corrupted" when Office 365 is set up.
Proof that this did come up recently and separately: https://www.experts-exchange.com/questions/29131345/Windows-10-User-Name-and-Full-Name-What-are-the-rules.html
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Being that you are on Azure to authenticate the laptop and your file server/workstation is part of a Workgroup you have the disconnect there.
The way I see you getting around this without implementing AD is to get the user to enter the local servers credentials and checking the box to save them.
Most of your question can easily be solved with an AD Domain.