question

MichaelKibbe-6332 avatar image
0 Votes"
MichaelKibbe-6332 asked FanFan-MSFT commented

Domain file share with anonymous access

I'm trying to make an anonymous share on a domain joined server (NOT the DC). But I need the share on that domain to allow anonymous access. This is a home / lab environment and it will NOT be exposed to the internet.

I've tried the following:
https://social.msdn.microsoft.com/Forums/en-US/4b5e4b6c-da4e-440a-8286-4f2315684a35/share-permissions?forum=winservergen
but had no luck.

Anyone got any ideas?

windows-server
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Hi,
I did a test in my lab, after configured the following settings, the folder can be accessed by the anonymous access.

1,On the shared folder, configure the share permission and NTFS permission with everyone has the read permission.
108802-image.png

2,Also make sure that network folder sharing is enabled in Windows ( Settings -> Network & Internet -> Ethernet -> Change advanced sharing options). In All Networks section, select the options Turn on sharing so anyone with network access can read and write files in the Public folders and Turn off password protected sharing if you trust all devices in your network
108749-image.png

3,Group policy,configure the following policies:
Open the Local Group Policy Editor (gpedit.msc) on a server/computer, which you want to enable anonymous access to.

Go to the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Configure the following policies:

Accounts: Guest Account Status: Enabled
Network access: Let Everyone permissions apply to anonymous users: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Disabled
Network access: Shares that can be accessed anonymous. Specify the shared folder names you want to enable anonymous access to.
108774-image.png
108803-image.png

4,Computer Configuration -> Windows Settings -> Security Settings> Local Policies -> User Rights Assignment.
Deny log on locally policy: Make sure that the Guest account is specified in the Deny log on locally policy .
Deny access to this computer from the network policy should not have Guest as the value.
108750-image.png


Best Regards,



image.png (100.1 KiB)
image.png (22.6 KiB)
image.png (40.4 KiB)
image.png (68.9 KiB)
image.png (64.7 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MichaelKibbe-6332 avatar image
0 Votes"
MichaelKibbe-6332 answered FanFan-MSFT commented

Thank you FanFan-MSFT for the very detailed answer.

But I'm still getting asked for authentication creditials.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Did you check that all the policies mentioned above were all applied successfully?
How did you access the share?(Which user and computers did you use to access the share?)
Best Regards,

0 Votes 0 ·
MichaelKibbe-6332 avatar image
0 Votes"
MichaelKibbe-6332 answered

The policies were applied (after shut down and turn on, went back in to check and they were still there).
Tried to connect from a non-domain attached computer while logged in with a local userid.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MichaelKibbe-6332 avatar image
0 Votes"
MichaelKibbe-6332 answered FanFan-MSFT commented

I tried this on a non-domain attached server (just in workgroup) and it worked flawlessly.

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Do you mean it worked while access the share from a non-domain attached server, but not working from non-domain attached clients?
I configured the share on a domain member server.
And the local users from a non-domain attached computer (win10 and win8) can access the share without any password requirements.

Best Regards,

0 Votes 0 ·

Non-domain attached server. Worked from both domain attached and non domain attached pcs.

0 Votes 0 ·

I would suggest you check it there are any different settings on the servers and clients.
i will do more research about it, if there are any latest information, i will update here!
Best Regards,

0 Votes 0 ·