RestrictAnonymous issue


A.Klimkin

Hello NG!

I've got a Windows workgroup. It is W2K Pro SP4 workstations with all current
hotfixes/patches applied. I shared some folder on each workstation and
granted Read&Change permissions to the 'Everyone' builtin security group. I
have created users with unique names on each workstation, and have users
logged on under the respective account.
Something like this:
WKS1 - User1
WKS2 - User2
WKS3 - User3
....

The problem is I cannot list shared folders on any of the workstations and
cannot get access to the shared resource even if I enter the full resource
UNC like \\server\share.
I understand that if I create all the user accounts on every workstation, my
issue would be resolved, but what about the anonymous access?
I've read the 246261 KB article 'How to Use the RestrictAnonymous Registry
Value in Windows 2000' and realized that while RestrictAnonymous=0 I should
be able to browse shares and get access to them if Anonymous or Everyone is
granted access by the object's access control list (sure, it is) - but I
cannot!
I know that the default setting for the RestrictAnonymous is 0, and I
checked the actual value more than once. But still have no luck :-(
Has anyone faced a similar issue and/or have any clues for this?

Thanks in advance,
Andrew
 
> I've got a Windows workgroup.

What are you doing with one of those, Andrew? Be careful with those
things... it is kinda like "running with the scissors". :-)

> I understand that if I create all the user accounts on every workstation, my
> issue would be resolved, but what about the anonymous access?

I think anonymous requires the Guest account to be activated.

> I've read the 246261 KB article 'How to Use the RestrictAnonymous Registry
> Value in Windows 2000' and realized that while RestrictAnonymous=0 I should
> be able to browse shares and get access to them if Anonymous or Everyone is
> granted access by the object's access control list (sure, it is) - but I
> cannot!

"Everyone" is not "Anonymous". Everyone is "...everyone that you know who
they are..." and Anonymous is "...everyone that you don't know who they
are...". Everyone in a workgroup is also only "...everyone on the *one*
machine you are dealing with...", it is not "...everyone in the
workgroup...".

So I think your options are to enable and use the guest account (aka
Anonymous) or create identical accounts passwords on all the machines
(Shadow Accounts).
 
Hi, Phillip.
Nice to see you here, in another newsgroup :)
We met before at ms.pub.isa

Phillip Windell said:
> What are you doing with one of those, Andrew? Be careful with those
> things... it is kinda like "running with the scissors". :-)

I know.
Just don't ask :)

> I think anonymous requires the Guest account to be activated.

Good point.
I'll give it a try tomorrow.

> "Everyone" is not "Anonymous". Everyone is "...everyone that you know who
> they are..." and Anonymous is "...everyone that you don't know who they
> are...". Everyone in a workgroup is also only "...everyone on the *one*
> machine you are dealing with...", it is not "...everyone in the
> workgroup...".
>
> So I think your options are to enable and use the guest account (aka
> Anonymous) or create identical accounts passwords on all the machines
> (Shadow Accounts).

I know about guest account, and I know about shadow accounts, but
unfortunately, this is not an option here. The whole idea is to grant ANYONE
access to some share(s). When I say 'anyone' I mean anyone who has connected
to the LAN and got correct ip address, regardless of their
workgroup/username/password etc.

The functionality I'm asking for is at least not criminal and is quite a
documented feature of Windows networking (again, take a look at KB246261). But
for some f***ing reason in my case it is not working as expected (or I am
missing something important).

Regards,
Andrew
 
Andrew Klimkin said:
> Hi, Phillip.
> Nice to see you here, in another newsgroup :)
> We met before at ms.pub.isa

....and about a half dozen others I think :-)

> I know about guest account, and I know about shadow accounts, but
> unfortunately, this is not an option here. The whole idea is to grant ANYONE
> access to some share(s). When I say 'anyone' I mean anyone who has connected
> to the LAN and got correct ip address, regardless of their
> workgroup/username/password etc.
>
> The functionality I'm asking for is at least not criminal and is quite a
> documented feature of Windows networking (again, take a look at KB246261). But
> for some f***ing reason in my case it is not working as expected (or I am
> missing something important).

What you are asking for is essentially Anonymous access. Workgroup machines
will never have any concept of an account that is not in their own local
SAM. So to the best of my knowledge the "Guest" account is the only thing
that is the equivalent of "anonymous".

This will also let in anyone who is not from the local LAN but may be routed
there, and there won't be any such thing as the concept of a "correct" or
"incorrect" IP Address.
 
Finally I resolved the issue. Thanks, Phillip, for the idea of enabling
the Guest account.
How things work within a Windows workgroup, as far as I discovered:
The ability to browse and access shares depends on two things - the
RestrictAnonymous registry setting (see here for gory details:
http://www.microsoft.com/resources/...chref/en-us/w2k3tr_actok_tools.asp?frame=true)
and the local Guest account state.

1. When RestrictAnonymous is NOT "0" (1 or 2), regardless of Guest account
state, I've got "Access denied" when I try to connect to the workstation.
2. When RestrictAnonymous IS "0" AND Guest account is disabled, I've got
"Enter network password" when I try to connect to the workstation.
3. When RestrictAnonymous IS "0" AND Guest account is ENABLED, I can
successfully see the list of shared resources on this workstation (without
having to enter any usernames/passwords), and can access the shares where
'Everyone' has been granted permission to do so.

I don't know if the above-mentioned 3rd configuration would work if the Guest
account's password is not blank - I haven't tested it because it is out of my
research scope ;-)

That's all, folks :)
Thanks everyone for help.

Regards,
Andrew
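
An audit of the two settings named in the post above, as an added example that is not part of the original thread: it maps a host onto the three observed cases and, for case 3, lists the shares whose share ACL allows Everyone. `Get-AnonymousShareOutcome` is a hypothetical helper name; the script assumes an elevated PowerShell 5.1+ session on a Windows version that ships `Get-LocalUser` and `Get-SmbShare` (Windows 2000 itself does not), and the three outcomes are the poster's observations on Windows 2000 SP4, not behaviour confirmed for later releases.

```powershell
# Added example (not from the thread). Get-AnonymousShareOutcome is a
# hypothetical helper; the outcomes are those the poster observed on W2K SP4.
function Get-AnonymousShareOutcome {
    param(
        [Parameter(Mandatory)][int]  $RestrictAnonymous,
        [Parameter(Mandatory)][bool] $GuestEnabled
    )
    if ($RestrictAnonymous -ne 0) { return 'Case 1: Access denied' }
    if (-not $GuestEnabled)       { return 'Case 2: Enter network password prompt' }
    return 'Case 3: shares listed without credentials'
}

# Constructed inputs covering the three cases, so the mapping can be checked offline.
foreach ($s in @(
        @{ RestrictAnonymous = 1; GuestEnabled = $true  },
        @{ RestrictAnonymous = 0; GuestEnabled = $false },
        @{ RestrictAnonymous = 0; GuestEnabled = $true  })) {
    '{0} / {1} -> {2}' -f $s.RestrictAnonymous, $s.GuestEnabled,
        (Get-AnonymousShareOutcome @s)
}

# Live state of the local machine.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: a missing value is treated as 0, the default stated in the thread.
$ra = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
# The built-in Guest account keeps RID 501 even if it has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$guestOn = [bool]$guest.Enabled
$outcome = Get-AnonymousShareOutcome -RestrictAnonymous $ra -GuestEnabled $guestOn
"This host: RestrictAnonymous=$ra, Guest enabled=$guestOn -> $outcome"

# In case 3 the reachable shares are those whose share ACL allows Everyone.
# Assumption: English group name; 'Everyone' is localized on other builds.
if ($outcome -like 'Case 3*') {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' }
    } | Select-Object Name, AccountName, AccessRight
}
```

The share ACL is only half of the check: NTFS permissions on the shared folder still apply to whatever account the connection is mapped to.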
 