Sign in with
Sign up | Sign in
Your question

disable passing local credentials to SMB servers

Last response: in Windows XP
Share
June 15, 2005 8:35:36 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I am having an issue, but then again, aren't we all?


QUESTION 1:
Our environment is a large organization in a workgroup setting (no
domain/AD).

All computers are running Windows XP Pro (SP2)

We have a generic local user account setup for each conference room
computer in our organization, let's say...

username: confroom
password: confroom

This enables any user to login and get basic access to a computer. i.e.
web browsing/email.

The confroom account also, is a valid account for email and file services.

We are using UNC paths to access network shares. Apparently mapping a
drive using different user credentials is too complicated for our users.

When users try to access an SMB network share, the local user info is
passed to, and accepted by the remote server.

The problem is that this generic user has no rights to any network shares.

I want to prevent this auto-login process from happening.

I would like the user to be presented with a login box.

EXAMPLE:

1. Dilbert walks into a conference room and wants to use computer.
2. Dilbert logins locally to computer using confroom account
3. Dilbert attempts to use start-Run to access \\server1\share
4. Dilbert hits enter and computer uses confroom account to authenticate
5. Dilbert gets back error message that, "\\server1\share is not
accessible...Network access is denied."

I just love Dilbert


EXTRA CREDIT QUESTION 2:
When a user connects to a server via UNC paths from the run line, is
there any way to disconnect/logout from the server without restarting or
logging off the machine?
Anonymous
June 15, 2005 8:35:37 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

On the sharing computer:

Go to control pannel

Click users

Add the user name(s) that you want to DENY access. Make sure to give them
"Guest" privledges AND disable the account.

Close the control pannel and the user manager.

On the share:
Go into the security settings of the share by right-clicking on it and
selecting "sharing an security" (from the computer you are sharing the
file.)

on the sharing tab click "permissions"

Add the username you want to disable

Select the "Deny" checkboxes for that user. (Make sure you select only the
user you wish to deny, and not "everyone")

Click "OK" repeatedly to exit.

This should deny only that username.

-David Rios

"PJ" <pjleflar@yahoonoreply.com> wrote in message
news:42B09118.7080104@yahoonoreply.com...
>I am having an issue, but then again, aren't we all?
>
>
> QUESTION 1:
> Our environment is a large organization in a workgroup setting (no
> domain/AD).
>
> All computers are running Windows XP Pro (SP2)
>
> We have a generic local user account setup for each conference room
> computer in our organization, let's say...
>
> username: confroom
> password: confroom
>
> This enables any user to login and get basic access to a computer. i.e.
> web browsing/email.
>
> The confroom account also, is a valid account for email and file services.
>
> We are using UNC paths to access network shares. Apparently mapping a
> drive using different user credentials is too complicated for our users.
>
> When users try to access an SMB network share, the local user info is
> passed to, and accepted by the remote server.
>
> The problem is that this generic user has no rights to any network shares.
>
> I want to prevent this auto-login process from happening.
>
> I would like the user to be presented with a login box.
>
> EXAMPLE:
>
> 1. Dilbert walks into a conference room and wants to use computer.
> 2. Dilbert logins locally to computer using confroom account
> 3. Dilbert attempts to use start-Run to access \\server1\share
> 4. Dilbert hits enter and computer uses confroom account to authenticate
> 5. Dilbert gets back error message that, "\\server1\share is not
> accessible...Network access is denied."
>
> I just love Dilbert
>
>
> EXTRA CREDIT QUESTION 2:
> When a user connects to a server via UNC paths from the run line, is there
> any way to disconnect/logout from the server without restarting or logging
> off the machine?
June 16, 2005 1:06:40 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Thanks for the suggestion, but I am already getting an access denied
situation.

I need a login box to allow me to login with different username and
password.

Also, while we are connecting to an SMB server it is a Mac OSX Server.

I need a client only solution, i.e. no server changes are allowed.

I just dont want the machine to pass the local username and password
when attempting to connect to \\server1\share.

We have tried setting the following local security policy to disabled:

1. Network Access: Do not allow storage of credentials or .NET passports
for network authentication.

2. Microsoft Network Client: Send unencrypted password to third-party
SMB servers.


David Rios wrote:
> On the sharing computer:
>
> Go to control pannel
>
> Click users
>
> Add the user name(s) that you want to DENY access. Make sure to give them
> "Guest" privledges AND disable the account.
>
> Close the control pannel and the user manager.
>
> On the share:
> Go into the security settings of the share by right-clicking on it and
> selecting "sharing an security" (from the computer you are sharing the
> file.)
>
> on the sharing tab click "permissions"
>
> Add the username you want to disable
>
> Select the "Deny" checkboxes for that user. (Make sure you select only the
> user you wish to deny, and not "everyone")
>
> Click "OK" repeatedly to exit.
>
> This should deny only that username.
>
> -David Rios
>
> "PJ" <pjleflar@yahoonoreply.com> wrote in message
> news:42B09118.7080104@yahoonoreply.com...
>
>>I am having an issue, but then again, aren't we all?
>>
>>
>>QUESTION 1:
>>Our environment is a large organization in a workgroup setting (no
>>domain/AD).
>>
>>All computers are running Windows XP Pro (SP2)
>>
>>We have a generic local user account setup for each conference room
>>computer in our organization, let's say...
>>
>>username: confroom
>>password: confroom
>>
>>This enables any user to login and get basic access to a computer. i.e.
>>web browsing/email.
>>
>>The confroom account also, is a valid account for email and file services.
>>
>>We are using UNC paths to access network shares. Apparently mapping a
>>drive using different user credentials is too complicated for our users.
>>
>>When users try to access an SMB network share, the local user info is
>>passed to, and accepted by the remote server.
>>
>>The problem is that this generic user has no rights to any network shares.
>>
>>I want to prevent this auto-login process from happening.
>>
>>I would like the user to be presented with a login box.
>>
>>EXAMPLE:
>>
>>1. Dilbert walks into a conference room and wants to use computer.
>>2. Dilbert logins locally to computer using confroom account
>>3. Dilbert attempts to use start-Run to access \\server1\share
>>4. Dilbert hits enter and computer uses confroom account to authenticate
>>5. Dilbert gets back error message that, "\\server1\share is not
>>accessible...Network access is denied."
>>
>>I just love Dilbert
>>
>>
>>EXTRA CREDIT QUESTION 2:
>>When a user connects to a server via UNC paths from the run line, is there
>>any way to disconnect/logout from the server without restarting or logging
>>off the machine?
>
>
>
!