Re: How to deny access to domain shares from a workgroup computer



Hello swb,

A local user account on a workgroup computer not belonging to a domain can have access to a domain share when the share/NTFS permissions on the domain allow this, for example when both are set to Everyone Full Control. The Everyone group doesn't need a domain SID; it's really everyone.

A locally configured username on the workgroup computer will not sync a password with a domain user account even if it has the same name; there is no sync running. I don't know where you read/found this explanation, or maybe I understand you wrong.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


(I posted a version of the question to the Small Business Server
newsgroup - no response - I hope that doesn't violate a posting rule)

Can anyone explain why a local account on a workgroup computer has
access to domain shares (sbs2008) if the local username and password
are synchronized with a domain username and password ?

The local workgroup account is allowed the same access as specified by
NTFS file permissions assigned to the domain account of the same
username/password.

I thought the ACL on NTFS file shares on a Domain Controller required
the user's access token to include a domain SID for the user.

This seems to be true on all Microsoft networks . . . I audit banks.
They give me a domain admin account for my visit. When I create a
matching account username/password on my notebook, I have access to
all shares on the Microsoft network, only using the domain account
they created for me for terminal service logins.

Is there a Security Option in to disable access to domain shares using
a synchronized local account on a workgroup computer.

Bigger Picture: What is all the Kerberos Trust path stuff about, if
access to shares only requires a synched username/password from any
workgroup ?
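
An added example, not part of the original thread: a PowerShell check for the condition the reply describes, listing disk shares on the local file server whose share-level or NTFS permissions grant access to the Everyone group (well-known SID S-1-1-0). It assumes Windows PowerShell with WMI available and is run on the server that hosts the shares; the output column names are made up for this example.

```powershell
# Added example: report shares where Everyone (S-1-1-0) has an allow entry
# in the share permissions, the NTFS permissions, or both.
$everyone = 'S-1-1-0'   # well-known SID of the Everyone group

# Index share-level security settings by share name.
$settings = @{}
Get-WmiObject -Class Win32_LogicalShareSecuritySetting |
    ForEach-Object { $settings[$_.Name] = $_ }

# Type 0 = ordinary disk shares; administrative shares (C$, ADMIN$) are excluded.
$report = foreach ($share in (Get-WmiObject -Class Win32_Share -Filter 'Type = 0')) {

    # Share-level DACL: keep allow ACEs (AceType 0) whose trustee is Everyone.
    $shareAces = @()
    if ($settings.ContainsKey($share.Name)) {
        $sd = $settings[$share.Name].GetSecurityDescriptor()
        if ($sd.ReturnValue -eq 0) {
            $shareAces = @($sd.Descriptor.DACL | Where-Object {
                $_.Trustee.SIDString -eq $everyone -and $_.AceType -eq 0
            })
        }
    }

    # NTFS DACL on the shared folder, explicit and inherited, identities as SIDs.
    $ntfsAces = @()
    if (Test-Path $share.Path) {
        $acl = Get-Acl $share.Path
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $ntfsAces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $everyone -and
            $_.AccessControlType -eq 'Allow'
        })
    }

    if ($shareAces.Count -gt 0 -or $ntfsAces.Count -gt 0) {
        New-Object PSObject -Property @{
            Share              = $share.Name
            Path               = $share.Path
            ShareEveryoneMask  = ($shareAces | ForEach-Object { $_.AccessMask }) -join ','
            NtfsEveryoneRights = ($ntfsAces | ForEach-Object { $_.FileSystemRights }) -join '; '
        }
    }
}

$report | Select-Object Share, Path, ShareEveryoneMask, NtfsEveryoneRights | Format-Table -AutoSize
```

A share is reachable through Everyone only when both columns are populated, since share and NTFS permissions are evaluated together; a share-level mask of 2032127 corresponds to Full Control.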


