0

I have a Windows 2003 server on a domain and client PCs running XP on a workgroup. I have created a file share on the server that should be accessible by the client PCs. I even set the security and sharing to 'Everyone' just to test.

When I try to access the file share from any of the XP machines, I get an authentication prompt that displays asking for credentials, even though 'Everyone' has full control currently (just for testing purposes). Why is it asking to authenticate? I need it to where it doesn't ask to authenticate.

I also made sure passwords were set on all XP machines since I found this could be one possible issue and they all were. Any ideas? Thanks!

4 Answers

1

By default, the Everyone group does not include the anonymous SID. It did in earlier versions of Windows, but was removed for XP/2003. You can restore this behavior with a registry change on the server. http://support.microsoft.com/kb/278259

A better option would be to synchronize the user names and passwords on the XP clients and the server. Just create an account on the XP client and then create the exact same account on the server. When the server challenges the client for credentials, the client first tries the current user. As long as there is an account on the server that matches, it will authenticate into the domain and qualify as "Everyone" then. Set up auto logon on XP and your users probably won't even notice.

sarme
0

When I have a Home version of Windows in a domain environment, I first strongly recommend they upgrade to a Business/Pro version of Windows so they can properly join the domain.

What I then do is create a startup script to map drives with net use passing in the username/password of a domain user I create specifically for this purpose (and that's in a group called "mapped drive users", which only has Read/Write on the share). This group is then denied and/or removed from the groups of all other domain resources, etc. so that should the credentials be discovered, the user in question really only has access to the share.

It's ugly, but it works.

gravyface
0

Here's the skinny on what you want to do (though I don't recommend it):

  • Enable the "Guest" account in the domain (it's disabled by default) if the sharing server is a domain controller

  • Enable the server computer's local "Guest" account if the sharing server is a member server (i.e. not a DC)

  • Add "Guests / Full Control" permission to the folder being shared ("just for testing")

The "Guest" account's enabled/disabled status acts as a flag to the operating system that means "Give unauthenticated users access to shared folders / files to which 'Guests' have rights."

To use the "Everyone" group you'll have to set a security option (in addition to enabling the "Guest" account). This is because the "meaning" of the "Everyone" group has changed.

"Everyone" used to mean "everyone in the entire world" in Windows NT 4.0. In subsequent versions of the NT operating systems, a "Security Option" setting "Network access: Let Everyone permissions apply to anonymous users" prevents the "Everyone" group from including anonymous users. Thus, when the "Guest" account is enabled on a stock Windows Server 2003 machine the only shared folders accessible to a "Guest" user still have to contain a "Guests" permission, because "Everyone" doesn't include "Guests" by default.

Once you enable the "Network access: Let Everyone permissions apply to anonymous users" and enable the "Guest" account, folders accessible to "Everyone" are really accessible to everyone who can communicate with the server computer.

I strongly advise against actually doing this.

Evan Anderson
0

Once set up in Domain Security Policy:

  • Security Options: Network Access: Shares that can be accessed anonymously (type the share name)

  • Security Options: Network Access: Let Everyone permissions apply to anonymous

  • User Rights Assignment: Access computer from Network (Guests & ANONYMOUS LOGON)

  • Active Directory: Enable the Guest Account

Add ANONYMOUS LOGON & Guests credentials to the Share permissions and the Folder Security tab.

You'll find that although you're still unable to browse the available shares you can type the path into the address bar and you will be allowed anonymous access (\\DomainController\AnonymousShare).
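A server-side check for the settings named in the answers above, as an added example that is not part of any of the posts: it parses a security policy export in the layout `secedit /export /cfg` writes and reports which of those settings are switched on. The sample export is constructed, and the function names are this example's own.

```python
import configparser

# Constructed sample in the layout of a `secedit /export /cfg policy.inf` file
# (the real file is UTF-16, so decode it before parsing). Values are made up.
SAMPLE_INF = r"""
[System Access]
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,AnonymousShare
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-7,*S-1-5-32-546
"""

# configparser lower-cases option names, so the keys are written in lower case.
LSA = r"machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous"
NULL_SHARES = r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares"
ANON_SIDS = {"*S-1-5-7": "ANONYMOUS LOGON", "*S-1-5-32-546": "Guests"}

def reg_data(cp, key):
    """Data part of a 'type,data' registry line, or '' when the value is absent."""
    return cp.get("Registry Values", key, fallback=",").partition(",")[2].strip()

def audit_policy(inf_text):
    """List the settings in the export that open shares to unauthenticated users."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=(";",),
                                      strict=False)
    cp.read_string(inf_text)
    findings = []
    if cp.get("System Access", "EnableGuestAccount", fallback="0").strip() == "1":
        findings.append("Guest account is enabled")
    if reg_data(cp, LSA) == "1":
        findings.append("Everyone permissions apply to anonymous users")
    shares = [s for s in reg_data(cp, NULL_SHARES).split(",") if s]
    if shares:
        findings.append("Shares reachable anonymously: " + ", ".join(shares))
    right = cp.get("Privilege Rights", "SeNetworkLogonRight", fallback="")
    holders = right.replace(" ", "").split(",")
    for sid, name in ANON_SIDS.items():
        if sid in holders:
            findings.append(name + " may access this computer from the network")
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_INF):
        print("FINDING:", line)
```

An empty result means none of the four settings is opening the server to unauthenticated access; share and NTFS permissions still need their own review.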