Re: Anonymous Printer Share - Access Denied
anonymous_at_discussions.microsoft.com
Date: 04/01/04
- Next message: herveal: "récupération automatique de fichier système - automatic system restore"
- Previous message: sydney: "local security policy"
- In reply to: Steven L Umbach: "Re: Anonymous Printer Share - Access Denied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 Apr 2004 06:31:12 -0800
Wow, you're right, anything will do in the password dialog
box when the guest account is enabled. However, one of my
policies is that IT will never ask for their password, so
adding a mirrored account for their machines is not an
option :(. Maybe i can get a dialog box to pop up when they
try to print if they're not authenticated with the domain
somehow. (I'm a bit disappointed that this is so difficult,
i was under the impression that windows was quick and
easy). I guess i could write a script to put in their
startup folder that will authenticate when they logon
locally... Just brainstorming now.
Thanks again for your help, I really do appreciate it.
John
>-----Original Message-----
>I am not sure about that but generally you don't want to
enable the guest
>account on the domain controller as that is the guest
account for the domain
>which could give unathenticated users potential access on
all domain
>controllers shares, but having said that you said that a
credentials box
>pops up. Do they have to enter a domain user/password in
it or will anything
>do? I have seen where sometimes a paasword box will pop up
when the guest
>account is enabled and anything can be entered into it and
access will be
>gained. I think that is because the user trying to gain
access is logged
>onto a computer with the same name but different password
than a domain user
>account. You can use Computer Management/shared
folders/sessions to see how
>a connected user is being authenticated. The link below
may also be
>pertinent as it talks about the need for permissions to the
>\winnt\system32\spool folder.
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;271901
>
>Another solution may be to create user accounts in the
domain that use the
>same logon name and password as those non domain users use
to logon to their
>computers. Then they should get pass through access to
domain resources
>without actually logging onto the domain - I do that all
the time at home
>with my laptop. Of course those users would potentially
have access to any
>domain resources available to the users group and password
changes would
>need to be synchronized. However you could add those users
to their own
>group and add them to the "deny access to this computer
from the network"
>for the domain or at the OU level to prevent them from
accessing resources
>that they should not. --- Steve
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:16d501c41772$5ad20380$a501280a@phx.gbl...
>> Thanks for the reply, I made sure that was set in all 3
>> security policies to no avail. Perhaps it is because the
>> box hosting the shares is a domain controller?
>>
>> Thanks again for the reply,
>> John
>> >-----Original Message-----
>> >I have never tried what you are doing but check that the
>> computer offering
>> >the share does not have the security option effective
>> setting for
>> >"additional restrictions for anonymous connections" in
>> Local Security Policy
>> >set to anything but "none rely on default permissions" to
>> see if that
>> >helps. --- Steve
>> >
>> >"John" <anonymous@discussions.microsoft.com> wrote in
message
>> >news:1658201c41745$8923e5f0$a501280a@phx.gbl...
>> >> We have just migrated from unix to windows 2000 server,
>> >> with windows 2000 workstations. The domain setup and
group
>> >> policy is great, but we're having trouble with non-domain
>> >> machines being able to install and print to the shared
>> >> printers.
>> >>
>> >> I have enabled the guest account which has full access to
>> >> the shared printers on the domain controller, as well as
>> >> giving everyone full access to the printers. In all
>> >> security policies, everyone has the ability to access the
>> >> domain controller from the network.
>> >>
>> >> The problem is that when you use Network Neighborhood to
>> >> browse to the domain controller, it gives a password
dialog
>> >> box which must be populated. If a user on a non-domain
>> >> machine connect to the pdc before printing, everything
>> >> works fine. But if those machines are restarted (which
>> >> happens 12-15 times a day), the user must browse to
the pdc
>> >> using network neighborhood and enter a password before
>> >> everything will work again.
>> >>
>> >> When a non-domain user/box tries to print, it gives an
>> >> access denied in the printer status. It seems to me that
>> >> when everyone access is enabled, everyone should be
able to
>> >> print. However, that is not the case.
>> >>
>> >> What settings do i need to change to allow
>> >> non-authenticated users to browse the shares and
printers?
>> >> Users have to log into the domain before they can print,
>> >> and i'm catching much heat over this.
>> >>
>> >> I've spent the last 2 days researching this, and the
little
>> >> information i could find in microsoft's site is wrong (as
>> >> in the options do not exist where they say, or the
command
>> >> line arguments are just plain wrong)
>> >>
>> >> I've read a few posts that say what i want to do is
>> >> impossible, but i find that difficult to believe.
>> >>
>> >> Thanks in advance,
>> >> John
>> >
>> >
>> >.
>> >
>
>
>.
>
- Next message: herveal: "récupération automatique de fichier système - automatic system restore"
- Previous message: sydney: "local security policy"
- In reply to: Steven L Umbach: "Re: Anonymous Printer Share - Access Denied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
